Blog
Recent
Threat Intel

LastPass alerts customers to active phishing campaign using lookalike domains; no impact to LastPass systems

LastPass alerts customers to active phishing campaign using lookalike domains; no impact to LastPass systems

LastPass Threat Intelligence, Mitigation, and Escalation (TIME) would like to alert our customers to an active phishing campaign identified on July 13, 2026. Phishing emails are being sent from hello@lastpassnewsletter.com with the subject line shown below, directing recipients to a fraudulent site likely designed to steal LastPass master passwords.

This is likely an attempt on the part of a threat actor to generate urgency and trick customers into handing over their credentials, which is a common social engineering tactic. LastPass systems are not affected.

 

Campaign Overview

The attacker registered two lookalike domains, lastpassnewsletter[.]com and lastpasscompliance[.]com, neither of which is affiliated with LastPass in any way. Emails sent from hello@lastpassnewsletter.com are designed to look like an official LastPass security notice, instructing recipients to review updated security policies via a provided link.

Image: Example of a phishing email sent from hello@lastpassnewsletter[.]com.

Clicking the link directs recipients to https[:]//lastpasscompliance[.]com/, a site impersonating a third-party service and prompting visitors to download software. The site has been confirmed malicious by Microsoft Defender for Office 365 and Cloudflare. We are investigating the nature of the download and will update this post as findings are confirmed.

Image: The phishing link redirects targets to a landing page that impersonates DocuSign.

The phishing site has been independently classified as malicious by Microsoft Defender for Office 365, which blocks the URL via SafeLinks, and by Cloudflare, which is currently serving a "Suspected Phishing" warning to anyone who navigates to the domain.

We are working with our partners to have these domains taken down as quickly as possible.

Known Sender and Subject Line

From:

hello@lastpassnewsletter.com

Subject:

Action Required: Review Updated LastPass Security Policies

What to Do

Please remember that no one at LastPass will ever ask for your master password.

If you received this email:

  • Do not click any links in the message.
  • Do not enter your credentials on any site you reached from this email.
  • If you did enter your master password on the phishing site, change it immediately from a trusted device at LastPass.com and review your vault for any unexpected activity.

As always, if you are ever unsure whether a LastPass-branded email is legitimate, please submit it to abuse@lastpass.com. We would like to thank the customers who have already flagged this campaign for their vigilance.

 

Indicators of Compromise

Malicious domains at time of publication:

  • lastpasscompliance[.]com — phishing site impersonating a LastPass account portal
    • Serving IP: 34.132.187.133 (Google Cloud Platform)
  • lastpassnewsletter[.]com — fraudulent sending domain used to deliver phishing emails
    • Sending IP: 54.240.9.8 (Amazon SES)

Sender address:

  • hello@lastpassnewsletter[.]com

Subject line:

  • Action Required: Review Updated LastPass Security Policies

SHA256 artifact hash:

  • 8ae49ed3cb1e076fd12eb1f5489f1be0c9be4264731b3afd4175cf3284bc1b79
     

This post will be updated as new information becomes available. For questions or to report a suspicious email, contact abuse@lastpass.com.

Share this post via:share on linkedinshare on xshare on facebooksend an email