Daylila

Cybersecurity · Monday, 8 June 2026

01 · Briefing · what happened

A phone call, not a hack — extortion gang talks its way into law firms

Cybersecurity · 4 min · 61 sources

A gang is calling US law firms while pretending to be their own IT desk, stealing client files within hours. Plus a US surveillance law nears its deadline, and the case for passkeys.

Key takeaways

  • A gang is phoning US law firms while pretending to be their own IT help desk, then talking employees into installing remote-access software — stealing client files within hours, no software hack needed.
  • If "IT" calls and asks you to install something, hang up and call back on a number you already trust; a real help desk won't mind.
  • A US surveillance law (Section 702) nears a Friday renewal deadline amid a fight over Trump's intelligence-chief pick, and security agencies keep urging passkeys because they remove the shared secret an attacker can steal or phish.

A quiet day for big breaches, but a loud one for an old trick getting sharper: talking your way in. The dominant story today is an extortion gang that doesn’t bother breaking software at all. It just calls you and pretends to be your own help desk.

The help-desk impostor

A gang known as the Silent Ransom Group is actively calling US law firms, pretending to be their internal IT support, and stealing client files within hours, according to a new report from the security firm Mandiant [1]. It follows an FBI advisory last week warning the same group was targeting law firms [1].

Here is how it works, and why it works. The attack starts with a dull email — a fake invoice from an ordinary-looking address, with no link and no attachment to trip an alarm [1]. The email’s only job is to prompt a phone call. On that call, someone claiming to be IT asks the employee to join a remote-support session over a normal tool like Microsoft Teams or Zoom, then to install a remote-access program [1]. The moment that program is running, the caller is inside the network — invited, not breaking in.

Once inside, the group hunts for contracts, tax records, Social Security numbers, and merger files, then copies them out [1]. Mandiant says the gang is fast and aggressive: ransom demands often arrive within 30 minutes of the attackers leaving, with a three-day deadline [1]. If the firm stays silent, the gang threatens to call and email the firm’s own clients to tell them their data was taken [1].

Why law firms? Mandiant’s answer is plain: they hold concentrated piles of extremely sensitive client material, and they have strong reasons to pay quietly rather than face clients and regulators [1]. The gang has been at this since at least 2022, when it was part of the Conti ransomware crew; it has since dropped file-scrambling entirely and now just steals and extorts [1].

The lesson here is not about any one flaw. There was no zero-day — no secret software bug with no fix. The attackers used the most reliable opening in any organisation: a helpful person who wants to do their job. If your “IT department” calls and asks you to install something so they can fix a problem, hang up and call IT back on a number you already have. A real help desk will not mind.

A surveillance law runs down the clock

Congress faces a Friday deadline to renew Section 702 of the Foreign Intelligence Surveillance Act — the law that lets US spy agencies read the emails and messages of foreigners abroad without an individual warrant [3]. The Senate blocked a first attempt to debate it on Friday [3].

What jammed it is a fight over people, not surveillance powers. President Trump named Bill Pulte — who has no security-field experience and keeps his job running the federal housing-finance agency — as acting intelligence chief [3]. Lawmakers in both parties called the choice unqualified; one Democrat described its timing as throwing “a live hand grenade” into the debate days before the deadline [3]. Democrats, whose votes the bill needs, say they will not back renewal unless Trump reverses the appointment [3].

Why it matters to an ordinary person: Section 702 is aimed at foreigners, but Americans’ communications get swept in when they talk to those targets — which is why the law is fought over every renewal [3]. If it lapses, agencies lose a major collection tool overnight; if it renews unchanged, the same sweep continues. Either way, what’s being decided this week is how much of everyone’s traffic the government can read without a warrant. Nothing is settled yet [3].

Why experts keep pushing passkeys

A reader asked a fair question this week: how can a PIN on your phone be safer than a long password with a second check? [13]

The short answer is what a passkey isn’t. A password is a secret you tell a company’s server — so it can be stolen from that server, guessed, or phished out of you on a fake login page. A passkey is a secret your device keeps and never hands over; the site only ever sees proof that your device approved you. There is no shared secret on a server to steal, and a fake login page has nothing to capture [13]. That’s why the UK’s National Cyber Security Centre — the government’s cyber-defence agency — and others favour them [13]. Losing the phone is the obvious worry, but passkeys sync across your devices and sit behind the phone’s own lock, so a thief needs both the device and the way into it.
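What "the site only ever sees proof" means in practice, as an added example that is not part of the original briefing: a simplified challenge-response model in Node.js showing that the server stores only a public key and that a signature made on a look-alike page is rejected. It is not the WebAuthn wire format; the function names, the `.example` origins and the use of Ed25519 (real passkeys commonly use other signature algorithms) are assumptions made for illustration.

```javascript
// Added illustration: passkey-style login with origin binding (simplified model).
// All function names and origins below are hypothetical, constructed for this example.
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key leaves it.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    device: { privateKey }, // never sent anywhere
    serverRecord: { publicKey: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Server side: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Device side: the browser, not the page, supplies the origin that gets signed.
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign(null, Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check the signature, then the challenge it issued, then the origin.
function serverVerify(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  const okSig = crypto.verify(null, Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  if (!okSig) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'stale-or-foreign-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario: the real site, a look-alike page, and a replayed login.
function demo() {
  const REAL = 'https://portal.example', FAKE = 'https://portal-login.example';
  const { device, serverRecord } = registerPasskey();
  const c1 = newChallenge();
  const genuine = serverVerify(serverRecord, c1, REAL, deviceSign(device, c1, REAL));
  const c2 = newChallenge();
  const relayed = serverVerify(serverRecord, c2, REAL, deviceSign(device, c2, FAKE));
  const replayed = serverVerify(serverRecord, newChallenge(), REAL,
    deviceSign(device, c1, REAL));
  const serverHoldsSecret = JSON.stringify(serverRecord).includes('PRIVATE KEY');
  return { genuine, relayed, replayed, serverHoldsSecret };
}
console.log(demo());
```

A copy of the server's database gives an attacker only public keys, and an old or wrong-origin signature cannot be reused for a new login.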

It connects to the day’s lead story. The law firms weren’t beaten by weak passwords either — they were beaten by trust. No single setting fixes that. But removing the shared secret, and removing the reflex to do what a confident voice on the phone tells you, both close the same kind of door.

02 · Lesson · why it matters

The front door is a helpful person, not a locked machine

Most attacks now skip the software and aim at the human reflex to help — which is why no firewall protects the moment a trusted voice asks for a favour.

The attack that isn’t a hack

Today’s gang did not break any software. They phoned a law firm, said they were its IT department, and asked an employee to install a small program so they could fix something. The employee said yes. That yes was the whole intrusion. Within hours, client files were gone.

It is worth sitting with how ordinary that is. There was no secret flaw, no clever code, no alarm to trip. The strongest lock in the building — the trained, careful, well-meaning employee — opened the door from the inside, because someone confident asked them to do their job.

Why the helpful reflex is the target

Every organisation runs on people doing favours for people. IT really does call. Colleagues really do ask for quick installs. The system needs employees who say yes to reasonable requests, or nothing gets done. That cooperation is not a weakness to be drilled out — it is the thing that makes the place work.

The attacker knows this. So they don’t attack the software, which is patched and watched. They attack the reflex, which can’t be patched. They borrow the voice of something you already trust — your own help desk — and ask for exactly the kind of small, reasonable thing you say yes to a dozen times a week. The defence and the vulnerability are the same trait. That is what makes it hard.

One yes, a thousand strangers

Watch how far that single “yes” travels. It wasn’t the employee’s own files that left. It was the clients’ — their contracts, their tax records, their merger plans, their Social Security numbers. People who never took the call, who don’t know the firm’s IT department exists, whose worst day this week was decided by a stranger answering a phone in an office they’ve never seen.

This is the shape of the thing. The systems we live inside are tied together by trust, and trust does not stay where you put it. A bank holds your money on the same logic. A hospital holds your records on it. A supplier three steps up a chain you’ve never heard of holds the key to a factory that makes your medicine. The person at the desk and the stranger an ocean away are the same system. The weak link is never only the weak link’s problem — it is everyone downstream of it, which is nearly everyone.

The cure isn’t being clever

It would be easy to read this and feel a little superior — I’d never fall for that. But the gang isn’t catching fools. It catches careful people on a busy Tuesday, because confidence on the phone is genuinely hard to tell from authority on the phone, and the difference is invisible from where any one person sits. You cannot see the whole network from your own desk. You only see the request in front of you, and it looks fine.

The honest move is smaller than cleverness. It is to notice that you can’t verify a voice, and to build one cheap habit around that limit: when something asks you to open a door, check the door through a path you already trust — hang up, call the number you already had. Not because you’re sharp, but because you know you can’t tell. The same humility runs underneath the passkey advice and the surveillance fight in today’s briefing: remove the shared secret a stranger could borrow, and assume you are inside a system far larger than your view of it. Seeing that whole doesn’t make you safe. It makes you careful — which, for a node in a network you can’t see, is the most honest thing to be.

03 · Lab · your turn

Verify or Comply

Rehearse the help-desk-impostor call and feel why verifying through a trusted path beats a helpful "yes."

Across the beats