LastPass-branded phishing campaign targeting customers
Campaign
Summary
Hide ▲
Show ▼
A LastPass-branded phishing campaign is luring customers to fake desktop-app and phishing sites, creating immediate credential-theft risk. The emails use a breach-themed subject line and sender addresses such as hello@lastpasspulse[.]blog and hello@lastpassgazette[.]blog. The infrastructure also includes lastpassdesktop[.]com, lastpassgazette[.]blog, and the registered lastpassdesktop[.]app domain, suggesting the operation is designed for reuse.
Related Happenings
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
LastPass users phishing campaign using fake support threads
Campaign
First: 04.03.2026 22:44
Last: 04.03.2026 22:44
Sources 1
About this happening:
A **phishing campaign** is targeting **LastPass users** with fake account-access alerts, putting **vault credentials** at risk. The lure uses spoofed support threads and urgent li...
LastPass users phishing campaign using fake support threads
CampaignAbout this happening: A **phishing campaign** is targeting **LastPass users** with fake account-access alerts, putting **vault credentials** at risk. The lure uses spoofed support threads and urgent li...
Microsoft Entra device code phishing and vishing campaign
Campaign
First: 19.02.2026 14:30
Last: 19.02.2026 14:30
Sources 1
About this happening:
A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
Microsoft Entra device code phishing and vishing campaign
CampaignAbout this happening: A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware ActivityAbout this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
Timeline
-
16.10.2025 15:30 2 articles · 7mo ago
LastPass warns customers about phishing campaign
Initial DisclosureLastPass told customers it has not been hacked after detecting a phishing campaign that used breach-themed emails with the subject line “We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security” and sender addresses such as hello@lastpasspulse[.]blog and hello@lastpassgazette[.]blog. The links redirected recipients to phishing pages at lastpassdesktop[.]com and lastpassgazette[.]blog, while lastpassdesktop[.]app was also registered for possible future use; LastPass said it was seeking takedown help, Cloudflare placed warning pages in front of the site, and the phishing infrastructure appeared to use NiceNIC.
Show sources
- LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30
- LastPass Warns Customers It Has Not Been Hacked Amid Phishing Email Scam — www.infosecurity-magazine.com — 16.10.2025 15:30