AttorneyArmor
SAMPLE REPORT · Illustrative content prepared for a fictional firm. All names, domains and findings are redacted or fabricated for demonstration.

Confidential — Attorney Work Product

Cyber Risk Assessment

Cole & Whitman LLP  ·  Q2 2026 Quarterly Briefing

Report ID: AA-2026-Q2-0418
Scan window: Apr 1 – Jun 15, 2026
Prepared by: AttorneyArmor SOC

AttorneyArmor Score: 76 out of 100 (+8 vs. prior quarter)

Finding Distribution: 2 Critical, 2 High, 2 Medium, 1 Low

The firm's posture improved meaningfully this quarter following remediation of nine prior-period findings. Two newly discovered critical exposures require action within 24 hours to remain in policy with cyber-insurance underwriter Beazley.

Executive Summary

Cole & Whitman's external attack surface remains in line with comparable AmLaw 200 practices, with notable strength in endpoint detection coverage and outbound email authentication for the primary domain. The firm continues to benefit from the 2025 migration to Microsoft 365 E5 and the deployment of conditional access for the litigation group.

Two findings classified as critical require partner-level attention this week. The first — an exposed Exchange admin portal without enforced MFA — would, if exploited, provide a quiet path into mailboxes belonging to the M&A practice. The second concerns an inadvertently public file share containing material from active discovery. Both are remediable within a single business day and do not require capital expenditure.

We recommend the firm prioritize three workstreams over the next 30 days: (1) emergency remediation of the two critical findings, (2) escalation of DMARC enforcement to p=reject, and (3) closure of the identity-lifecycle gap created by the manual offboarding process. Completion of these three items will move the AttorneyArmor Score from 76 to a projected 88.

Attack Surface Inventory

Assets discovered through passive reconnaissance, certificate transparency logs, and authenticated tenant introspection.

Domains & Subdomains: 47 (+3 this quarter)
Exposed Services: 128 (-12 from prior scan)
Email Endpoints: 19 (no change)
Cloud Storage Buckets: 34 (+5 this quarter)
Third-Party Integrations: 22 (+2 this quarter)
TLS Certificates: 61 (3 expiring in under 30 days)

Prioritized Findings

Each finding is written for partner-level consumption with a defensible remediation path and contractual SLA.

Finding #001 · Critical · SLA: 24 hours

Exposed Microsoft Exchange web access and admin portal (OWA/ECP) without MFA enforcement

Affected Asset: mail.[REDACTED].com
Reference: CVE-2024-21410

Business Impact
Privileged credential theft enabling silent mailbox access for partners handling M&A deal flow. Direct violation of ABA Formal Opinion 477R.

Recommended Remediation
Enforce conditional access requiring MFA plus a compliant device for all OWA/ECP endpoints. Restrict /ecp to internal IP space within 24 hours.

Finding #002 · Critical · SLA: 24 hours

Litigation file share indexed by public search engines

Affected Asset: files.[REDACTED].com/discovery/
Reference: Misconfiguration — directory listing enabled

Business Impact
1,247 documents from active matters discoverable via Google dorking. Includes deposition transcripts, expert reports, and protective-order material.

Recommended Remediation
Disable autoindex, add X-Robots-Tag: noindex, rotate any pre-signed URLs, and submit Google Search Console removal requests.

Finding #003 · High · SLA: 7 days

Legacy Citrix NetScaler running unpatched firmware

Affected Asset: remote.[REDACTED].com
Reference: CVE-2023-4966 (CitrixBleed)

Business Impact
Session-token leakage allows attackers to hijack authenticated remote-desktop sessions for attorneys working from co-counsel offices.

Recommended Remediation
Upgrade NetScaler to 14.1-21.57 build or later. Invalidate all active sessions post-upgrade and rotate ICA credentials.

Finding #004 · High · SLA: 7 days

DMARC policy set to p=none — domain spoofable

Affected Asset: [REDACTED].com (root domain)
Reference: Email authentication misconfiguration

Business Impact
Threat actors can spoof partner-level senders. Past 30 days: 14 phishing attempts impersonating the managing partner caught by external filters.

Recommended Remediation
Stage DMARC to p=quarantine for 14 days, then escalate to p=reject, with rua (aggregate) and ruf (failure/forensic) reporting addresses enabled throughout.
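The staged rollout above can be checked mechanically. The following is an added example (not AttorneyArmor's tooling) that parses a DMARC TXT record, flags whether the domain is still spoofable, reports missing rua/ruf addresses, and names the next stage in the none → quarantine → reject progression; the sample records are constructed and the mailbox addresses are placeholders.

```python
# DMARC policy stages in the order finding #004 recommends rolling them out.
STAGES = ["none", "quarantine", "reject"]

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase tag -> value map."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess_dmarc(txt: str) -> dict:
    """Return current policy, spoofability, reporting gaps and the next rollout step."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "none").lower()
    if policy not in STAGES:
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))  # pct=0 makes any policy a no-op
    gaps = []
    if "rua" not in tags:
        gaps.append("no rua= aggregate reporting address")
    if "ruf" not in tags:
        gaps.append("no ruf= failure reporting address")
    sub = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if sub in STAGES and STAGES.index(sub) < STAGES.index(policy):
        gaps.append(f"subdomain policy sp={sub} weaker than p={policy}")
    if policy == "reject" and pct == 100 and not gaps:
        next_step = "enforcement complete; keep monitoring aggregate reports"
    elif policy == "reject":
        next_step = "raise pct to 100 and close reporting gaps"
    else:
        next_step = f"move p={policy} to p={STAGES[STAGES.index(policy) + 1]}"
        if policy == "quarantine":
            next_step += " after 14 days of clean aggregate reports"
    spoofable = policy == "none" or pct == 0
    return {"policy": policy, "pct": pct, "spoofable": spoofable,
            "gaps": gaps, "next_step": next_step}

# Constructed sample records, not live DNS data.
WEAK = "v=DMARC1; p=none"
STAGED = ("v=DMARC1; p=quarantine; pct=100; "
          "rua=mailto:dmarc@example.invalid; ruf=mailto:dmarc@example.invalid")
```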

Finding #005 · Medium · SLA: 14 days

Three former employee accounts retain VPN access

Affected Asset: Azure AD tenant
Reference: Identity lifecycle gap

Business Impact
Offboarded associates (departed 47–112 days ago) still hold valid VPN certificates. Violates SOC 2 CC6.2 access deprovisioning.

Recommended Remediation
Revoke certificates, disable accounts, and enable HR-system-triggered automated offboarding via SCIM provisioning.

Finding #006 · Medium · SLA: 30 days

Client portal accepts weak passwords (8 chars, no complexity)

Affected Asset: portal.[REDACTED].com
Reference: Authentication weakness

Business Impact
Brute-force feasible against client logins. 22 portal accounts currently use passwords appearing in the HaveIBeenPwned breach corpus.

Recommended Remediation
Raise minimum to 14 characters, screen against a breached-password API, and offer SSO via clients' own identity providers.
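The two portal checks recommended above (14-character minimum and breached-password screening) can be combined without ever sending a client's password or full hash to a third party. This added example, not part of the report or of the portal's code, implements the k-anonymity range lookup used by breached-password APIs: only the first five hex characters of the SHA-1 hash are sent, and the remaining 35 are matched locally. The range response here is a constructed offline stand-in and its breach count is made up.

```python
import hashlib
from typing import Callable

MIN_LENGTH = 14  # minimum length recommended in finding #006

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the 5-char hash prefix, match the
    35-char suffix locally against the 'SUFFIX:COUNT' lines returned."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, fetch_range)
    if hits:
        problems.append(f"appears {hits} times in breach corpus")
    return problems

# Constructed stand-in for the range API so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the count is invented.
_OFFLINE_RANGES = {
    "5BAA6": "\n".join([
        "1D2F4F3F5A0E6B7C8D9E0F1A2B3C4D5E6F7:2",        # constructed filler
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",  # suffix of 'password'
        "1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4:1",        # constructed filler
    ]),
}

def offline_fetch_range(prefix: str) -> str:
    # A real deployment replaces this with an HTTPS GET of /range/{prefix}.
    return _OFFLINE_RANGES.get(prefix.upper(), "")
```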

Finding #007 · Low · SLA: 60 days

Server banner discloses software version on marketing site

Affected Asset: www.[REDACTED].com
Reference: Information disclosure

Business Impact
Reconnaissance accelerant. Reduces attacker effort to identify exploitable versions of nginx and WordPress.

Recommended Remediation
Set server_tokens off in nginx; remove the generator meta tag from the WordPress theme.

Compliance Posture

Mapped to the frameworks your underwriters and clients ask about.

Framework                                  Status      Score
ABA Model Rule 1.6                         At Risk     78
SOC 2 Type II — CC6 (Access)               At Risk     71
NIST CSF 2.0                               Compliant   86
GDPR Art. 32 (Security of Processing)      Compliant   89
NY DFS 23 NYCRR 500                        At Risk     74

90-Day Trend

AttorneyArmor Score has improved by 18 points since the firm engaged in January.

Open Findings

Critical: 2 open
High: 2 open
Medium: 2 open
Low: 1 open

9 findings closed this quarter, 7 newly identified.

See your firm's report

A complimentary baseline assessment takes 12 minutes and produces a redacted preview of the report above, scoped to your domains.


© 2026 AttorneyArmor, Inc. Sample report for demonstration only. Confidential and prepared as attorney work product when delivered to a client firm.