LastPass is issuing a critical alert regarding a phishing campaign that uses deceptive security notifications to mislead users into visiting fraudulent websites.
The phishing emails, crafted to resemble authentic corporate messages, redirect recipients to a fake landing page claiming to provide updates on security policies and necessary documents, fraudulently impersonating DocuSign.
LastPass reassures users that its systems remain secure and that these phishing emails did not originate from its infrastructure, despite attackers utilizing a domain that mimics a legitimate service.
Users may receive emails from “[email protected]” notifying them of potential service policy changes, including enhanced SaaS monitoring, admin password reset options, and improvements to the administrator console.

Source: BleepingComputer
Clicking the “Review and Access Terms” button in the email redirects users to a phony website impersonating the DocuSign service, which is widely utilized for electronic document management.
The malicious domain, lastpasscompliance.[.]com, has been flagged as harmful by both Microsoft Defender for Office 365 and Cloudflare.

Source: LastPass
While LastPass has not confirmed the specific intent behind this phishing campaign, users reported that the fake site prompted them to download a file claiming compatibility with both Windows and macOS.
The fraudulent site also offers supposed live support via a chat box, though its functionality is uncertain. As of now, this malicious website is offline.
In a related discovery, BleepingComputer found that Bitwarden users are also being targeted by similar phishing emails from “[email protected],” which direct users to bitwardencompliance.[.]Com.

Source: BleepingComputer
Earlier this year, LastPass alerted users about fake account access warnings posing as a password service, utilizing fabricated communication threads to create urgency and induce data breaches.
Additionally, in January, users were targeted with false alerts suggesting they needed to back up their vaults within 24 hours due to scheduled maintenance.
LastPass warns that it will never request users’ master passwords and encourages reporting any suspicious communications to [email protected].
If you have entered your credentials on a phishing site, change your master password immediately from a secure device, and check your vault for unusual activity.
Research shows that security teams only document 54% of successful attacks and issue warnings on just 14%. The remaining threats often go undetected in the environment.
Picus’ whitepaper explains how to test your SIEM and EDR rules through breach and attack simulations to ensure threats are not overlooked.
Source: www.bleepingcomputer.com




