LastPass and Bitwarden Users Targeted by Phishing Campaign


bitwarden lastpass phishing
Image credit: Bitwarden, Lastpass

The ongoing LastPass phishing campaign uses fake security policy notices to trick users into visiting fraudulent websites and downloading suspicious files. LastPass says the emails did not come from its systems and that attackers have not compromised its infrastructure through this campaign.

The warning follows a separate incident in which LastPass confirmed customer data exposure connected to the recent Klue supply chain attack.

Fake LastPass Policy Update Emails Target Users

The phishing emails imitate corporate communications and claim that LastPass has updated its service terms and security policies.

Attackers send the messages from addresses using the @lastpassnewsletter.com domain. The emails describe supposed platform changes, including enhanced SaaS monitoring, administrator master password reset options, and improvements to the LastPass admin console.

A button labeled “Review & Access Terms” directs recipients to a fraudulent website instead of an official LastPass page.

Phishing Website Impersonates DocuSign

The malicious landing page copies the appearance of DocuSign, a legitimate electronic document signing service.

Attackers use the domain lastpasscompliance[.]com to host the phishing page. Microsoft Defender for Office 365 and Cloudflare identified the domain as malicious, and the website has since gone offline.

The use of a DocuSign-themed page may make the request appear more credible because companies commonly use electronic signature platforms to distribute policy documents and updated agreements.

Fake Website Distributes a Suspicious File

The fraudulent website prompts visitors to download a file that supposedly works on Windows and macOS.

LastPass has not confirmed the file’s final purpose. It could attempt to steal credentials, install malware, collect browser data, or provide attackers with remote access to an affected device.

Users should not download, open, or run files received through these emails.

Bitwarden Users Face a Similar Phishing Campaign

Attackers are also targeting Bitwarden users with messages that follow almost the same structure, according to a report by BleepingComputer.

The Bitwarden-themed emails come from addresses using the @bitwardennewsletter.com domain. Links inside the messages redirect recipients to bitwardencompliance[.]com.

The matching email domains, compliance-themed websites, and fake policy notices suggest that the same campaign may be impersonating several password management providers.

LastPass Shares Security Guidance

LastPass says it will never ask users to provide their master password through an email, website form, or support request.

Users should confirm account notices through the official LastPass website or application instead of clicking links in unexpected emails. Suspicious messages and websites can also be reported to [email protected].

Warning signs in this campaign include unfamiliar sender domains, urgent policy review requests, unexpected downloads, and links that do not lead to an official LastPass domain.

What Affected LastPass Users Should Do

Anyone who entered credentials on one of the phishing websites should immediately change their LastPass master password from a trusted device.

Affected users should also review their LastPass vault for unauthorized changes and check account activity for unfamiliar devices or login attempts. They should remove unknown trusted devices or active sessions, change passwords for sensitive accounts stored in the vault, replace any reused passwords, and scan their device if they downloaded or opened the suspicious file.

Users should also enable multifactor authentication where available and avoid approving unexpected login or authentication requests.

In other security news, BoryptGrab malware is spreading through 292 fake GitHub repositories, while the Jalisco and OmegaLord phishing kits are targeting Microsoft 365 accounts with MFA bypass techniques.

More about the topics: password manager, Phishing

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages