ProBackend
access management iam security
1 hour ago4 min read

Security & Compliance Analysts: LastPass Warns of Phishing Campaign Using Fake Security Notices

LastPass is warning users about an ongoing phishing campaign that is using fake security notices to direct them to fraudulent websites. The phishing emails are crafted to resemble legitimate corporate communications, impersonating both LastPass and Bitwarden with fake DocuSign pages.

Security & Compliance Analysts: LastPass Warns of Phishing Campaign Using Fake Security Notices

If you just got an email from "[email protected]" saying your "admin console has been updated," don’t click anything. Not yet. LastPass isn’t broken—your muscle memory is.

This isn’t some botched Nigerian prince scam. It’s a surgical strike on the quietest, most predictable behavior in enterprise security: the reflex to click "Review & Access Terms" when you see a DocuSign-style document. The attackers didn’t break anything. They just waited for you to do what you’ve done a hundred times before.

The email looks real. It mentions SaaS monitoring upgrades, master password reset policies, even "admin console improvements." It’s got the tone right—the slightly corporate, slightly urgent voice of an internal system update. And then there’s the button. "Review & Access Terms." Click it, and you land on lastpasscompliance[.]com—a domain already flagged by Microsoft Defender and Cloudflare as malicious. Same thing’s happening to Bitwarden users, just with bitwardencompliance[.]com.

Here’s the kicker: LastPass and Bitwarden didn’t send this. Their systems are clean. The phishers are just copying the look, the language, the rhythm of their comms. And they’re banking on one thing: you’ve been trained to trust the DocuSign pattern.

Real DocuSign emails don’t ask you to download a file. They don’t offer live chat support on a page that’s already been taken down. They open in-browser or as a PDF. This? This is a trap dressed in a suit.

Why This Works: It’s Not About the Tech, It’s About the Habit

I’ve watched security teams spend millions on MFA, EDR, and SIEM rules. And yet, the biggest vulnerability is still the same: a user who’s been conditioned to respond to a visual cue.

This campaign doesn’t rely on zero-days or supply chain exploits. It relies on repetition. You see a document icon. You see a logo that looks right. You see a button that says "Review." You click. It’s not negligence—it’s automation.

The attackers didn’t need to bypass anything. They just needed to wait.

Here’s what you’re seeing:

  • The sender address looks official: [email protected]
  • The subject line implies urgency: "Security policy update required"
  • The CTA button mimics DocuSign’s UI
  • The destination site is a perfect clone—right down to the font and layout
  • The chat support? Probably dead. But you won’t know until you’ve already entered your master password

And here’s what you’re missing:

  • LastPass will never ask you to enter your master password on a webpage
  • Legitimate alerts come through the app, not email
  • If a document asks you to download an executable, it’s not DocuSign—it’s malware

The Pattern: Fake Alerts Are Now the Default

This isn’t new. In March, LastPass warned about fake "unauthorized access" alerts. In January, it was "vault backup required within 24 hours." Each time, the same playbook: mimic the brand, inject urgency, and hijack the user’s expectation of how security comms should look.

What’s changed is the polish. The emails now feel like they came from your own IT department. That’s the real danger. When alerts start feeling routine, you stop questioning them. And that’s exactly what the attackers want.

What IAM & Access Teams Should Do Now

I’ve seen too many IAM teams treat phishing as an HR problem. It’s not. It’s a control design failure.

Here’s what I tell every IAM project lead:

  • Test your training. If you’re not simulating this exact attack—fake DocuSign via password manager impersonation—you’re not training. You’re just checking a box. Use GoPhish or Mimecast to send this exact email to your team. See who clicks. Then have a real conversation.
  • Audit your SaaS permissions. If users can share documents without MFA, you’ve already given attackers a backdoor. Fix that before you fix the email.
  • Update your security nudges. Add this to your quarterly security bulletin: "If a password manager sends you a document to review, it’s a lie. Always check the URL. Always.
  • Enforce credential re-entry rules. No automated alert should ever ask you to re-enter your master password. Ever. If it does, it’s malware. Teach your team to say "no"—and make sure your systems enforce it.

And here’s the one thing nobody says out loud: if your team is still clicking these links, it’s not because they’re careless. It’s because your systems trained them to.

Stop blaming the user. Fix the signal.

Stay sharp. And keep your master password where only you can reach it.

More blogs