
LastPass is warning customers about an active phishing campaign that uses lookalike domains and fake security notifications to trick users into revealing their master passwords or downloading malicious software.
The company says the activity has no impact on LastPass's own systems and is limited to an external phishing operation.
The campaign uses phishing emails impersonating the password manager's security communications. The emails are designed to create a sense of urgency by claiming users must review updated security policies.
According to the bulletin, the attackers registered two domains that closely resemble legitimate LastPass infrastructure: lastpassnewsletter[.]com and lastpasscompliance[.]com. Neither domain is affiliated with the company.
The phishing emails originate from hello@lastpassnewsletter[.]com and use the subject line:
Action Required: Review Updated LastPass Security Policies

LastPass
The messages are crafted to resemble official LastPass security notices and instruct recipients to review revised security policies by clicking an embedded link.
The link leads to lastpasscompliance[.]com, which presents itself as a DocuSign-branded page. Visitors are prompted to download software, although LastPass says it is still investigating the nature of the downloaded file and will provide additional details once its analysis is complete.

LastPass
The phishing infrastructure has already been independently identified as malicious by multiple security vendors, and LastPass said it is working with industry partners to remove the malicious domains as quickly as possible.
LastPass emphasized that it will never ask users for their master password. Customers who receive the phishing email should avoid clicking any links or downloading files. Those who entered their master password on the fraudulent website should immediately change it from a trusted device by signing in directly through LastPass.com, then review their vault for any unexpected activity.
The company also encourages users to forward suspicious emails claiming to originate from LastPass to abuse@lastpass.com to assist with ongoing investigations.
LastPass constantly under fire
LastPass is a widely used password management platform that allows individuals and enterprises to securely store credentials in encrypted vaults, synchronize passwords across devices, and integrate with identity and authentication services. Because access to a single LastPass vault can provide attackers with credentials for numerous online accounts, the service remains a high-value target for phishing campaigns.
The latest campaign continues a pattern of phishing attacks targeting LastPass users throughout 2026. In March, LastPass warned of a campaign using fake internal email threads with subjects such as “Re: pending approval” and “Re: Access request pending” to convince recipients that suspicious activity had occurred on their accounts. Those emails ultimately redirected victims to a fake single sign-on page hosted at verify-lastpass[.]com and abused display name spoofing to make malicious messages appear legitimate.
Earlier, in January, the company disclosed another campaign that urged users to “create a backup” of their password vaults before a fabricated maintenance window. Those phishing emails used subject lines such as “Important: LastPass Maintenance & Your Vault Security” and redirected victims via intermediary infrastructure to the fraudulent mail-lastpass[.]com website, which attempted to harvest master passwords and other sensitive information.
LastPass users should be cautious of unsolicited emails claiming to require immediate security action. Rather than following links embedded in email messages, users should access their accounts directly through the official LastPass website or browser extension, and check for any alerts there.






Leave a Reply