A significant data breach involving DocketWise, a prominent immigration case management platform, has resulted in the exposure of sensitive personal and financial information belonging to approximately 143,000 individuals. The incident was traced back to unauthorized access within third-party partner repositories, underscoring the fragility of the digital supply chain.
For defenders, this is not merely a headline; it is a critical indicator of risk. The compromised data includes Social Security numbers (SSN), financial details, and medical data. This specific combination creates a high-value target for identity theft and synthetic fraud. If your organization utilizes DocketWise or integrates with similar legal-tech SaaS providers, you must assume exposure and initiate immediate incident response (IR) protocols, specifically focusing on data leakage and third-party privilege escalation.
Technical Analysis
While the specific CVE has not been disclosed—and this incident appears to be a configuration or credential-based compromise rather than a software vulnerability—the attack vector provides critical insight for defensive posture.
- Attack Vector: Third-Party Supply Chain / Unauthorized Repository Access. The attackers did not necessarily breach DocketWise’s core application firewall directly but accessed data stored in partner-connected repositories. This suggests excessive trust permissions or weak authentication controls on integrated endpoints.
- Data at Risk:
- PII: Full names, physical addresses, SSNs.
- Financial: Banking details or transaction histories.
- PHI: Medical data (triggering HIPAA implications for covered entities).
- Exploitation Status: Confirmed active exploitation resulting in data exfiltration. This is not a theoretical Proof of Concept (PoC); the breach has occurred, and the data is likely in circulation.
From a defender's perspective, the "risk" here is twofold:
- Direct Impact: If you are a DocketWise client, your data is likely part of the 143,000 records.
- Supply Chain Risk: If you are a law firm or entity sharing data with partners using DocketWise, your perimeter has effectively been bypassed via a trusted relationship.
The attack chain likely involved:
- Initial Access: Compromise of third-party credentials or exploitation of a misconfigured API/storage bucket associated with the partner.
- Discovery: Enumeration of accessible repositories within the shared ecosystem.
- Collection: Aggregation of PII/PHI from structured databases or document stores.
- Exfiltration: Bulk transfer of data to an attacker-controlled server.
Detection & Response
Given the nature of this breach (data exfiltration via third-party access), defenders must hunt for signs of Data Staging and Unusual Web Access patterns. Since the attacker accessed third-party repositories, we look for tools commonly used to scrape or bulk-download data, as well as anomalous authentication attempts to the DocketWise platform or associated SSO identities.
SIGMA Rules
The following rules detect potential data staging activity (compression/archiving of large data sets) and the use of command-line tools often associated with web scraping or unauthorized API interaction.
---
title: Potential Data Staging via Mass Archiving
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects mass creation of archive files (zip, rar, 7z) often used during data staging prior to exfiltration. High frequency suggests automated scraping.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2025/04/08
tags:
- attack.collection
- attack.t1560.001
logsource:
category: file_creation
product: windows
detection:
selection:
TargetFilename|contains:
- '.zip'
- '.rar'
- '.7z'
filter_generic:
TargetFilename|contains:
- '\\AppData\\Local\\Temp\'
- '\\AppData\\Local\\Microsoft\\Windows\\INetCache\'
timeframe: 5m
condition: selection and not filter_generic | count() > 5
falsepositives:
- Legitimate user backups or software installations
level: high
---
title: Suspicious PowerShell Web Request Activity
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects PowerShell usage of Invoke-WebRequest or Invoke-RestMethod, which may be used to interact with APIs to scrape data like DocketWise records.
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2025/04/08
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\\powershell.exe'
- '\\pwsh.exe'
CommandLine|contains:
- 'Invoke-WebRequest'
- 'Invoke-RestMethod'
- 'wget'
- 'curl'
condition: selection
falsepositives:
- System management scripts
level: medium
Microsoft Sentinel / Defender KQL
This KQL query hunts for anomalous sign-in activities to DocketWise (assuming SSO via Entra ID/Azure AD) or high-volume data transfer which could indicate exfiltration from the partner repository.
