Phishing campaign targets LastPass and Bitwarden users to install remote access tools
Summary
A phishing campaign is targeting LastPass and Bitwarden users with fake breach alerts. The emails are sent from lookalike domains such as lastpasspulse[.]blog, lastpassgazette[.]blog and bitwardenbroadcast[.]blog, with subject lines like 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security'. They claim that older .exe installations carry vulnerabilities and urge recipients to install a supposedly more secure MSI build of the desktop app, served from lastpassdesktop[.]com or lastpassgazette[.]blog. The download instead installs the Syncro RMM agent and ScreenConnect remote support software, giving the threat actors remote access to the endpoint to deploy further malware and steal data. The campaign began over the Columbus Day holiday weekend, when reduced staffing slows detection and response. LastPass has confirmed it has not been hacked and is actively working to mitigate the campaign. A further domain, lastpassdesktop[.]app, has been registered by the threat actor and could be used in future iterations.
Timeline
- 15.10.2025 22:22 · 2 articles
  Phishing campaign targets LastPass and Bitwarden users with fake breach alerts
  LastPass has confirmed it has not been hacked and is actively working to mitigate the phishing campaign. The phishing emails use the subject line 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security' and are sent from email addresses like hello@lastpasspulse[.]blog or hello@lastpassgazette[.]blog. The phishing site is hosted at lastpassdesktop[.]com or lastpassgazette[.]blog, and another domain, lastpassdesktop[.]app, has been registered by the threat actor for potential future use. The threat actor used NiceNIC to host the phishing site, and Cloudflare has posted warning pages advising visitors that these sites are phishing pages.
  Sources:
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
Information Snippets
- The phishing campaign targets LastPass and Bitwarden users, claiming a security breach and urging users to download a more secure desktop version.
  First reported: 15.10.2025 22:22 · 2 sources, 2 articles
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The emails direct users to download a binary that installs Syncro, an RMM tool, and ScreenConnect remote support software.
  First reported: 15.10.2025 22:22 · 2 sources, 2 articles
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The campaign began over the Columbus Day holiday weekend, exploiting reduced staffing.
  First reported: 15.10.2025 22:22 · 2 sources, 2 articles
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The phishing emails claim to address vulnerabilities in older .exe installations, urging users to update to a more secure MSI format.
  First reported: 15.10.2025 22:22 · 2 sources, 2 articles
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The threat actors use domains like 'lastpasspulse[.]blog' and 'bitwardenbroadcast[.]blog' to send these emails.
  First reported: 15.10.2025 22:22 · 2 sources, 2 articles
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The malware installs Syncro and ScreenConnect, allowing the threat actors to remotely access the compromised endpoints.
  First reported: 15.10.2025 22:22 · 1 source, 1 article
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
- The Syncro agent is configured to check in with the server every 90 seconds and disables security solutions like Emsisoft, Webroot, and Bitdefender.
  First reported: 15.10.2025 22:22 · 1 source, 1 article
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
- Once ScreenConnect is installed, the threat actors can remotely connect to a target's computer, deploy further malware, and steal data.
  First reported: 15.10.2025 22:22 · 1 source, 1 article
  - Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
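The payload described in the snippets above is two legitimate remote-access products, so on the endpoint the question is not "is this malware" but "is this agent ours". The following Python script is an added example, not code from either report or from Syncro or ConnectWise: it reads a constructed service-inventory CSV of the kind an EDR or a PowerShell `Get-CimInstance Win32_Service` export would produce, flags every Syncro service, and flags every ScreenConnect client whose relay host (read from the h= parameter that ScreenConnect client services carry on their command line) is not on a sanctioned list. The service names, install paths, relay hosts and the allowlist are assumptions for illustration.

```python
"""Hunt a service inventory for unsanctioned Syncro and ScreenConnect agents.

Added example, not code from the reports or from either vendor. The CSV below
is constructed; service names, install paths, relay hosts and the allowlist
are assumptions for illustration.
"""
import csv
import io
import re
from urllib.parse import parse_qs

# Assumption: the organisation sanctions one ScreenConnect relay and no Syncro.
SANCTIONED_RELAYS = {"relay.corp-it.example"}

# Substrings that identify each tool in a service name, display name or path.
TOOL_PATTERNS = {
    "syncro": re.compile(r"syncro|repairtech", re.I),
    "screenconnect": re.compile(r"screenconnect|connectwise control", re.I),
}

# ScreenConnect client services pass their connection parameters as a quoted
# "?e=...&h=<relay>&p=<port>..." argument after the binary path (assumption).
SC_ARGS_RE = re.compile(r'"\?([^"]*)"')


def relay_host(image_path: str):
    """Relay host (h=) from a ScreenConnect client's service command line, or None."""
    m = SC_ARGS_RE.search(image_path)
    if not m:
        return None
    return (parse_qs(m.group(1)).get("h") or [None])[0]


def hunt(csv_text: str):
    """Return (host, tool, detail) for every agent that is not sanctioned."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        blob = " ".join((row["service"], row["display"], row["image_path"]))
        for tool, pattern in TOOL_PATTERNS.items():
            if not pattern.search(blob):
                continue
            if tool == "screenconnect":
                relay = relay_host(row["image_path"])
                if relay in SANCTIONED_RELAYS:
                    continue  # our own support tool; leave it alone
                findings.append((row["host"], tool, relay or "no relay parsed"))
            else:
                findings.append((row["host"], tool, row["image_path"]))
    return findings


# Constructed export: host, service name, display name, service image path.
# Doubled quotes are CSV escaping for the quoted paths and arguments.
INVENTORY = r'''host,service,display,image_path
ws-01,Spooler,Print Spooler,C:\Windows\System32\spoolsv.exe
ws-01,ScreenConnect Client (0a1b2c3d4e5f6a7b),ScreenConnect Client (0a1b2c3d4e5f6a7b),"""C:\Program Files (x86)\ScreenConnect Client (0a1b2c3d4e5f6a7b)\ScreenConnect.ClientService.exe"" ""?e=Access&y=Guest&h=relay.corp-it.example&p=443&k=BgIAAA"""
ws-02,Syncro,Syncro,"""C:\Program Files\RepairTech\Syncro\Syncro.Service.exe"""
ws-02,ScreenConnect Client (f00dbabe12345678),ScreenConnect Client (f00dbabe12345678),"""C:\Program Files (x86)\ScreenConnect Client (f00dbabe12345678)\ScreenConnect.ClientService.exe"" ""?e=Access&y=Guest&h=instance-abc123-relay.screenconnect.example&p=443&k=BgIAAA"""
'''

if __name__ == "__main__":
    for host, tool, detail in hunt(INVENTORY):
        print(f"{host}: unsanctioned {tool} -> {detail}")
```

The relay check matters more than the product name: a ScreenConnect client pointing at a relay you do not operate is attacker infrastructure even when the same product is sanctioned elsewhere in the estate. Replace INVENTORY with a real export and extend SANCTIONED_RELAYS with the relays your help desk actually uses.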
- LastPass has confirmed it has not been hacked and is actively working to mitigate the phishing campaign.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The phishing emails use the subject line 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security'.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The phishing emails are sent from the email addresses hello@lastpasspulse[.]blog or hello@lastpassgazette[.]blog.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The phishing site is hosted at lastpassdesktop[.]com or lastpassgazette[.]blog.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- Another domain, lastpassdesktop[.]app, has been registered by the threat actor and could be used in future iterations of this campaign.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- The threat actor used NiceNIC to host the phishing site.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- Cloudflare has posted warning pages advising visitors that these sites are phishing pages.
  First reported: 16.10.2025 15:30 · 1 source, 1 article
  - LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
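The sender domains, subject line and download sites listed in the snippets above can be turned into a mail-gateway or SOC triage rule. The following Python script is an added example, not code from LastPass, Bitwarden or either article: it parses an e-mail, checks the sender and every linked host against the reported domains, flags any other registrable domain that embeds a brand name without being the vendor's own apex, scores the subject against phrases from the reported lure, and notes installer links on flagged hosts. The vendor allowlist, the lure phrases and both sample messages are constructed assumptions for illustration.

```python
"""Triage e-mails for the LastPass/Bitwarden 'fake breach alert' lure.

Added example, not code from either article. Indicator domains are the ones
quoted in the reports; everything else (allowlist, lure terms, samples) is
an assumption for illustration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse


def refang(s: str) -> str:
    """Turn the page's defanged 'example[.]blog' notation back into a real name."""
    return s.replace("[.]", ".")


# Domains reported in the campaign (sender domains and download sites).
IOC_DOMAINS = {refang(d) for d in (
    "lastpasspulse[.]blog", "lastpassgazette[.]blog", "bitwardenbroadcast[.]blog",
    "lastpassdesktop[.]com", "lastpassdesktop[.]app",
)}
# Assumption: the only registrable domains allowed to carry these brand names.
LEGIT_APEX = {"lastpass.com", "bitwarden.com"}
BRANDS = ("lastpass", "bitwarden")
# Phrases from the reported subject line; two or more together is a lure signal.
LURE_TERMS = ("we have been hacked", "update your", "desktop app", "vault")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
INSTALLER_RE = re.compile(r"\.(msi|exe)$", re.I)


def registrable(host: str) -> str:
    """Last two DNS labels. Naive (no public-suffix list), adequate for .com/.app/.blog."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """Brand name inside a registrable domain that is not the vendor's own."""
    apex = registrable(host)
    return apex not in LEGIT_APEX and any(b in apex for b in BRANDS)


def body_text(msg) -> str:
    """Concatenate every text/* part of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_host(host: str, where: str):
    """('<where>_ioc' | '<where>_lookalike', host) or None for a clean host."""
    if registrable(host) in IOC_DOMAINS:
        return (f"{where}_ioc", host)
    if is_lookalike(host):
        return (f"{where}_lookalike", host)
    return None


def triage(raw_email: str) -> dict:
    """Return {'verdict': block|review|allow, 'findings': [(kind, detail), ...]}."""
    msg = message_from_string(raw_email)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m:
        f = classify_host(m.group(1), "sender")
        if f:
            findings.append(f)
    subject = msg.get("Subject", "").lower()
    hits = [t for t in LURE_TERMS if t in subject]
    if len(hits) >= 2:
        findings.append(("subject_lure", "; ".join(hits)))
    for url in URL_RE.findall(body_text(msg)):
        parsed = urlparse(url)
        f = classify_host(parsed.hostname or "", "url")
        if f:
            findings.append(f)
            if INSTALLER_RE.search(parsed.path):
                findings.append(("installer_link", parsed.path.rsplit("/", 1)[-1]))
    if any(kind.endswith("_ioc") for kind, _ in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed samples (not real captures); the first mirrors the reported lure.
PHISH = refang("""From: LastPass <hello@lastpasspulse[.]blog>
To: user@example.com
Subject: We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security
Content-Type: text/plain; charset=utf-8

Older .exe installations are vulnerable. Install the secure MSI build now:
https://lastpassdesktop[.]com/LastPass-Desktop-Secure.msi
""")
LEGIT = """From: Example Vendor <noreply@lastpass.com>
To: user@example.com
Subject: Your monthly security report
Content-Type: text/plain; charset=utf-8

Sign in at https://lastpass.com/ to review this month's report.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(sample))
```

The exact-match set catches only the domains already reported; the lookalike rule is what carries the check over to lastpassdesktop[.]app or the next registration, since a brand name inside a registrable domain the vendor does not own is the invariant of this lure. Tune LEGIT_APEX to the vendor domains your users really receive mail from, and treat "review" as a human queue rather than an allow.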
Similar Happenings
Spear-Phishing Campaign Targets Social Media and Marketing Professionals with Fake Job Offers
A spear-phishing campaign targets social media and marketing professionals with fake job offers from Tesla, Red Bull, and Ferrari. The campaign, tracked since February 2025, uses spoofed emails and fake landing pages to steal personal information. The attackers request resumes and login credentials, aiming to harvest personal data for future attacks. The phishing emails mimic legitimate recruitment practices, using brand logos and tailored URLs to appear credible. The campaign includes multi-step processes to create an illusion of legitimacy, including CAPTCHA pages and fake Glassdoor or Facebook login pages.
VoidProxy phishing service targets Microsoft 365, Google accounts
A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. VoidProxy's attack flow involves serving a Cloudflare CAPTCHA challenge, filtering traffic, and presenting phishing pages that mimic Microsoft or Google login screens. Federated accounts using Okta for SSO are redirected to a second-stage phishing page impersonating Microsoft 365 or Google SSO flows. The service's proxy server captures usernames, passwords, and MFA codes in transit, and intercepts session cookies for attackers. Okta Threat Intelligence researchers discovered the platform and noted that users enrolled in phishing-resistant authenticators such as Okta FastPass were protected from these attacks.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile as a CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
Phishing Campaign Abuses iCloud Calendar to Send Emails from Apple Servers
A phishing campaign abuses iCloud Calendar invites to send callback phishing emails from Apple’s servers. The emails mimic purchase notifications and trick recipients into calling scammers. The emails bypass spam filters due to their origin from Apple’s servers. The phishing emails are disguised as purchase notifications from PayPal, claiming a $599 charge. They prompt recipients to call a provided number to discuss or cancel the payment. The scammers aim to gain remote access to the victim's computer to steal money, deploy malware, or steal data. The campaign leverages iCloud Calendar invites to send emails from Apple’s servers, making them appear legitimate and bypassing SPF, DMARC, and DKIM email security checks. The emails are sent from [email protected] and include the phishing text within the Notes field of the calendar invite.
Microsoft 365 logins stolen via ADFS redirects in phishing campaign
A phishing campaign has been observed using legitimate ADFS redirects to steal Microsoft 365 logins. The attackers exploit trusted Microsoft infrastructure to bypass URL-based detection and multi-factor authentication, redirecting users from legitimate office.com links to phishing pages. The campaign targeted multiple organizations, starting with malicious sponsored links in Google search results. The attackers set up a custom Microsoft tenant with ADFS configured, allowing them to receive authorization requests and authenticate users on the phishing page. The phishing site was disguised with fake blog posts and conditional loading restrictions to evade detection and ensure only valid targets accessed the phishing page.