Phishing Campaign Targets LastPass and Bitwarden Users with Fake Security Alerts
A sophisticated phishing campaign is currently targeting users of popular password managers, **LastPass** and **Bitwarden**. Threat actors are leveraging fake security notices and impersonated **DocuSign** landing pages to trick users into downloading malicious files or divulging credentials, prompting urgent warnings from the affected services.
Password manager users are once again in the crosshairs of a cunning phishing operation. Both **LastPass** and **Bitwarden** have issued alerts regarding a campaign that uses fraudulent security communications to lure users to malicious websites.
### Deceptive Emails Mimic Official Communications
The phishing emails are expertly crafted to mimic legitimate corporate notifications. For **LastPass** users, emails originating from '[email protected]' inform recipients of alleged service policy changes, including enhanced SaaS monitoring and master password reset options for administrators.

Clicking the 'Review & Access Terms' button in these emails redirects users to a landing page designed to impersonate **DocuSign**, a widely used electronic document signature service.
### Malicious Domains and Download Prompts
The domains used in this campaign, such as lastpasscompliance[.]com and bitwardencompliance[.]com, are designed to appear legitimate but have been flagged as malicious by security services like **Microsoft Defender for Office 365** and **Cloudflare**.

While **LastPass** could not definitively confirm the ultimate goal of the campaign, the fake sites prompt users to download a file, falsely claiming support for both **Windows** and **macOS**. The sites also offered live chat support, though its functionality remains unconfirmed. Both malicious websites have since been taken offline.
**Bitwarden** users have been targeted with similar emails from '[email protected]', leading to bitwardencompliance[.]com.

### A Recurring Threat
This isn't the first time **LastPass** users have faced such threats. In March, the company warned about fake unauthorized account access alerts that used fabricated communication threads to create urgency. Earlier in January, users were targeted with fake alerts demanding they back up their vaults within 24 hours due to supposed system maintenance.
**LastPass** reiterates that its systems have not been compromised and that the phishing emails did not originate from its infrastructure.
### Recommendations for Users
**LastPass** emphasizes that it will never ask users for their master password. Users are strongly advised to report any suspicious communications to [email protected].
For those who may have entered credentials on these phishing sites, immediate action is crucial: change your master password from a trusted device and thoroughly review your password vault for any suspicious activity.