2 min read

Fake LastPass alerts now target Bitwarden too

A phishing campaign is impersonating LastPass and Bitwarden with fake policy updates that lead to fraudulent DocuSign-style pages.

Image: BleepingComputer

LastPass is warning users about an ongoing phishing campaign that sends fake security notices and pushes recipients to fraudulent websites. According to the company, the emails mimic legitimate corporate messages about updated security policies, then direct users to a landing page posing as DocuSign to review a document.

LastPass said its own systems were not compromised, and the phishing emails did not come from its infrastructure, even though the attackers used domains made to look like legitimate company services.

The emails, sent from hello@lastpassnewsletter.com, claim LastPass has introduced service policy changes, including:

  • enhanced SaaS monitoring
  • master password reset options for administrators
  • admin console improvements

Clicking the “Review & Access Terms” button sends users to a fake DocuSign page hosted on lastpasscompliance[.]com. BleepingComputer reports that Microsoft Defender for Office 365 and Cloudflare have flagged the domain as malicious.

Recommended reading

Microsoft makes Entra passkeys the default in September

Fake DocuSign website
Fake DocuSign website

LastPass said it could not confirm the campaign’s end goal, but the spoofed site prompted users to download a file presented as compatible with Windows and macOS. The page also offered live support through a chat box, though it was unclear whether that feature actually worked. At the time of writing, the malicious site had been taken offline.

BleepingComputer also found that Bitwarden users were being targeted with similar messages from hello@bitwardennewsletter.com, which redirected victims to bitwardencompliance[.]com.

This is the latest in a string of phishing campaigns using the LastPass brand. In March, the company warned about fake unauthorized account access alerts built to create urgency through fabricated communication threads. In January, attackers sent fake notices claiming users had 24 hours to back up their vaults because of supposed system maintenance.

LastPass said it will never ask for a master password and told users to report suspicious messages to abuse@lastpass.com. Anyone who entered credentials on a phishing site should change their master password immediately from a trusted device and check their vault for suspicious activity.

article image
article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading