LastPass is warning users about an ongoing phishing campaign that is using fake security notices to direct them to fraudulent websites.
The phishing emails are crafted to resemble legitimate corporate communications, notifying recipients of updated security policies and directing them to a landing page that impersonates DocuSign and claiming to provide a document for review.
LastPass emphasizes that its systems have not been compromised and that the phishing emails did not originate from its infrastructure, despite the attackers using domains designed to appear as legitimate company services.
The emails sent from ‘[email protected]’ notify the user of alleged service policy changes in LastPass, including enhanced SaaS monitoring, master password reset options for administrators, and admin console improvements.
Source: BleepingComputer
Clicking on the ‘Review & Access Terms’ button embedded in the email takes users to a website impersonating the DocuSign service widely used for sending, signing, and managing documents electronically.
However, the domain used is lastpasscompliance[.]com, which has been flagged as malicious by Microsoft Defender for Office 365 and Cloudflare.
Source: LastPass
Although LastPass could not confirm the goal of the campaign, the company says that the fake site prompts the user to download a file claiming to support both Windows and macOS.
The site offers live support through a chat box, but it is unclear if it is functional. At the time of writing, the malicious website has been taken offline.
BleepingComputer has found that Bitwarden users are targeted by similar emails sent from '[email protected]' and redirecting them to bitwardencompliance[.]com.
Source: BleepingComputer
In March, LastPass warned about fake unauthorized account access alerts impersonating the password service, targeting users with fabricated communication threads designed to increase urgency and lead to data exposure.
Earlier, in January, LastPass users were targeted by fake alerts claiming they needed to back up their vaults within 24 hours, allegedly due to upcoming system maintenance.
LastPass has cautioned users that it will never ask users for the master password and asked them to report any suspicious communications to [email protected].
Users who entered credentials on phishing sites are advised to change their master passwords immediately from a trusted device and review their vaults for suspicious activity.
Hope you enjoyed this news post. Feedback welcome.
Posted Wednesday 15 July 2026 at 7:46 am AEST (my time).
News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of June) 2,475
- jenyco2 and Matt
-
2
Recommended Comments
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.