Find notable cyber news and cases, enriched with sources, timelines, and signals.

LastPass and Bitwarden users targeted by fake-security-notice phishing campaign

Campaign
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

An ongoing phishing campaign is using fake security notices to lure LastPass and Bitwarden users to fraudulent websites, creating immediate credential theft risk for anyone who submits passwords or vault access details. The operation uses impersonated service emails, malicious compliance domains, and a DocuSign lookalike landing page to push victims into interacting with attacker-controlled infrastructure. Some infrastructure has already been flagged as malicious and the website was taken offline, but the targeting remains active enough to affect both user groups.

Related Happenings

Forg365-ForgCookie alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score37 First: 09.07.2026 17:39 Last: 09.07.2026 17:39 Sources 1

About this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

CypherLoc phishing-led browser scareware campaign

Campaign
H score49 First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
H score31 First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Timeline

  1. 14.07.2026 18:31 2 articles · 2h ago

    LastPass and Bitwarden users targeted by fake DocuSign security notices

    Initial Disclosure

    LastPass warned that an ongoing phishing campaign is sending fake security notices to LastPass and Bitwarden users, with emails sent from addresses such as '[email protected]' and '[email protected]' redirecting victims to lastpasscompliance[.]com and bitwardencompliance[.]com. The fraudulent pages impersonate DocuSign, present alleged policy changes or a document review flow, and may prompt users to download a file claiming to support both Windows and macOS. LastPass said its systems were not compromised and that the emails did not originate from its infrastructure, while Microsoft Defender for Office 365 and Cloudflare flagged lastpasscompliance[.]com as malicious.

    Show sources