A growing law firm. Sensitive client files. And a nagging feeling that their email wasn't as secure as it should be.
That's where this story starts.
Client Snapshot
Client: 21-person regional law firm in Southern California
Industry: Legal services
Services from Beshore IT: Security Operations, Managed IT, Microsoft 365 Management
The Problem (In Their Words)
The firm was adding attorneys and staff across multiple locations. Email and Microsoft 365 had become the backbone of the practice from intake to settlement.
Behind the scenes, though, things felt shaky:
- There was no internal IT team; a tech-savvy office manager and some break/fix help were doing their best.
- Partners kept hearing stories about law firms losing money to email-based fraud and wire scams.
- No one could clearly answer a simple question:
"If someone got into one of our accounts, how would we even know?"
They weren't looking for a scary security presentation. They just wanted to know that:
- Someone was watching their Microsoft 365 environment
- Email-based attacks like phishing and business email compromise would be caught early
- They would get clear communication when something looked wrong
The Plan
Beshore IT designed a security operations stack built around how this firm actually worked.
1. Wazuh SIEM: Watching Microsoft 365 and Endpoints
First, we deployed a Wazuh-based SIEM to collect and correlate security events from:
- Microsoft 365 sign-in and audit logs
- Windows servers and workstations
- Existing endpoint security tools
Then we tuned it for law-firm-specific risks:
- Logins from new countries or impossible travel patterns
- Multiple failed logins followed by a successful one
- New inbox rules that forward mail externally
- Changes to MFA methods or disabled MFA on key accounts
- Admin role assignments and privileged mailbox access
Instead of a pile of raw logs, the firm now had a system that could raise its hand when something didn't look right.
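Two of the detections in the list above, as an added example written for this page in Python (not Beshore IT's Wazuh rules): "multiple failed logins followed by a successful one" and "new inbox rules that forward mail externally". The events are constructed and loosely modelled on Microsoft 365 unified audit log records, and the firm's domain is an assumed placeholder.

```python
from collections import defaultdict
from datetime import datetime

FIRM_DOMAIN = "examplefirm.test"  # assumed internal domain (placeholder)

# Constructed sample events, simplified from the shape of M365 audit records.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@examplefirm.test", "op": "UserLoginFailed"},
    {"ts": "2024-05-01T09:00:20", "user": "alice@examplefirm.test", "op": "UserLoginFailed"},
    {"ts": "2024-05-01T09:00:45", "user": "alice@examplefirm.test", "op": "UserLoginFailed"},
    {"ts": "2024-05-01T09:01:10", "user": "alice@examplefirm.test", "op": "UserLoggedIn"},
    {"ts": "2024-05-01T09:05:00", "user": "alice@examplefirm.test", "op": "New-InboxRule",
     "params": {"Name": "Invoices", "ForwardTo": "billing@mail-relay.example"}},
    {"ts": "2024-05-01T10:00:00", "user": "bob@examplefirm.test", "op": "New-InboxRule",
     "params": {"Name": "Archive", "MoveToFolder": "Old"}},
    {"ts": "2024-05-01T11:00:00", "user": "bob@examplefirm.test", "op": "UserLoggedIn"},
]


def failed_then_success(events, threshold=3, window_s=300):
    """Flag a successful sign-in preceded by >= threshold failures within window_s seconds.

    Returns a list of (user, success timestamp, number of recent failures).
    """
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["op"] == "UserLoginFailed":
            failures[e["user"]].append(t)
        elif e["op"] == "UserLoggedIn":
            recent = [f for f in failures[e["user"]] if (t - f).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append((e["user"], e["ts"], len(recent)))
            failures[e["user"]].clear()  # a success resets the failure run
    return alerts


def external_forwarding_rules(events, internal_domain):
    """Flag inbox rules that forward or redirect mail to an address outside the firm.

    Returns a list of (user, timestamp, parameter name, target address).
    """
    alerts = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = e.get("params", {})
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key)
            if target and not target.lower().endswith("@" + internal_domain):
                alerts.append((e["user"], e["ts"], key, target))
    return alerts
```

In the sample data both rules fire for the same account within minutes, which is the kind of correlation a SIEM is tuned to surface as one high-severity alert rather than two unrelated log lines.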
2. Email Security Gateway in Front of Microsoft 365
Next, we put an email security gateway (Proxmox Mail Gateway) in front of Microsoft 365.
That gave us the ability to:
- Filter spam, malware, and known phishing campaigns
- Block high-risk attachment types
- Add clear external sender banners to cut down on impersonation
- Quarantine and track messages in one place
For a firm that lives in Outlook all day, this was a big piece of their business email compromise defense.
3. Automated Patching and Health Monitoring
We also needed to shrink the attack surface on their endpoints.
We:
- Deployed an RMM platform to all firm workstations and servers
- Turned on automated patch management for Windows and common third-party apps
- Set up health and performance monitoring for key systems
Less "we'll patch it someday," more "we know where we stand."
4. 24/7 Monitoring and Incident Response
Technology alone wasn't the answer. Someone had to watch it.
Through Beshore IT's Security Operations service, the firm now had:
- 24/7 monitoring of SIEM alerts and email security events
- AI-assisted triage to prioritize real issues over noise
- Clear, documented incident response playbooks for account compromise, ransomware indicators, and suspicious email forwarding or rule changes
When a high-severity alert fires, our process is straightforward:
- Investigate the event in context
- Contain it where possible (account lockout, token revocation, etc.)
- Notify firm leadership in plain English
- Document what happened and how it was resolved
The Results
Within a few months, the environment felt very different, not because it was perfect but because it was visible.
Hard Numbers (First 6-9 Months)
- 400,000+ security events analyzed monthly through the SIEM
- 75 high-severity alerts triaged and investigated
- 3,600+ suspicious login events reviewed (unusual locations, failed attempts, etc.)
- 0 successful phishing incidents or confirmed account takeovers since go-live
- Multiple attempted BEC-style attacks detected and blocked
The nagging feeling was replaced with a straightforward story: here's what's in place, here's what we're watching, and here's what we've stopped so far.
Day-to-Day Impact
- Partners finally had a clear answer to: "What's watching our email and logins?"
- Leadership received short, understandable summaries when something suspicious happened
- Workstations and servers moved from "whenever we remember patching" to documented, automated patch compliance
In the Firm's Own Words
Before Beshore IT, our security posture was basically hope and good intentions. We had Microsoft 365, antivirus, and a lot of trust. What we didn't have was visibility.
Now, when we hear about another law firm getting hit with a wire fraud or email compromise story, we know someone is actively watching for the same tactics in our environment. We get alerts, explanations, and clear next steps, not just vague "we're looking into it" emails.
Beshore IT gave us the confidence that if someone tries to get into our systems, it won't go unnoticed.
Managing Partner, 21-person regional law firm in Southern California
The Bottom Line
By combining Wazuh SIEM, an email security gateway, automated patch management, and 24/7 monitoring, this firm went from:
"We hope we're okay."
to:
"We know what's being watched, what's been blocked, and what to do if something slips through."
For a law firm where email, trust, and money all flow through the same systems, that peace of mind isn't just a nice-to-have; it's part of protecting the business.
If your firm has that same nagging feeling about email and account security, you're not alone. The good news: there's a clear, practical way to fix it.