Intellix IT Solutions
Intellix · For Legal Practices

Data protection & external exposure reviews for solicitor firms.

Solicitor firms handle highly sensitive information — medical records, litigation documents, financial details, identity data. Small technical oversights in websites, email systems or DNS configuration can create disproportionate legal and reputational risk. We surface those oversights before they surface elsewhere.

The reality

Three exposures we keep seeing across Irish legal practices.

Email impersonation of a partner

A spoofed message — apparently from a partner, advising a client to redirect a settlement payment to a new account — succeeds because the firm's domain lacks DMARC enforcement. The exposure is in the DNS, not the inbox.

Public exposure of staff usernames

A WordPress site, set up years ago by a web agency, publishes every author's login slug under /wp-json/wp/v2/users. A targeted phishing campaign against named staff becomes trivial.

Intake-form data flowing through a forgotten processor

A 'request a callback' form posts to a third-party service nobody has reviewed in five years. The privacy notice doesn't mention the processor. The form predates the current data-protection regime entirely.

What's in scope

Six focus areas. Externally observable.

Each area is a public-facing exposure that a partner can act on with their existing IT and web suppliers. No system access required.

Microsoft 365 impersonation protection

SPF, DKIM and DMARC alignment — so a spoofed partner email doesn't reach a client inbox.

Website user exposure

WordPress administrator accounts, public author archives and forgotten staff accounts.

WordPress hardening

Public admin paths, plugin currency, outdated themes, exposed login surfaces.

Secure forms & intake

Client-intake and contact forms — TLS, retention, processor disclosure, embedded widgets.

GDPR posture review

Privacy notice alignment with what the site and embedded vendors actually do.

Public attack-surface validation

DNS, certificates, subdomains, look-alike domains, parked-domain risk.

What we will not say

We won't claim what we don't hold.

We are members of the Data Protection Officers Association of Ireland, the British Computer Society and the Irish Computer Society. We are not ISO 27001 certified, and we won't tell you we are. We don't sell "compliance guaranteed". What we do is reduce the surface a regulator, an insurer or an attacker can see — and document it in language your management committee can sign off.

Process

Four trust-first steps. No surprises.

01. Non-Intrusive Review

External only. No logins, no system access, no disruption. We see exactly what a member of the public sees.

02. Plain-English Findings

A short summary an office manager or partner can read in 10 minutes. No CVE numbers, no jargon dump.

03. Remediation Guidance

Owner-mapped: web agency, IT provider, Microsoft 365 admin, DNS provider. We tell you who you should phone for each item.

04. Optional Ongoing Review

A quarterly snapshot keeps the posture you fix today still fixed in six months. Optional, never automatic.

Where we work

Serving legal practices across Ireland.

Dublin · Portlaoise · Kildare · Galway · Shannon · Thurles · Cashel · Limerick · Athlone · Birr · Roscrea · Tipperary Town — and especially the midlands and mid-west, where local specialist resources are thinner on the ground. The complimentary review is delivered remotely; partner-level conversations are scheduled in person where they add value.

One step

Request a post-launch validation review.

Whether your firm has just refreshed its website, taken on a new managing partner, or simply wants a second pair of eyes — the snapshot is complimentary and the conversation is confidential.