// Hunt for anomalous sign-ins to DocketWise or high-risk SaaS apps
// Adjust AppId to match your DocketWise Enterprise Application ID in Entra ID
SigninLogs
| where AppId in (\"<DocketWise-App-ID>\", \"<Partner-App-ID>\")
| summarize Count = count(), Locations = makeset(Location), IPs = makeset(IPAddress) by UserPrincipalName, ResultType
| where ResultType == 0 // Success
| where Count > 50 // Threshold for high volume access
| extend RiskScore = iff(array_length(IPs) > 3, \"High\", \"Medium\")
| project UserPrincipalName, Count, Locations, IPs, RiskScore, Timestamp = now()
// Hunt for potential data exfiltration via unusual upload volumes (Proxy/ Firewall logs)
// Replace 'DocketWiseDomain' with actual domains used by the partner
DeviceNetworkEvents
| where RemoteUrl contains \"docketwise\" or RemoteUrl contains \"partner-repository-domain\"
| where ActionType == \"ConnectionInitiated\" and InitiatingProcessFileSize > 0
| summarize SentBytes = sum(SentBytes), ReceivedBytes = sum(ReceivedBytes) by DeviceName, InitiatingProcessAccountName, RemoteUrl
| where SentBytes > 5000000 // 5MB threshold
Velociraptor VQL
This artifact hunts for file system indicators of data staging, specifically looking for recently created compressed archives in user directories or temp folders.
-- Hunt for recently created archive files that may indicate staging
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs=\"*/**/*.zip\", root=\"/\")
WHERE Mtime > now() - 24h
AND (FullPath =~ \"C:\\\Users\\\" OR FullPath =~ \"/tmp/\")
-- Exclude known software paths to reduce noise
AND NOT FullPath =~ \"Program Files\"
AND NOT FullPath =~ \"AppData\\\Local\\\Microsoft\"
Remediation Script (PowerShell)
Since this is a cloud-breach facilitated via third-party access, local patching is not applicable. The following PowerShell script assists IR teams in auditing local workstations for signs that a user's credentials may have been scraped (e.g., looking for recent cookie/database dumps) or that data was staged locally before upload.
# Audit Script: Check for recent data staging artifacts and potential token theft
# Run as Administrator
Write-Host \"[+] Initiating DocketWise Breach Local Audit...\" -ForegroundColor Cyan
# 1. Check for recently created ZIP files in User Profiles (Data Staging)
Write-Host \"[*] Checking for recently created archives in user profiles...\" -ForegroundColor Yellow
$zipFiles = Get-ChildItem -Path \"C:\\Users\\" -Recurse -Include *.zip, *.rar, *.7z -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
if ($zipFiles) {
Write-Host \"[!] ALERT: Found recent archives:\" -ForegroundColor Red
$zipFiles | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
} else {
Write-Host \"[-] No recent archives found.\" -ForegroundColor Green
}
# 2. Check for suspicious process executions (Web Scraping tools)
Write-Host \"[*] Checking for suspicious process executions in last 24h...\" -ForegroundColor Yellow
$suspiciousProcs = @(\"curl.exe\", \"wget.exe\", \"rclone.exe\")
$events = Get-WinEvent -LogName Security -FilterXPath \"*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']]]\" -ErrorAction SilentlyContinue |
Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) }
foreach ($proc in $suspiciousProcs) {
$hits = $events | Where-Object { $_.Message -like \"*$proc*\" }
if ($hits) {
Write-Host \"[!] ALERT: Found execution of $proc\" -ForegroundColor Red
$hits | Select-Object TimeCreated, Message | Format-List
}
}
Write-Host \"[+] Audit Complete.\" -ForegroundColor Cyan
Remediation
Immediate containment and eradication are required. Since the breach occurred at the vendor/third-party level, remediation focuses on identity protection and vendor risk management.
- Forced Credential Reset: All users with DocketWise accounts must force a password reset immediately. Assume that credentials cached in the partner repositories were exposed.
- Enable MFA (Multi-Factor Authentication): Strictly enforce MFA for all DocketWise access. If the platform supports hardware keys (FIDO2), prioritize this implementation over SMS/TOTP.
- Vendor Audit & Isolation: Request a detailed incident report from DocketWise. If your firm uses direct API integrations with DocketWise, rotate those API keys immediately. Revoke third-party access rights that are not strictly necessary (Least Privilege).
- Credit Monitoring & Notifications: Given the exposure of SSNs and medical data, notify the 143,000 affected individuals in compliance with state laws and HIPAA (if applicable). Offer 24 months of credit monitoring and identity theft protection services.
- Data Sanitization: Review what data was uploaded to DocketWise. If sensitive files are no longer needed, securely delete them from the platform to reduce blast radius for future attacks.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.