Methodology
Between March and April 2026, we ran non-invasive security assessments on 44 Florida law firm domains. These firms ranged from solo practitioners to 10-attorney offices, spanning real estate, personal injury, estate planning, family law, and business transactions.
Our scans covered:
- DNS analysis — SPF, DKIM, DMARC configuration, zone transfer testing
- Infrastructure discovery — subdomain enumeration, port scanning, service identification
- Software detection — web server, CMS, programming language, and database version identification
- TLS/SSL analysis — certificate validity, protocol versions, cipher strength
- Security headers — HSTS, CSP, X-Frame-Options, and other HTTP security headers
No credentials were used. No login pages were tested. No data was accessed. Every check in our scan is the equivalent of what any person — or attacker — can see from the public internet.
The headline numbers
| Finding | Firms affected | Percentage | |---------|---------------|-----------| | DMARC missing or not enforced | 37 of 44 | 84% | | SPF missing or misconfigured | 19 of 44 | 43% | | At least one exposed database port | 8 of 44 | 18% | | Outdated server software | 22 of 44 | 50% | | Missing critical security headers | 41 of 44 | 93% | | DNS zone transfer exposed | 6 of 44 | 14% |
Finding 1: 84% had no properly configured DMARC
This was the most common and most concerning finding. Of 44 firms scanned:
- 21 firms (48%) had no DMARC record at all
- 16 firms (36%) had DMARC set to p=none (monitor only, no protection)
- 5 firms (11%) had DMARC set to p=quarantine
- 2 firms (5%) had DMARC set to p=reject
Only those last two firms — 5% of the total — had actual protection against email spoofing. The other 42 firms could have their email addresses spoofed by anyone.
To put this in context: any person in the world can send an email that appears to come from 95% of the firms we scanned. The recipient would see the attorney's exact email address in the "from" field with no indication it was forged.
For a real estate firm handling closings with six-figure wire transfers, this is not a theoretical risk. The FBI reports billions in losses annually from business email compromise attacks, with real estate transactions being the single largest category.
Finding 2: Exposed database servers
Eight firms — 18% of those scanned — had database servers directly accessible from the open internet. These were not behind a firewall or VPN. Anyone could attempt a connection.
One Tampa real estate firm had MySQL port 3306 open and accepting connections on its primary server. The database was running MySQL 5.7.44, which reached end of life in October 2023 and no longer receives security patches.
A two-attorney estate planning practice in Naples had both MySQL (3306) and PostgreSQL (5432) ports exposed on the same server. The PostgreSQL instance was running version 11, which reached end of life in November 2023.
To be clear: we did not attempt to authenticate or access any data. But the fact that these ports are open means an attacker can attempt brute-force authentication, exploit known vulnerabilities in the database software, or use the exposed service as a foothold for further attacks.
A properly configured server has these ports firewalled so only the web application can access them internally. There is no legitimate reason for a database server at a law firm to accept connections from the open internet.
Finding 3: Outdated and end-of-life software
Half the firms we scanned — 22 of 44 — were running at least one piece of server software that was significantly outdated or had reached end of life.
The most common outdated software:
- PHP 7.4 — Found on 14 servers. PHP 7.4 reached end of life in November 2022 and has not received security patches for over three years.
- MySQL 5.7 — Found on 6 servers. End of life since October 2023.
- Apache 2.4.37-2.4.51 — Found on 9 servers. Multiple known CVEs in these versions, including vulnerabilities that allow request smuggling and path traversal.
- OpenSSH 7.x-8.x — Found on 11 servers. Several versions affected by the regreSSHion vulnerability (CVE-2024-6387), which allows potential unauthenticated remote code execution.
One Jacksonville personal injury firm was running PHP 5.6 — a version that reached end of life in December 2018, over seven years ago. Every known vulnerability discovered since then remains unpatched on their server.
Finding 4: Unencrypted email protocols
Several firms had email-related ports exposed using unencrypted protocols:
- POP3 (port 110) — 9 firms had unencrypted POP3 accessible. POP3 transmits email passwords in plain text.
- IMAP (port 143) — 7 firms had unencrypted IMAP accessible. Same problem — credentials sent without encryption.
While most modern email clients use the encrypted versions of these protocols (POP3S on port 995, IMAPS on port 993), having the unencrypted ports open means a client or device could be configured to use the insecure version, transmitting credentials that could be intercepted.
Finding 5: DNS zone transfer exposed
Six firms (14%) had DNS servers that allowed zone transfer (AXFR) requests from any source. Zone transfer is a DNS replication mechanism intended only for authorized secondary DNS servers. When exposed to the public, it allows anyone to download the firm's complete DNS records.
This reveals every subdomain, every server, every service — the complete map of the firm's internet-facing infrastructure. For an attacker performing reconnaissance, this is equivalent to being handed the building's floor plans and key inventory.
One Sarasota family law firm had zone transfer enabled on all four of its nameservers, returning over 40 DNS records including internal service subdomains that were not otherwise discoverable.
What this means for law firm clients
If you are a client of a law firm with these vulnerabilities, your communications with your attorney may not be as secure as you assume.
An attacker who can spoof your attorney's email address can:
- Send you fake wire instructions during a real estate closing
- Request sensitive documents using your attorney's identity
- Impersonate your attorney in communications with opposing counsel
- Send you malicious attachments that appear to come from your lawyer
None of these attacks require "hacking" in the traditional sense. They require only sending an email with a forged sender address — something DMARC was specifically designed to prevent.
Why small firms are more vulnerable
Large law firms — the Am Law 100, major regional firms — generally have IT departments, security policies, and the budget for enterprise security tools. They are not immune to attacks, but they have layers of defense.
Small firms typically have:
- No dedicated IT staff. The managing partner handles technology decisions, or they outsource to a local MSP who may or may not understand email authentication.
- No security monitoring. No one is watching for spoofing attempts, scanning for vulnerabilities, or monitoring exposed services.
- Shared hosting environments. Many small firm websites run on shared cPanel hosting where the firm has limited control over server configuration, software updates, and firewall rules.
- No formal security policies. No acceptable use policies, no incident response plan, no data handling procedures. If a breach occurs, there is no playbook.
This does not mean small firms cannot be secure. It means they need tools built for their scale — automated scanning, guided remediation, and continuous monitoring that does not require a security team to operate.
What firms should do immediately
1. Check your DMARC status. Run your domain through a free scanner at kasperashield.com/security-assessment. If your DMARC is missing or set to p=none, fixing it should be your top priority.
2. Close exposed ports. If your server has database ports (3306, 5432, 27017) or unencrypted email ports (110, 143) accessible from the internet, contact your hosting provider immediately. These ports should be firewalled to allow only internal access.
3. Update your software. If you are running PHP 7.4, MySQL 5.7, or any other end-of-life software, you are running on borrowed time. Every day that passes adds new unpatched vulnerabilities.
4. Check your DNS configuration. Zone transfer should be restricted to authorized secondary nameservers only. Your DNS provider can disable public AXFR in their configuration panel.
5. Start monitoring. Security is not a one-time fix. New vulnerabilities are discovered daily. Software versions that are current today will be outdated next year. Continuous monitoring catches problems before attackers do.
Every finding in this report is something an attacker can discover in minutes using freely available tools. The difference between a vulnerability and a breach is often just a matter of whether someone has looked.
