Skip to content
feed: live
>_ 0dayNews
threat intel

LastPass, Bitwarden users hit by lookalike-domain phishing

LastPass and Bitwarden users are getting phishing from lookalike "compliance" domains pushing a DocuSign-styled downloader. Delete the email; don't click.

LastPass, Bitwarden users hit by lookalike-domain phishing
Image: 0dayNews / 0dayNews Editorial · All rights reserved
fuse Marisol "Fuse" Delgado · Published · 3 min read

LastPass confirmed on July 13 that an active phishing wave is hitting its customers with emails dressed up as new “security policy” and “compliance” notices — sent from hello@lastpassnewsletter.com, pointing at a lookalike lastpasscompliance[.]com, and finishing on a DocuSign-styled page that pushes a downloader claiming to support both Windows and macOS. BleepingComputer independently found the same operation running against Bitwarden customers out of hello@bitwardennewsletter.com and bitwardencompliance[.]com. Both sender domains were flagged by Microsoft Defender for Office 365 and Cloudflare, and the lookalike sites were taken offline before this piece went up — but the sender template and infrastructure pattern are what matter. Expect it back with fresh domains this week.

The lure is designed to move the target off the vendor’s real site. The emails talk about “enhanced SaaS monitoring,” “master password reset options for administrators,” and “admin console improvements” — the exact three phrases an admin who half-remembers this year’s Entra ID changes would skim past without a second thought. The DocuSign landing page is the credibility layer: people are conditioned to click through DocuSign envelopes without questioning them, and once past that, downloading a file feels like signing paperwork. What the download actually delivers hasn’t been publicly named in the vendor advisories yet — LastPass’s guidance (“change your master password from a trusted device”) is treating it as credential-theft-adjacent, which is the right posture even if the payload turns out to be a broader stealer.

Two things worth being blunt about. First: LastPass and Bitwarden did the right thing by publishing early, but “no impact to LastPass systems” is not the same as “no impact to your vault.” If a target typed a master password into a lookalike page, the vault contents are exposed until that password rotates from a device the attacker doesn’t control. Second: password managers are a high-value spear target precisely because one master credential collapses the rest of the person’s account inventory. That is the whole point of aiming here.

What to actually do:

  1. If anyone on your side clicked through on either template in the last 72 hours: rotate their LastPass or Bitwarden master password from a known-clean device (not the one that ran the downloader), then rotate the highest-blast-radius credentials stored in that vault — email, SSO/IdP, financial, cloud console root and admin. Assume the vault contents were read, not just the master password.
  2. If you can’t confirm click-through: pull outbound proxy or DNS logs for lastpasscompliance[.]com, bitwardencompliance[.]com, lastpassnewsletter.com, and bitwardennewsletter.com across the last week. Anything hitting them gets treated as a suspected credential entry until proven otherwise.
  3. Add both sender domains to your mail gateway block list, and flag any inbound mail claiming to be a LastPass or Bitwarden “security policy” or “compliance” update as high-suspicion. Neither vendor pushes admins to download binaries from a newsletter domain.
  4. Push passkey or hardware-key enrollment on the vault account itself where you haven’t already. LastPass and Microsoft’s Entra ID team are both moving passkey-default this year for a reason — a passkey-bound vault is the difference between “master password stolen” and “vault actually opened.”

The honest read: this is not a novel technique — lookalike domain plus DocuSign lure plus binary download is standard AiTM-era phishing playbook, of a piece with the Jalisco and OmegaLord kits BleepingComputer flagged the same day hitting Microsoft 365. The escalation is the target selection. Going after password-manager customers directly, using the vendor’s own branding, compresses a phishing chain into one step — you don’t need to pivot from a stolen Microsoft 365 session into a vault export if you can harvest the vault master straight from the user. Report suspicious mail to abuse@lastpass.com and to your own SOC intake; the sender pattern is what belongs in your detection rules, not any one domain that’ll be dead by Friday.

Related: our earlier coverage of Forg365 and the M365 device-code phishing market, and Microsoft’s year-long ShinyHunters Salesforce OAuth map — same broader thread of stealer-to-identity as the fast path.

Found this useful? Share it.