The Receptionist Is Your Last Line of Defense: Silent Ransom Group and the Return of Physical Intrusion
How UNC3753 Bypassed Every Firewall, Every MFA, and Every EDR Tool — by Walking Through the Front Door
Analysis | June 2026
The Threat That No Antivirus Can Stop
Somewhere between January and May 2026, an employee at a US law firm received a phone call from what sounded like their IT department. There was a billing issue. A data migration was pending. Could the employee spare fifteen minutes to verify something on their computer? The voice was professional, knowledgeable, unhurried. It mentioned specific internal systems by name. It knew the firm's technology stack.
What the employee did not know was that the caller was a member of UNC3753 — also tracked by researchers and law enforcement as Silent Ransom Group (SRG), Luna Moth, and Chatty Spider. Within a single business day, the firm's most sensitive client files were gone. Within thirty minutes of the attackers leaving the environment, a threatening email arrived demanding payment within seventy-two hours. No malware had been installed. No firewall rule had been violated. No intrusion detection system had fired.
According to a June 2026 report by Mandiant and Google's Threat Intelligence Group (GTIG), and a concurrent FBI FLASH advisory, this scenario played out at dozens of organizations across legal, professional, and financial services between January and May 2026. In some of those cases, when the telephone approach failed, something even more audacious happened: a person arrived at the firm's physical office, claimed to be IT support staff, said they needed to image a device or create local backups for security reasons, and plugged a USB drive into a computer.
This is not a metaphor for sophisticated social engineering. This is a person. In your lobby. At your front desk.
The Group: Conti's Ghost
UNC3753 did not emerge from nowhere. Its origins trace directly to the Conti ransomware syndicate, one of the most destructive and best-organized cybercrime enterprises in history — responsible for over $180 million in ransomware extortion before its collapse in 2022 following internal leaks and international law enforcement pressure.
When Conti dissolved, its membership did not retire. They redistributed. Some joined LockBit affiliates. Others formed new groups. UNC3753 inherited Conti's operational discipline, its understanding of corporate targets, and its social engineering playbook — but shed the technical complexity of ransomware encryption in favor of something operationally leaner and legally harder to prosecute.
The group traces back to UNC2686, which conducted "BazarCall"-style campaigns from 2021 — using fake software renewal emails and billing lures to trick targets into calling attacker-controlled numbers, where trained operators would guide victims through installing malware under the guise of canceling a subscription.
Silent Ransom Group retained that core innovation — the weaponized phone call — and refined it into a pure extortion model. No encryption. No ransomware binary. No malware in the traditional sense. Just a phone call, a remote management tool, and a deadline. The group has consistently targeted US-based law firms since spring 2023, expanding into financial services and broader professional services through 2025 and 2026.
Why Law Firms? The Deliberate Target Logic
Legal services firms represent high-value targets for extortion actors because they maintain concentrated repositories of extremely sensitive client information — transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports — according to Mandiant's analysis.
But the targeting logic goes deeper than data sensitivity. Law firms are uniquely vulnerable to the specific pressure UNC3753 applies, for three structural reasons:
Attorney-client privilege creates a confidentiality obligation that becomes an attack surface. When stolen data includes client communications, the firm faces not just the reputational damage of a breach — it faces potential professional conduct violations, bar association proceedings, and civil liability to clients whose privileged communications were exposed. Paying quietly to prevent publication is not merely financially rational; it may feel professionally obligatory.
Law firms face regulatory exposure that amplifies extortion leverage. The extortion letters explicitly emphasize that a leak will compromise client trust, invite substantial regulatory fines, and suggest that external clients will sue the victim organization for data mishandling. For a firm already navigating state bar data protection requirements and, increasingly, sectoral regulators like the SEC for firms serving financial clients, that is not empty rhetoric.
Law firms have historically underinvested in cybersecurity relative to the value of data they hold. Unlike financial institutions subject to years of mandatory cybersecurity examination by regulators, law firms — particularly mid-size and boutique practices — have frequently treated cybersecurity as an IT cost rather than an existential risk management function. UNC3753 knows this, and prices its extortion accordingly.
The extortion letters are carefully calibrated to that vulnerability. "You will receive claims from individuals, and legal entities for information leakage and breach of contracts," one letter warned. "Your current deals will be terminated. Journalists and others will dig into your documents, finding inconsistencies or violations in them. Your organization will lose its reputation, shares will fall in price, and your organization will be forced to close." This is not merely a financial threat — it is a surgical description of existential reputational harm, delivered thirty minutes after the data has already left the building.
The Kill Chain: A Business Day From Hello to Extortion
The UNC3753 campaign lifecycle reflects what Mandiant describes as an "optimized, fast-tempo operational model." In many investigated incidents, the entire attack sequence — from initial target contact to data theft and extortion — occurred within a single business day. In some incidents, searching, staging, and exfiltrating files was completed in under an hour. Understanding each step is essential to understanding where defenses must be placed.
Phase 1: The Priming Email
The campaign initiates with benign, invoice-themed emails sent from actor-controlled consumer accounts to raise security concerns without using malicious links or payloads. These emails are carefully designed to be innocuous — they do not contain attachments that trigger email security tools, links to phishing pages, or unusual sending domains. Their sole purpose is to place a mental frame in the recipient's mind: there is an outstanding invoice, a billing discrepancy, a data migration pending. When the follow-up call comes, the context has been established.
This is psychologically sophisticated. Security awareness training teaches people to be suspicious of unexpected attachments and links. It does not typically train people to be suspicious of an email with no attachment, followed by a phone call from someone who sounds like IT support.
Phase 2: The Vishing Call — Where the Breach Begins
The core intrusion vector is voice phishing (vishing). Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management utilities.
The callers are trained, professional, and prepared. They demonstrate knowledge of the firm's IT environment — system names, software packages, sometimes even the names of actual IT staff members obtained through LinkedIn reconnaissance. They speak with appropriate authority and urgency without being aggressive. They explain that the action required is routine: share your screen so we can verify the issue, or download this tool so we can check something remotely.
The tools they direct victims to download — AnyDesk, Zoho Assist, and similar RMM applications — are freely downloadable and widely used for legitimate IT support. Most endpoint security tools do not flag them. Most firms have no policy preventing employees from installing them. Once installed, they create a persistent backdoor that looks completely normal to security monitoring.
Phase 3: Data Identification and Exfiltration
Once inside the environment via RMM access or screen-sharing, the attackers either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf. The group conducts real-time searches across document management systems — iManage, SharePoint, internal file shares — targeting merger documents, client correspondence, financial records, and regulatory filings. UNC3753 is also known to abuse msiexec.exe to silently install MSI-packaged RMM agents, and subsequently clears Security, System, and Application event logs using wevtutil cl — eliminating forensic evidence of its presence.
In some incidents, the entire data collection phase — identifying, staging, archiving, and exfiltrating the target files — was complete in under an hour.
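The log clearing described above is itself a detectable event: a Security log wipe leaves Event ID 1102 as the first entry in the freshly cleared Security log, and clearing System or Application writes Event ID 104 to the System log, both of which reach a collector if logs are forwarded before the wipe. The following is an added example (not code from the Mandiant/GTIG report) of detection logic run over constructed, forwarded-style event records; host names, user names and paths are invented.

```python
"""Flag event-log clearing and silent MSI installs from forwarded Windows events.

Added example for this analysis, not from the report it discusses. The sample
records are constructed to resemble events already shipped to a SIEM/WEF
collector, which is why they survive the local `wevtutil cl`.
"""
from typing import Iterable

# Constructed sample: the sequence a collector would hold for one workstation.
SAMPLE_EVENTS = [
    {"host": "WS-PARALEGAL-07", "channel": "Security", "event_id": 4688, "user": "jdoe",
     "command_line": r"C:\Windows\System32\msiexec.exe /i C:\Users\jdoe\Downloads\agent.msi /qn"},
    {"host": "WS-PARALEGAL-07", "channel": "Security", "event_id": 4688, "user": "svc_deploy",
     "command_line": r"C:\Windows\System32\msiexec.exe /i C:\ProgramData\Deploy\vpn.msi /qn"},
    {"host": "WS-PARALEGAL-07", "channel": "Security", "event_id": 4688, "user": "jdoe",
     "command_line": r"C:\Windows\System32\wevtutil.exe cl Security"},
    {"host": "WS-PARALEGAL-07", "channel": "Security", "event_id": 1102, "user": "jdoe",
     "command_line": ""},
    {"host": "WS-PARALEGAL-07", "channel": "System", "event_id": 104, "user": "jdoe",
     "command_line": ""},
    {"host": "WS-PARALEGAL-07", "channel": "Security", "event_id": 4688, "user": "jdoe",
     "command_line": r"C:\Windows\System32\notepad.exe memo.txt"},
]


def _image_name(command_line: str) -> str:
    """Return the lower-cased executable file name from a 4688 command line."""
    if not command_line:
        return ""
    return command_line.lower().split()[0].rsplit("\\", 1)[-1]


def detect(events: Iterable[dict]) -> list[str]:
    """Return one alert string per suspicious event, in arrival order."""
    alerts = []
    for ev in events:
        eid, chan, host, user = ev["event_id"], ev["channel"], ev["host"], ev["user"]
        cmd = ev.get("command_line", "").lower()
        exe = _image_name(cmd)
        if chan == "Security" and eid == 1102:
            # Logged by the Eventlog service itself when the Security log is cleared.
            alerts.append(f"{host}: Security log cleared by {user} (Event 1102)")
        elif chan == "System" and eid == 104:
            # Logged when System, Application or another non-Security log is cleared.
            alerts.append(f"{host}: System/Application log cleared by {user} (Event 104)")
        elif eid == 4688 and exe == "wevtutil.exe" and {"cl", "clear-log"} & set(cmd.split()):
            # Process creation (with command-line auditing enabled) catches the tool itself.
            alerts.append(f"{host}: wevtutil clear-log invoked by {user}: {cmd}")
        elif eid == 4688 and exe == "msiexec.exe" and "\\users\\" in cmd and " /q" in cmd:
            # Quiet MSI install from a user-writable path, unlike the deployment-share case.
            alerts.append(f"{host}: silent MSI install from user profile by {user}: {cmd}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The 4688 rules depend on "Include command line in process creation events" being enabled; the 1102 and 104 rules do not, and are the ones that still fire when command-line auditing is off.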
Phase 4: The Physical Escalation
Here is where UNC3753's 2026 campaign crossed a threshold that has alarmed the security community. When digital social engineering fails — when a target is too security-conscious to download an RMM tool, when a firm has adequate caller verification controls, when the vishing attempt is recognized and terminated — the group does not simply move on to the next target. In some cases, it escalates physically.
According to the FBI FLASH advisory and corroborated by GTIG, Silent Ransom Group members have been walking into law firms' physical offices as recently as spring 2026. Once on-site, they claim to be IT support staff needing to image a device or create local backups for security reasons. If that claim is accepted, they plug a USB drive into a computer and steal data directly.
The attribution carries a caveat: GTIG assesses that these physical intrusions are likely associated with UNC3753 based on structural, timeline, and targeting overlaps, but limited forensic evidence and the absence of a subsequent extortion attempt in some cases prevent formal attribution. The behavioral and operational consistencies are, however, strong enough for both Mandiant and the FBI to treat this as part of the same campaign.
Phase 5: The Thirty-Minute Extortion Clock
Within thirty minutes of exiting a victim's environment, UNC3753 sends a threatening email demanding a response within three days. The speed is deliberate: it forecloses the victim's ability to fully assess the breach, consult legal counsel, engage incident response, or develop a considered negotiating position before the pressure begins. If ignored, the group threatens to contact employees, clients, and the media directly, and to publish stolen files on a data leak site called LEAKEDDATA.
The three-day clock, combined with the specificity of the threatened consequences — regulatory fines, client lawsuits, reputational destruction, coverage by journalists — is engineered to produce a payment decision under maximum duress, before the victim has time to determine whether the threatened data is actually sensitive enough to extort or whether the attacker is bluffing on its leverage.
What This Attack Breaks in the Standard Security Model
The UNC3753 campaign is significant not just as a threat but as a systematic demonstration of the gaps in how organizations conceptualize cybersecurity. Each layer of the standard defensive architecture is either bypassed or irrelevant:
Firewalls and network security appliances — irrelevant. No malicious inbound traffic. The attacker is invited in through a legitimate RMM tool or physically present.
Endpoint Detection and Response (EDR) — ineffective against legitimate tools. AnyDesk, Zoho Assist, and similar RMM applications are not malware and are not flagged by EDR signatures.
Multi-factor authentication — bypassed entirely in the remote access vector. The attacker is not attempting to authenticate to systems; the victim authenticates on their behalf by being manipulated into performing actions through a screen share.
Email security gateways — irrelevant. The initial priming emails contain no malicious content, no links, no attachments.
Security Information and Event Management (SIEM) — neutered in the post-intrusion phase by log clearing using wevtutil cl.
Data Loss Prevention (DLP) — potentially effective but frequently not deployed comprehensively. DLP covering document management systems like iManage and SharePoint would potentially flag bulk file searches and mass downloads — but only if configured with appropriate sensitivity to large-scale data access events by authenticated users.
The only controls that reliably interrupt the UNC3753 kill chain are human verification procedures and explicit policy controls on RMM tools. These are the cheapest and most neglected controls in most organizations' security programs.
The Defense Mandate: What Organizations Must Do Differently
Mandiant's remediation guidance is the most operationally specific part of the report. It addresses both the digital and physical attack surface:
Block unauthorized RMM tools via application control policies. AnyDesk, TeamViewer, Zoho Assist, and similar tools should not be installable by end users without explicit authorization. Application control lists should permit only IT-approved remote access solutions, and those solutions should require corporate device enrollment and MFA.
Enforce conditional access so only corporate devices can reach VDI or VPN. If an attacker has convinced an employee to download a tool on a personal device, conditional access policies that restrict network and application access to enrolled, managed corporate devices create a barrier to lateral movement.
Disable USB mass storage read/write across all endpoints. This directly addresses the physical intrusion vector. Group Policy or endpoint management platforms can enforce this centrally. A visitor plugging a USB drive into a managed endpoint should achieve nothing.
Configure real-time alerts in iManage and SharePoint for bulk file searches. The data exfiltration phase involves mass searching and downloading. Document management systems have the native capability to log and alert on anomalous access patterns — large-volume searches, downloading of files outside normal working patterns, access to matter types inconsistent with the authenticated user's role. These alerts are frequently not configured.
Require MFA on document repositories — separate from network authentication. Even if an attacker has achieved remote access through an RMM tool running as the victim's authenticated user, MFA on the document management system itself creates an additional barrier to the data they are targeting.
Train staff specifically on vishing tactics. Generic security awareness training is insufficient. Staff need to be specifically trained to recognize the priming email pattern, understand that IT support will not call them unsolicited asking them to download software, know the correct procedure for verifying IT support identity (call back through a known number, verify against a work order), and understand that sharing a screen with any external party requires prior authorization.
Physical security protocols for the front desk. Copy and log every visitor ID. Verify all technicians against pre-scheduled work orders with the parent organization. Require escorts at all times. Any person claiming to be IT support who is not on a pre-authorized work order should be denied access, and the incident reported to security and IT leadership immediately. This sounds procedurally obvious. In practice, most professional services firms have no formal visitor verification protocol beyond signing a guest log.
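The bulk-access alerting recommended above comes down to a per-user sliding window over repository audit records. The block below is an added example (not Mandiant's guidance or any vendor's product logic) of that rule over constructed, SharePoint-style audit records; the user names, matter paths and the 25-files-in-10-minutes threshold are assumptions to be tuned against a firm's own baseline.

```python
"""Sliding-window detection of bulk file access in a document repository.

Added example for this analysis. The records below are constructed to mimic
audit entries from a document management system; field names, users, paths
and thresholds are assumptions, not values from any real environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 25                  # distinct files per user within one window
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time; outside this adds a flag


def build_sample() -> list[dict]:
    """Constructed audit log: one authenticated user draining a matter folder,
    one user working normally over the same morning."""
    base = datetime(2026, 3, 12, 9, 15)
    recs = []
    for i in range(40):   # burst: 40 files in just over five minutes
        recs.append({"user": "jdoe@firm.example", "time": base + timedelta(seconds=8 * i),
                     "operation": "FileDownloaded", "item": f"/Matters/M-4471/Deal_{i:03}.docx"})
    for i in range(6):    # baseline: a few files spread across an hour
        recs.append({"user": "asmith@firm.example", "time": base + timedelta(minutes=12 * i),
                     "operation": "FileDownloaded", "item": f"/Matters/M-0019/Memo_{i}.docx"})
    recs.append({"user": "asmith@firm.example", "time": base, "operation": "SearchQueryPerformed",
                 "item": "merger"})
    return sorted(recs, key=lambda r: r["time"])


def detect_bulk_access(records, threshold=THRESHOLD, window=WINDOW) -> list[str]:
    """Return one alert per user whose distinct-file count crosses `threshold`
    inside any `window`-long span. Records must be time-ordered."""
    recent = defaultdict(deque)   # user -> deque of (time, item) inside the window
    alerted = set()
    alerts = []
    for r in records:
        if r["operation"] not in ("FileDownloaded", "FileAccessed"):
            continue              # searches are logged but counted separately here
        q = recent[r["user"]]
        q.append((r["time"], r["item"]))
        while q and r["time"] - q[0][0] > window:
            q.popleft()           # drop entries that fell out of the window
        distinct = {item for _, item in q}
        if len(distinct) >= threshold and r["user"] not in alerted:
            alerted.add(r["user"])
            flag = "" if r["time"].hour in BUSINESS_HOURS else " outside business hours"
            alerts.append(f"{r['user']}: {len(distinct)} distinct files within "
                          f"{int(window.total_seconds() // 60)} min{flag}; latest {r['item']}")
    return alerts


if __name__ == "__main__":
    for line in detect_bulk_access(build_sample()):
        print(line)
```

Running the same rule with a lower threshold or longer window shows why tuning matters: the baseline user crosses a 3-files-in-2-hours rule too, which is the false-positive rate a firm pays for a tighter setting.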
The Broader Signal: The Threat Model Has Changed
The significance of the UNC3753 campaign extends beyond its immediate victim set. It represents a maturation in the criminal threat landscape that security architects have been warning about for years but that has rarely been seen at this operational scale: the convergence of social engineering, technical access, and physical intrusion into a single, integrated attack campaign.
Previous physical intrusion incidents in the cybersecurity record — the USB-dropping campaigns documented by CISA, isolated incidents of disgruntled insiders or financially motivated walk-ins — were treated as edge cases, too operationally complex to scale. UNC3753 appears to have demonstrated that physical intrusion can be operationalized as a systematic fallback within a larger extortion campaign, at least against the class of professional services organizations that lack robust visitor verification.
The underlying driver is economics. When a law firm's client files are worth millions in potential extortion leverage — when the data on a single matter file could expose a pending acquisition, a regulatory investigation, a client's personal liability — the cost-benefit calculation for physical intrusion is favorable to the attacker. A trained operator, a convincing cover story, a USB drive, and access to a building where the receptionist has never been trained to verify IT credentials: this combination, in the right target environment, is cheaper and more reliable than a sophisticated technical attack.
As threat groups recognize this, the pressure on physical security programs at professional services firms will intensify. The security operations center monitoring network traffic cannot see a USB drive being plugged into a machine in a conference room. The endpoint agent flagging suspicious processes cannot stop an employee who has been convinced — by a professional social engineer with a work order template and a polo shirt — that the person at their desk is supposed to be there.
The firewall is not the problem. The receptionist, the employee who took the call, the person who let the IT support person into the conference room — they are the last line of defense in this attack model. Most organizations have invested hundreds of thousands of dollars in the former and almost nothing in training the latter.
That calculation is no longer sustainable.
Conclusion: The Human Perimeter
The UNC3753 campaign against US law firms is a case study in adversarial adaptation. Facing increasingly hardened technical perimeters — better EDR, broader MFA deployment, more capable email security — a sophisticated criminal group responded not by finding a new technical vulnerability but by recognizing that human beings are reliably the weakest link in any security architecture and systematically building a campaign designed to exploit that weakness at scale.
The physical intrusion element is the starkest illustration of where this logic leads. When the phone call fails, send a person. When the digital perimeter holds, walk around it.
No SIEM catches this. No firewall blocks it. No antivirus detects a human being with a USB drive.
The organizations that will weather this threat model are not necessarily the ones with the most sophisticated technical architecture — they are the ones that have invested as seriously in their human security layer as in their technical one. That means training that goes beyond phishing simulations. It means visitor verification protocols that are actually enforced. It means a culture where an employee who declines to download a tool recommended by an unverified caller is praised, not embarrassed.
It means treating the receptionist's judgment as a security control.
Sources: Google Cloud / Mandiant — "Ongoing Targeted Campaign Against US Law Firms" (June 2026); FBI FLASH Advisory — Silent Ransom Group, May 26, 2026; BleepingComputer; Dark Reading; The Register; The Hacker News; Security Affairs; GBHackers; Cybersecurity News; Halcyon Threat Intelligence.