"LastPass emphasizes that its systems have not been compromised and that the phishing emails did not originate from its infrastructure," the company told customers as it warned of an ongoing campaign that uses fake security notices to direct users to fraudulent websites.
LastPass warning: what the emails say
LastPass reported a targeted phishing campaign that sends messages crafted to look like legitimate corporate communications. The emails — sent from the address 'hello@lastpassnewsletter.com' — notify recipients of alleged service policy changes, including claims about enhanced SaaS monitoring, master password reset options for administrators, and improvements to the admin console. Each message includes a prominent "Review & Access Terms" button intended to lure recipients to a malicious landing page.
DocuSign impersonation and the malicious domain
Clicking the button in the fraudulent email redirects users to a site impersonating DocuSign, the electronic document service. The domain used by the attackers was lastpasscompliance[.]com, which Microsoft Defender for Office 365 and Cloudflare have flagged as malicious. LastPass said it could not confirm the ultimate goal of the campaign but noted the fake site prompted users to download a file claiming to support both Windows and macOS. The site also offered live support via a chat box, though LastPass said it was unclear whether that chat function was operational. At the time of writing, the malicious website had been taken offline.
Bitwarden users targeted with parallel messages
Security reporter BleepingComputer found that Bitwarden customers received similar emails originating from 'hello@bitwardennewsletter.com' that redirected to bitwardencompliance[.]com. The structure and lure mirror the LastPass-targeted messages: notifications of policy or service changes that steer recipients toward a DocuSign-like landing page and a requested download.
Past waves: January and March campaigns
This activity follows previous phishing waves that also impersonated LastPass. In March, the company warned of fake unauthorized account-access alerts that used fabricated communication threads to create urgency and drive users toward risky actions that could expose data. In January, LastPass flagged another campaign in which users were told they needed to back up their vaults within 24 hours because of alleged system maintenance. Across these incidents, LastPass has reiterated that it will never ask users for their master password and has urged customers to report suspicious communications to abuse@lastpass.com.
What this means for end users and security teams
- End users: If you entered credentials on one of the phishing sites, LastPass advises changing your master password immediately from a trusted device and reviewing your vault for suspicious activity. Do not provide your master password in response to email prompts; LastPass says it will never request that information.
- Security teams and defenders: The campaign underscores the continued use of brand impersonation and look-alike domains to bypass user caution. The Picus whitepaper cited in the reporting notes that "security teams log 54% of successful attacks and alert on just 14%," a statistic that highlights gaps in detection and the value of validating alerting and response controls against phishing scenarios like these.
LastPass has been explicit that the phishing messages did not originate from its own infrastructure, but the attackers used domains designed to appear as legitimate company services. BleepingComputer's reporting and the takedown of the active landing page close this chapter for now, but the company has not confirmed the attackers' motive beyond the immediate lure to download files or submit credentials.
The immediate, concrete steps are clear in LastPass's own guidance: treat unexpected security-policy notices skeptically, report suspicious mail to abuse@lastpass.com, and if you believe you have been phished, change master credentials from a trusted device and audit your vault. The unanswered operational question left in the record is whether the downloads distributed via the fraudulent DocuSign impersonation were designed to harvest credentials, deliver malware, or both — a point LastPass could not confirm.




