Users of LastPass and Bitwarden are being targeted in a new phishing campaign that uses fake security policy notifications to trick victims into visiting fraudulent websites and downloading potentially malicious files.

LastPass confirmed the emails are fake and stressed that its systems have not been compromised.

The phishing emails are designed to look like official company communications and claim that important security policies have been updated. Recipients are urged to click a “Review & Access Terms” button, which redirects them to a fake website impersonating DocuSign instead of a legitimate LastPass or Bitwarden page.

According to LastPass, the fraudulent emails are being sent from domains such as [email protected], while similar messages targeting Bitwarden users originate from [email protected]. The phishing sites use lookalike domains, including lastpasscompliance[.]com and bitwardencompliance[.]com, to appear trustworthy. The fake pages prompt users to download files advertised as compatible with Windows and macOS, though their exact purpose has not been confirmed.

LastPass emphasized that it never asks users to provide their master password through email or external websites. The company advises anyone who entered credentials on one of the phishing pages to immediately change their master password from a trusted device, review their password vault for suspicious activity, and report suspicious emails to its abuse team.

The campaign follows several similar phishing attacks that have recently impersonated password managers to steal login credentials or distribute malware. Security experts recommend verifying sender addresses, avoiding links in unsolicited emails, and accessing password managers only through their official websites or installed applications.

READ
Australian Cyber Agency Warns of Global Attacks Targeting WordPress, Joomla, Craft CMS, and Other Websites


Buy ExpressVPN with PayPal or Credit Card
Advertisement