Would You Trust a “Quick IT Support Call” at Your Law Firm—or Is It a Vishing Attack in Disguise?

June 7, 2026
by
Pulkit Gupta
deleteme

A “quick IT support call” sounds harmless. At a law firm, it can also be the moment everything goes sideways. The Silent Ransom Group (also tracked as UNC3753, Luna Moth, and Chatty Spider) is using invoice-themed emails as bait, then jumping to phone calls that push staff into remote support sessions. No malware attachment. No flashy exploit. Just pressure, urgency, and a familiar script. If your firm runs on trust and time-sensitive client work, you’re exactly the kind of place this hits hardest.

What SRG is really doing (and why law firms are perfect targets)

The Silent Ransom Group (SRG) isn't playing the "classic ransomware" game a lot of firms still picture. They've shifted hard into data-theft extortion: get in, grab sensitive files, and threaten exposure. There's no need to deploy noisy encryption across your network if they can pressure you with what they already stole. Mandiant notes the group has moved away from traditional ransomware encryption and now focuses on stealing data and pushing victims to pay to prevent leaks.

That shift matters for law firms because your worst-case scenario often isn’t downtime—it’s disclosure.

SRG’s real product is pressure

Legal work runs on confidentiality, deadlines, and reputation. SRG is built to weaponize all three. Mandiant calls legal services firms “high-value targets” because they hold concentrated stores of client transaction files, M&A plans, trade secrets, and corporate regulatory reports, and because the reputational and regulatory fallout makes firms more likely to want the issue handled quietly.

SRG’s play is simple:

  • Steal sensitive client data
  • Threaten to leak it
  • Bank on the firm’s need to protect clients, privilege, and professional standing

Why invoice + “IT support” works so well on law firms

Attackers aren’t guessing. They’re leaning into normal law-firm reflexes:

  1. Billing issues get fast attention. An “invoice” complaint hits the exact people trained to resolve payment friction quickly, before it becomes a client problem. Mandiant observed SRG starting with invoice-themed phishing emails that act as a setup for the next step.
  2. IT interruptions get even faster attention. When someone claims they can “fix it right now,” staff feel pressure to keep attorneys moving. SRG uses follow-up phone calls impersonating corporate IT/help desk to push the target into a remote support session.
  3. The scam avoids the usual “email red flags.” These invoice emails can be “clean” (no malicious link, no attachment), which lowers defenses and increases the chance someone follows the callback path.

If you’re a managing partner, an office manager, or the person who just wants the printer/Teams/VPN problem to stop eating the morning—this is the trap. SRG isn’t trying to out-hack your tools. They’re trying to out-rush your people.

The full chain: invoice email → fake help desk call → remote session → RMM install

If you want to spot an SRG vishing attempt early, you need to recognize the sequence, not just a single red flag. Mandiant's write-up makes it clear this is a callback-phishing flow: a benign-looking email sets the hook, and the voice call does the real damage.

Step 1: The invoice email (the “boring” opener)

The campaign often starts with an invoice-themed phishing email sent from consumer email accounts. No malware attachment. No malicious link. The point is to start a billing thread that feels routine and time-sensitive.

What SRG gets from this step:

  • A reason to talk to a real human
  • The right internal contact (billing, admin, front desk, practice coordinator)
  • A context that makes urgency feel justified

Step 2: The fake help desk call (vishing + impersonation)

Next comes the phone call: attackers impersonate IT help desks / corporate IT staff and push for immediate “troubleshooting.”

This is the moment where a law firm’s normal habits get exploited:

  • “We can’t pause intake.”
  • “A partner needs this fixed now.”
  • “I don’t want to be the blocker.”

Step 3: The remote session (they pick tools your staff already trusts)

In the current activity, SRG convinces employees to join remote support sessions using common platforms:

  • Microsoft Teams
  • Zoom
  • Quick Assist
  • Microsoft Terminal Services

Nothing here looks like a “hacker tool” to a busy staffer. That’s the point.

Step 4: The RMM install (initial access that looks like IT work)

During the session, they trick the user into installing legitimate remote monitoring and management (RMM) tools—giving the actor the keys without “breaking in.” Mandiant specifically names:

  • AnyDesk
  • Zoho Assist
  • Bomgar
  • SuperOps

Once that’s in place, the attacker doesn’t have to keep sweet-talking on the phone. They can operate with persistent remote access that blends into normal IT activity.

The stealth helpers that keep the scam “clean”

SRG adds two smart layers to reduce obvious traces:

1) Lookalike IT portal domains

Mandiant observed phishing domains impersonating internal IT portals using patterns like:

  • <organization>-itdesk[.]com
  • <organization>-it[.]com
  • <organization>-helpdesk[.]com

It’s a small trick with a big payoff: the URL looks like something a firm might actually use.

2) privnote.com for links and commands

They also use privnote[.]com (self-destructing notes) to share installation links and commands during the remote support session. Mandiant notes this helps reduce forensic artifacts in browser history and corporate chat logs.

If you’re training staff, this is the line to hammer home: a “secure note” link during an IT call isn’t a safety feature—it's often a cover.
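The two indicators above are easy to turn into a log check. The following Python script is an added example, not code from the page or from Mandiant: it runs the `<organization>-itdesk` / `-it` / `-helpdesk` label pattern and lookups of privnote.com over DNS or proxy query records. The firm-name fragments (ORG_TOKENS), the owned-domain list, the space-separated log format, and the sample lines are all constructed for the example; map your resolver's fields onto the four it expects.

```python
"""Flag lookalike IT-portal domains and self-destructing-note services in
DNS/proxy log lines. Added example; org names and log format are constructed."""

# Hypothetical short forms of the firm's name an attacker might reuse.
ORG_TOKENS = ("smithandlowe", "smith-lowe", "slfirm")

# Label suffixes from the Mandiant reporting: <org>-itdesk, <org>-it, <org>-helpdesk.
PORTAL_SUFFIXES = ("-itdesk", "-it", "-helpdesk")

# Domains the firm actually owns (hypothetical), so the real portal is never flagged.
OWNED_DOMAINS = {"smithandlowe.com"}

# Self-destructing note service Mandiant observed SRG using during support calls.
NOTE_SERVICES = {"privnote.com"}


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def candidate_labels():
    """Every <org><suffix> label this script watches for. Feed the same set to a
    newly-registered-domain or certificate-transparency watch so the lookalike
    is caught when it is registered, not when a paralegal clicks it."""
    return {org + suf for org in ORG_TOKENS for suf in PORTAL_SUFFIXES}


def classify(hostname):
    """Return a tag for a hostname worth a look, or None. Matching is done on
    whole DNS labels, so it works for any TLD and for subdomains of the
    lookalike, while a subdomain of the firm's own domain is never a hit."""
    host = hostname.lower().rstrip(".")
    if _under(host, OWNED_DOMAINS):
        return None
    if _under(host, NOTE_SERVICES):
        return "note-service"
    watch = candidate_labels()
    if any(label in watch for label in host.split(".")):
        return "lookalike-it-portal"
    return None


def scan(lines):
    """lines: 'timestamp host user queried_name' records (constructed format;
    map your resolver's fields onto these four). Returns the flagged records."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated record
        ts, host, user, qname = parts[:4]
        tag = classify(qname)
        if tag:
            hits.append({"ts": ts, "host": host, "user": user, "qname": qname, "tag": tag})
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
2025-05-12T09:14:02 WS-BILLING-07 jdoe smithandlowe-itdesk.com
2025-05-12T09:14:09 WS-BILLING-07 jdoe login.microsoftonline.com
2025-05-12T09:21:33 WS-BILLING-07 jdoe privnote.com
2025-05-12T09:30:00 WS-IT-01 itadmin it.smithandlowe.com
2025-05-12T09:31:12 WS-RECEPTION-02 rpatel support.smith-lowe-helpdesk.net
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["host"], hit["user"], hit["qname"], "->", hit["tag"])
```

A privnote.com lookup on its own is low-confidence; what makes it worth a call to the user is the timing: a note-service hit from the same workstation minutes after a lookalike-portal hit, or during an open Quick Assist or Teams session, is the pattern the page describes.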

The 30-minute problem: what they steal, how they move it, how they pressure you

Once SRG has hands-on access, the clock starts. This isn't the slow-burn intrusion most firms imagine, with weeks of quiet dwell time before anyone hears from the attacker. Mandiant describes the group as highly aggressive, with ransom demands often arriving within 30 minutes of the attackers leaving the victim environment.

That speed changes your options. If your internal “we’ll investigate and get back to you” muscle memory kicks in, you’re already behind.

What they’re hunting (it’s not random files)

SRG goes straight for the stuff that creates legal, regulatory, and client fallout. Mandiant says they search for sensitive legal and financial documents, including:

  • Contracts
  • Tax records
  • Social Security numbers (SSNs)
  • Merger or acquisition files

They also commonly target document management platforms and cloud storage repositories because that’s where a firm’s “one source of truth” lives.

How they move it out (quiet tools, fast exits)

Exfiltration doesn’t require exotic malware. Mandiant notes SRG commonly exfiltrates using tools such as:

  • WinSCP (file transfer client)
  • Rclone (cloud storage transfer/sync tool)

Both can look like normal admin activity when you’re not watching closely. That’s part of why these cases escalate fast: by the time someone notices “something feels off,” the data may already be gone.
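Here is what step 4 (the RMM install) and this exfiltration step look like in endpoint process-creation telemetry, as an added example rather than code from the page's sources. The Python below triages Sysmon Event ID 1 / Windows 4688-shaped events for three things: a remote-support session tool starting (context only), an RMM binary launched from anywhere other than an IT-approved path, and an rclone copy/sync/move whose destination is a cloud remote rather than a local drive. The sample events, the allowlisted AnyDesk path, and the 30-minute chaining window are constructed assumptions; the allowlist is the "exact apps, exact download sources" idea from the defenses later on.

```python
"""Triage process-creation events (Sysmon Event ID 1 / Windows 4688 fields) for
the SRG chain: remote-support session -> unapproved RMM -> bulk transfer to a
cloud remote. Added example; events and the allowlist are constructed."""
import re
from datetime import datetime, timedelta

# Hypothetical allowlist: the one remote-access tool IT pre-installs, by exact
# path. The same product launched from a user's Downloads folder is not approved.
APPROVED_RMM_PATHS = {r"c:\program files\anydesk\anydesk.exe"}

# Tool families from the Mandiant/FBI reporting on SRG, matched as substrings of
# the lowercased file name because installer names vary by version.
RMM_MARKERS = ("anydesk", "zohoassist", "za_connect", "bomgar", "superops")
# Session tools from the page; mstsc is the Terminal Services (RDP) client, an
# assumption about what "Microsoft Terminal Services" refers to here.
SESSION_MARKERS = ("quickassist", "teams", "zoom", "mstsc")
TRANSFER_MARKERS = ("winscp", "rclone")

# An RMM start within this long of a support-session start on the same host is
# scored as one chain. The window is an assumption, not a figure from the page.
CHAIN_WINDOW = timedelta(minutes=30)

_TOKEN = re.compile(r'"[^"]*"|\S+')
_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def _basename(image):
    return image.lower().replace("\\", "/").rsplit("/", 1)[-1]


def _has_marker(image, markers):
    base = _basename(image)
    return any(m in base for m in markers)


def rclone_cloud_destination(cmdline):
    """Destination of an rclone copy/sync/move whose target is an rclone remote
    ("name:path"), else None. A Windows drive path ("D:\\x") also contains a
    colon but is a local copy, so it is excluded."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    for i, tok in enumerate(tokens):
        if tok.lower() in ("copy", "sync", "move") and i + 2 < len(tokens):
            dest = tokens[i + 2]
            if ":" in dest and not _DRIVE_PATH.match(dest):
                return dest
    return None


def triage(events):
    """events: dicts with ts (ISO 8601), host, user, image, cmdline.
    Returns alerts in time order. Session tools are context, not alerts: they
    only start the timer that upgrades a later RMM launch to 'high'."""
    alerts = []
    last_session = {}  # host -> when a remote-support tool last started
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, image, cmd = ev["host"], ev["image"], ev.get("cmdline", "")

        if _has_marker(image, SESSION_MARKERS):
            last_session[host] = ts
            continue

        if _has_marker(image, RMM_MARKERS) and image.lower() not in APPROVED_RMM_PATHS:
            seen = last_session.get(host)
            chained = seen is not None and ts - seen <= CHAIN_WINDOW
            alerts.append({"ts": ev["ts"], "host": host, "user": ev["user"],
                           "rule": "rmm-after-support-session" if chained else "unapproved-rmm",
                           "severity": "high" if chained else "medium",
                           "detail": _basename(image)})
            continue

        if _has_marker(image, TRANSFER_MARKERS):
            dest = rclone_cloud_destination(cmd) if "rclone" in _basename(image) else None
            alerts.append({"ts": ev["ts"], "host": host, "user": ev["user"],
                           "rule": "rclone-to-cloud-remote" if dest else "transfer-tool-run",
                           "severity": "high" if dest else "medium",
                           "detail": dest or _basename(image)})
    return alerts


# Constructed sample: one workstation walking the whole chain, plus IT's own
# approved AnyDesk and a local rclone backup on another host. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-05-12T09:12:04", "host": "WS-BILLING-07", "user": "FIRM\\jdoe",
     "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"ts": "2025-05-12T09:19:41", "host": "WS-BILLING-07", "user": "FIRM\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"ts": "2025-05-12T09:33:10", "host": "WS-BILLING-07", "user": "FIRM\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\DMS\Clients" gdrive:archive -P'},
    {"ts": "2025-05-12T10:02:00", "host": "WS-IT-01", "user": "FIRM\\itadmin",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2025-05-12T10:05:00", "host": "WS-IT-01", "user": "FIRM\\itadmin",
     "image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe copy C:\Backups D:\Backups"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["ts"], a["severity"].upper(), a["host"], a["rule"], a["detail"])
```

The point of the path-based allowlist is that "AnyDesk" is not the indicator; AnyDesk installed by IT under Program Files is expected, while the same binary run out of a user's Downloads folder seven minutes after a Quick Assist session is the SRG chain. Likewise rclone with a local destination is an admin backing something up, and rclone pointed at `gdrive:` from a billing workstation is the exit.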

How they pressure you (the threat is social, not technical)

Mandiant reports extortion letters that:

  • Arrive fast and push a three-day deadline to respond and start negotiations
  • Threaten to call and email employees and external clients directly if the firm doesn’t respond
  • Explicitly warn the leak will damage client trust, invite regulatory fines, and even suggest clients could sue for mishandling data

This is the part many law firms underestimate. The attacker isn’t just saying “pay us.” They’re threatening to turn your own relationships—staff, clients, counterparties—into the delivery mechanism.

If you’ve ever had to manage an awkward billing dispute, a sensitive filing, or a client who’s already on edge, you already understand the fear they’re selling. They just compress it into 30 minutes.

Defenses that actually work (tight policies + small technical guardrails)

SRG’s whole advantage is speed plus social pressure. So your best defenses aren’t complicated. They’re repeatable under stress, and they remove the attacker’s ability to “talk” someone into privileged access.

Mandiant and the FBI call out the same basics: strict verification procedures for IT support interactions, plus limits on remote tools, MFA, USB restrictions, and voice-phishing training.

Lock down the human entry point (policy you can run at 9:12 a.m.)

The goal is to make “a quick IT support call” a dead end unless it’s validated.

Non-negotiable rule: IT never gets access through an inbound call.

  • Hang up.
  • Call back using a known-good number from your internal directory, ticketing portal, or vendor contact list (not the number the caller gives you).
  • If the caller resists a callback, treat it as confirmation.

Front desk / assistant script (keep it simple)

Give the people who answer phones a script that’s easy to use without feeling awkward:

  1. “What’s your ticket number and department?”
  2. “I’m going to call you back through our official IT line.”
  3. “If this is urgent, log it in the ticketing system and our IT team will route it.”

No arguing. No explaining. Just a process.

Training that matches the attack (vishing + callback phishing)

Most “security awareness” is still stuck on links and attachments. This campaign isn’t. Train specifically on:

  • Vishing (voice phishing) and callback phishing
  • How attackers use “remote support” language to sound normal
  • What “privileged actions” look like in plain English: remote access, software installs, MFA resets, password changes

Mandiant and the FBI explicitly recommend training employees to recognize voice phishing attempts.

Reduce the blast radius (small guardrails with big payoff)

Assume someone will eventually pick up the phone. Your controls should still prevent a single mistake from becoming full access.

1) Treat remote support like admin access

Any request to:

  • start a remote session,
  • install remote tools,
  • approve a security prompt,
  • change authentication settings,

…should be handled like it’s a partner-signature moment. Slow it down.

2) Limit remote access tools (and block the rest)

Mandiant/FBI recommend limiting remote access tools.

Practical version:

  • Maintain an approved list (exact apps, exact download sources).
  • Block execution/installation of unapproved remote tools where you can.
  • If your MSP uses an RMM, require it to be pre-installed by IT. No “install this real quick” during a call.

3) Enforce MFA everywhere it matters

Mandiant/FBI call out enforcing MFA.

Make MFA meaningful:

  • Protect email, document systems, and admin consoles.
  • Tighten MFA resets (no reset via phone without identity checks).

4) Restrict USB storage

It’s old-school, but it still shows up in real intrusions. Mandiant/FBI also recommend restricting USB storage devices.

If you can’t ban USB outright:

  • Limit to encrypted corporate drives.
  • Log and alert on mass file copies.

These moves aren’t glamorous. They work because they turn a high-pressure phone call into a set of gates the attacker can’t sweet-talk past.

Why takedowns are messy: fast-flux leak infrastructure (and what your firm should do anyway)

A lot of incident plans quietly assume this: “If it gets posted, law enforcement or the host will take it down.”

SRG’s ecosystem is built to make that assumption fail. Resecurity reported the group is operating fast-flux infrastructure to hide and protect its data-leak platforms, including a leak site referenced as business-data-leaks[.]com.

Fast-flux, explained like you’re on a deadline

Normally, a website lives at an IP address (or a small set of them). Block the IP. Work with a provider. Pull it offline.

With DNS fast flux, the attacker keeps rotating the IP addresses a domain resolves to, using very short DNS TTLs and a large pool of compromised devices (typically residential machines proxying traffic to the real server). The same leak domain can "move" again and again, which makes IP-based blocking and hosting takedowns far more difficult.

Resecurity also noted SRG’s infrastructure uses residential IP addresses across multiple countries and ISPs, which adds friction for both blocking and legal action.
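As an added example (not from the page or from Resecurity), the Python below shows how a defender recognizes that pattern in passive-DNS or resolver logs, and puts a number on why an IP blocklist falls behind. Both domains and every resolution record are constructed (TEST-NET addresses, private-use ASNs), and the thresholds are assumptions to tune against your own baseline; a CDN with a few round-robin addresses in one network must not trip the same rule.

```python
"""Score a domain's DNS resolution history for fast-flux behaviour and measure
how much of its later traffic an IP blocklist would actually catch. Added
example; both domains and every record below are constructed, not observed."""
from datetime import datetime, timedelta

# (timestamp, resolved IP, TTL seconds, ASN) as a passive-DNS feed or resolver
# log would give them. TEST-NET addresses and private-use ASNs, by construction.
OBSERVATIONS = {
    # New residential-looking IP almost every lookup, five ASNs, TTLs of 1-3 min.
    "leak-site.example": [
        ("2025-05-12T00:00:00", "203.0.113.17", 60, 64512),
        ("2025-05-12T00:30:00", "198.51.100.44", 120, 64513),
        ("2025-05-12T01:00:00", "192.0.2.91", 90, 64514),
        ("2025-05-12T01:30:00", "203.0.113.221", 60, 64515),
        ("2025-05-12T02:00:00", "198.51.100.8", 180, 64516),
        ("2025-05-12T02:30:00", "192.0.2.150", 60, 64512),
        ("2025-05-12T03:00:00", "203.0.113.63", 120, 64513),
        ("2025-05-12T03:30:00", "198.51.100.201", 60, 64514),
        ("2025-05-12T04:00:00", "192.0.2.33", 90, 64515),
        ("2025-05-12T04:30:00", "203.0.113.17", 60, 64512),
        ("2025-05-12T05:00:00", "198.51.100.77", 120, 64516),
        ("2025-05-12T05:30:00", "192.0.2.12", 60, 64513),
    ],
    # Ordinary CDN-style round robin: three IPs, one ASN, 5-minute TTL.
    "cdn-site.example": [
        ("2025-05-12T00:00:00", "192.0.2.200", 300, 64600),
        ("2025-05-12T00:30:00", "192.0.2.201", 300, 64600),
        ("2025-05-12T01:00:00", "192.0.2.202", 300, 64600),
        ("2025-05-12T01:30:00", "192.0.2.200", 300, 64600),
        ("2025-05-12T02:00:00", "192.0.2.201", 300, 64600),
        ("2025-05-12T02:30:00", "192.0.2.202", 300, 64600),
        ("2025-05-12T03:00:00", "192.0.2.200", 300, 64600),
        ("2025-05-12T03:30:00", "192.0.2.201", 300, 64600),
    ],
}


def flux_score(records, min_ips=8, max_ttl=300, min_asns=3):
    """Summarise a domain's resolution history and flag the fast-flux pattern:
    many distinct IPs, spread across many networks, with short TTLs. The
    thresholds are assumptions for the example, not published figures."""
    ips = {ip for _, ip, _, _ in records}
    asns = {asn for _, _, _, asn in records}
    mean_ttl = sum(ttl for _, _, ttl, _ in records) / len(records)
    return {
        "distinct_ips": len(ips),
        "distinct_asns": len(asns),
        "mean_ttl": mean_ttl,
        "fast_flux": len(ips) >= min_ips and mean_ttl <= max_ttl and len(asns) >= min_asns,
    }


def ip_blocklist_coverage(records, snapshot_hours=1):
    """Build an IP blocklist from the first `snapshot_hours` of observations and
    return the fraction of later resolutions it would have blocked. This is the
    'whack-a-mole' problem expressed as a number."""
    records = sorted(records)
    cutoff = datetime.fromisoformat(records[0][0]) + timedelta(hours=snapshot_hours)
    known = {ip for ts, ip, _, _ in records if datetime.fromisoformat(ts) < cutoff}
    later = [ip for ts, ip, _, _ in records if datetime.fromisoformat(ts) >= cutoff]
    if not later:
        return 1.0
    return sum(ip in known for ip in later) / len(later)


def blocking_advice(domain):
    """Where to put the block: on the name (DNS RPZ/sinkhole, proxy, firewall
    FQDN rule) when the IPs will not hold still, otherwise either works."""
    score = flux_score(OBSERVATIONS[domain])
    return "block by domain name, not IP" if score["fast_flux"] else "IP or domain block is fine"


if __name__ == "__main__":
    for domain, records in OBSERVATIONS.items():
        s = flux_score(records)
        cov = ip_blocklist_coverage(records)
        print(f"{domain}: {s['distinct_ips']} IPs / {s['distinct_asns']} ASNs, "
              f"mean TTL {s['mean_ttl']:.0f}s, fast_flux={s['fast_flux']}, "
              f"1h IP blocklist catches {cov:.0%} of later lookups -> {blocking_advice(domain)}")
```

Run against the constructed records, an IP blocklist built from the first hour of leak-site.example resolutions matches only one in ten later lookups, while the same approach covers two thirds of the CDN's traffic. The practical consequence for a firm is that blocking at the name (resolver policy or proxy) is the only control that keeps up, and even that only stops your own staff from reaching the leak site; it does nothing for anyone else who was emailed the link.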

Why this matters to a law firm (even if you’re not “technical”)

Fast-flux changes the practical reality of a leak event:

  • Domain blocking is whack-a-mole. The IP can change before your blocklists propagate.
  • Seizure is harder. You’re not dealing with one neat hosting provider relationship.
  • Time buys them resilience. Once the data is out, their publishing infrastructure is designed to stay online under pressure.

So “we’ll just take it down” isn’t a plan. It’s a hope.

What your firm should do anyway

This is the uncomfortable takeaway: the most controllable moment is before exfiltration, not after publication.

If you’re prioritizing controls, prioritize the steps that prevent the leak from existing:

  1. Stop the initial intrusion (SRG’s entry is social engineering heavy).
  2. Detect and disrupt data access to document management systems and cloud repositories early.
  3. Limit outbound data movement so tools like WinSCP/Rclone can’t quietly run for long.
  4. Have a communications plan that doesn’t depend on the attacker’s site being removed.

Takedowns can still happen. Sometimes pressure works. Just don’t build your response strategy around it—SRG’s infrastructure is designed to survive the exact kind of pressure victims count on.
