LastPass and Bitwarden users targeted by fake-security-notice phishing campaign
Campaign
Summary
Hide ▲
Show ▼
An ongoing phishing campaign is using fake security notices to lure LastPass and Bitwarden users to fraudulent websites, creating immediate credential theft risk for anyone who submits passwords or vault access details. The operation uses impersonated service emails, malicious compliance domains, and a DocuSign lookalike landing page to push victims into interacting with attacker-controlled infrastructure. Some infrastructure has already been flagged as malicious and the website was taken offline, but the targeting remains active enough to affect both user groups.
Related Happenings
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score37
First: 09.07.2026 17:39
Last: 09.07.2026 17:39
Sources 1
About this happening:
**Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Forg365-ForgCookie alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
H score43
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
H score31
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
TikTok for Business phishing campaign using Turnstile and reverse proxy
CampaignAbout this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Timeline
-
14.07.2026 18:31 2 articles · 2h ago
LastPass and Bitwarden users targeted by fake DocuSign security notices
Initial DisclosureLastPass warned that an ongoing phishing campaign is sending fake security notices to LastPass and Bitwarden users, with emails sent from addresses such as '[email protected]' and '[email protected]' redirecting victims to lastpasscompliance[.]com and bitwardencompliance[.]com. The fraudulent pages impersonate DocuSign, present alleged policy changes or a document review flow, and may prompt users to download a file claiming to support both Windows and macOS. LastPass said its systems were not compromised and that the emails did not originate from its infrastructure, while Microsoft Defender for Office 365 and Cloudflare flagged lastpasscompliance[.]com as malicious.
Show sources
- LastPass, Bitwarden users targeted with fake security alerts — www.bleepingcomputer.com — 14.07.2026 18:31
- LastPass, Bitwarden users targeted with fake security alerts — www.bleepingcomputer.com — 14.07.2026 18:31