
From click to containment: How RumbergerKirk stopped a business email compromise in minutes with ThreatLocker


When a business email compromise (BEC) slipped past the inbox, Avi Solomon, Chief Information Officer of RumbergerKirk, a full-service law firm specializing in litigation defense, used the ThreatLocker® Security Stack to find who had reached the malicious site, block its domains, and neutralize the threat enterprise-wide within minutes.

When a legitimate email becomes a threat

The email looked harmless. It came from a legitimate contact, someone Avi Solomon’s law firm worked with regularly. But the content was not legitimate: hidden inside was a link to a malicious site, the first hop in a BEC chain.

A narrow window to respond

“The email was from a legitimate source, but the content wasn’t,” Solomon explained. “It contained a link to a malicious website. When the link was clicked, it redirected to another malicious website that asked the user for their credentials.”

The scope was dangerous. Numerous employees received the email. One user clicked through to the credential-harvesting screen before reporting it. That quick alert gave Solomon a narrow window to act.

Rapid response with ThreatLocker® Security Stack

Time was critical. If even one more employee followed the link, the firm’s exposure could multiply. Solomon immediately turned to the ThreatLocker Security Stack, starting with Unified Audit.

Using Unified Audit for instant visibility

“I used Unified Audit to quickly see if anyone tried clicking a link to the address that was in the email,” Solomon said. “I could see the one user who had gone to the address, and I could also see that nobody else had tried to click the link yet. That meant they either ignored the email or hadn’t had a chance to click it.”

Within moments, he built a response.

Blocking malicious domains with Network Control

“I immediately created and deployed a Network Control policy at the org level to block anyone attempting to go to either of the bad domains. Within moments, those addresses were no longer valid on any computer in my enterprise, whether local or remote.”

Visibility, control, and confirmation

Blocking the threat wasn’t enough. Solomon also needed confirmation that the danger was truly contained. Again, Unified Audit gave him instant assurance.

“I looked at Unified Audit to verify nobody else had gone to those websites and was secure in knowing that the email was, for all practical purposes, neutralized. Additionally, I could see if anyone even attempted to go to those sites and was blocked.”

To close the loop, he checked the email gateway logs to confirm exactly how many people had received the message. That step was for his own awareness, but the real containment was already done: the bad links were dead across the entire enterprise.
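The three steps above (find who reached either domain, block both domains everywhere, then confirm later attempts are stopped) are the same triage a responder would run against any outbound-connection audit log. The script below is an added example written for this article, not ThreatLocker code and not the format of Unified Audit or Network Control: the log lines, usernames, hosts, domains and the `key=value` layout are all constructed for illustration. It shows the two points that matter in this case: both the initial link domain and the redirect domain have to be in the block list, and the match has to cover subdomains so a CDN or lookalike host on the same domain is caught too.

```python
"""Triage of a phishing link chain against constructed audit log lines.

Hypothetical example: the log format, users, hosts and domains are invented
for this illustration; this is not ThreatLocker's Unified Audit format or API.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log. Each line is one outbound connection decision:
# action=allowed before the block policy existed, action=blocked afterwards.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z user=jdoe host=LAPTOP-17 action=allowed dest=https://files-share.example/invoice
2025-03-04T09:12:03Z user=jdoe host=LAPTOP-17 action=allowed dest=https://login-portal.example/auth?ref=1
2025-03-04T09:15:44Z user=asmith host=DESK-03 action=allowed dest=https://intranet.corp.example/home
2025-03-04T09:40:10Z user=rlee host=LAPTOP-22 action=blocked dest=https://files-share.example/invoice
2025-03-04T09:41:02Z user=mkhan host=VPN-08 action=blocked dest=https://cdn.files-share.example/x
"""

# Both domains from the email chain (invented names): the link in the message
# and the site it redirected to. Blocking only the first one would still let a
# user who already has that page open land on the credential prompt.
BAD_DOMAINS = ("files-share.example", "login-portal.example")


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    host: str
    action: str
    dest: str


def parse_log(text: str) -> list[Event]:
    """Parse key=value audit lines; skip blank lines, ignore unknown keys."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs if "=" in p)
        events.append(Event(ts, kv["user"], kv["host"], kv["action"], kv["dest"]))
    return events


def matches(hostname: str, blocked: str) -> bool:
    """Exact or subdomain match, anchored at a label boundary, so
    cdn.files-share.example is caught but files-share.example.evil.test is not."""
    hostname = hostname.lower().rstrip(".")
    return hostname == blocked or hostname.endswith("." + blocked)


def bad_domain_for(url: str, bad_domains=BAD_DOMAINS) -> str | None:
    host = urlsplit(url).hostname or ""
    return next((b for b in bad_domains if matches(host, b)), None)


def who_reached(events: list[Event], bad_domains=BAD_DOMAINS) -> dict[str, list[str]]:
    """Users whose connections to a bad domain were ALLOWED: the exposure set.
    Order is kept so the link -> redirect chain is visible per user."""
    reached: dict[str, list[str]] = {}
    for e in events:
        d = bad_domain_for(e.dest, bad_domains)
        if d and e.action == "allowed":
            reached.setdefault(e.user, []).append(d)
    return reached


def blocked_attempts(events: list[Event], bad_domains=BAD_DOMAINS) -> list[tuple[str, str, str]]:
    """Attempts stopped after the policy took effect: the confirmation step."""
    return [(e.user, e.host, e.dest) for e in events
            if e.action == "blocked" and bad_domain_for(e.dest, bad_domains)]


def policy_decision(url: str, bad_domains=BAD_DOMAINS) -> str:
    """What an org-wide block policy should answer for a destination."""
    return "blocked" if bad_domain_for(url, bad_domains) else "allowed"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("reached before block:", who_reached(evs))
    print("stopped after block:", blocked_attempts(evs))
    for u in ("https://login-portal.example/auth",
              "https://cdn.files-share.example/x",
              "https://files-share.example.evil.test/",
              "https://intranet.corp.example/"):
        print(u, "->", policy_decision(u))
```

Run as-is, it reports one exposed user (who hit both the link and the redirect), two attempts stopped after the policy (including one to a subdomain of the link host), and shows that an unrelated host sharing only a prefix with a bad domain is left alone. Against a real audit export you would swap `SAMPLE_LOG` for the export and the parser for the export's actual field layout.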

More than luck: Layered Zero Trust security

While one employee did reach the credential prompt, other layers of security prevented further compromise. Still, Solomon knows it only takes one failed block to cause a breach.

“Within moments of knowing about the malicious email, I was able to shut down the risk, enterprise-wide, regardless of whether the person was on network or working remotely. I was able to understand the level of risk quickly and confirm the risk was mitigated.”

This outcome illustrates the power of the ThreatLocker Security Stack:

  • Unified Audit for real-time visibility of attempted connections.
  • Network Control to block malicious domains instantly, everywhere.
  • Application Allowlisting and Ringfencing™ to stop malicious executables and contain trusted apps.
  • Additional layers like Storage Control, Elevation Control, Detect, and Cloud Detect to keep tightening the attack surface.

The takeaway: Confidence in containment

Business email compromise continues to rise, and attackers count on speed, hoping a few clicks will be enough to slip past defenses. In this case, ThreatLocker gave Solomon the speed advantage. He had the visibility to know who clicked, the control to block the domains instantly, and the assurance that the threat was contained across the entire organization.

That combination turned a potential incident into a brief and controlled situation.

See how the ThreatLocker Security Stack can give your organization the same speed, visibility, and control. Request a demo today.
