LastPass Phishing Campaign Targets Users With Fake Support Emails

By alex2404

LastPass is warning users of an active phishing campaign that impersonates its customer support team to steal master passwords and vault credentials.

The attack uses spoofed emails designed to look like forwarded internal conversations between a LastPass support agent and an attacker requesting a primary email address change on the target’s account. The fake thread is then forwarded to the victim, creating a false sense of an ongoing security incident that requires immediate action.

How the Attack Works

Embedded links inside the emails carry labels such as “report suspicious activity,” “disconnect and lock vault,” and “revoke device.” Clicking any of them redirects users to a counterfeit LastPass login page hosted on the domain verify-lastpass[.]com, where credentials are captured. The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team confirmed the attacker also uses slightly modified URLs that redirect to the same page.

The campaign uses many different sender addresses and subject lines, which complicates tracing and makes simple blocklisting ineffective. Most sending addresses have no connection to the LastPass brand; they originate from compromised websites or abandoned domains, but all carry the display name “LastPass Support” so that a mail client shows a familiar name rather than the unrelated address behind it.
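As an added illustration, not code from the original article or from LastPass, the script below applies the two checks a mail filter or analyst would run against a message of this kind: does the From display name invoke the LastPass brand while the actual sender domain is not lastpass.com, and does any link in the body point at a hostname that contains the brand string without being lastpass.com or a subdomain of it. The sample message is constructed for this example; the link hostname is the one reported above, written undefanged so it parses, and the set of legitimate domains is an assumption.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape the article describes (not a captured message):
# brand display name, unrelated sender domain, "action" links to a lookalike host.
SAMPLE_EMAIL = """\
From: LastPass Support <news@example-compromised-site.invalid>
To: victim@example.com
Subject: Fwd: Primary email change request on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>---------- Forwarded message ----------</p>
<p>We received a request to change the primary email on your vault.</p>
<a href="https://verify-lastpass.com/login">Report suspicious activity</a>
<a href="https://verify-lastpass.com/login?lock=1">Disconnect and lock vault</a>
<a href="https://lastpass.com/help">Help Center</a>
</body></html>
"""

# Assumption for this example: the only domain on which LastPass hosts logins.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def is_legit_host(host):
    """True only for a legitimate domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike_host(host):
    """Hostname that contains the brand string but is not under a legitimate domain.
    Catches verify-lastpass.com, lastpass-verify.com, lastpass.com.evil.example, etc."""
    return BRAND in host.lower() and not is_legit_host(host)


def analyze(raw):
    """Return findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    findings = {
        "sender_domain": sender_domain,
        # Brand in the display name but the mail did not come from the brand's domain.
        "display_name_spoof": BRAND in display.lower() and not is_legit_host(sender_domain),
        "lookalike_links": [],
    }

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    parser = LinkExtractor()
    parser.feed(text)
    for href in parser.hrefs:
        host = urlparse(href).hostname or ""   # None for mailto:/relative links
        if is_lookalike_host(host):
            findings["lookalike_links"].append(href)

    findings["suspicious"] = findings["display_name_spoof"] or bool(findings["lookalike_links"])
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

The display-name check is deliberately crude: it flags any message that names the brand in the From header without coming from the brand's own domain, which is exactly the trick the campaign relies on. Tune LEGIT_DOMAINS to whatever the vendor actually sends from before deploying it as a filter rule.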

LastPass stated clearly that its infrastructure has not been compromised and that its systems remain unaffected. The company also reminded users that its support agents will never request a master password under any circumstances.

A Pattern of Repeated Targeting

This campaign is the latest in a string of phishing attempts against LastPass users stretching back through 2025 and into early 2026. In January, a separate campaign sent fake maintenance notifications urging users to back up their vaults within 24 hours, redirecting them to phishing pages. Before that, attackers ran two distinct operations: one exploiting fabricated user death claims, another falsely alleging a company breach and pushing a trojanized client app download.

The frequency reflects a straightforward calculation. A password manager holds credentials to virtually every account a user owns, making a single successful phishing attempt disproportionately valuable to an attacker.

What Users Should Do

LastPass is working with third-party partners to take down the fraudulent websites. In the meantime, the company has outlined several steps users can take to protect themselves:

  • Never enter a master password in response to an unsolicited email link
  • Verify login pages manually by navigating directly to lastpass.com, typed into the address bar or opened from a bookmark, never from a link in the message
  • Report any suspicious emails to abuse@lastpass.com
  • Never share a master password with anyone, including support agents

The spoofing technique at the core of this campaign requires no technical compromise on LastPass’s end. It exploits the fact that mail clients show the From display name far more prominently than the sending address, and pairs that with social engineering, which makes user awareness the most direct line of defense.


This article is a curated summary based on third-party sources.
