Phishing Attack Targets LastPass Users via Fake Support Emails

A new phishing campaign targeting LastPass users has been detected, beginning around March 1, 2026. According to LastPass Threat Intelligence, Mitigation, and Escalation (TIME), attackers are sending fraudulent emails that impersonate LastPass support staff.

The goal of these emails is to trick users into revealing sensitive login information by making the messages look like internal notifications about suspicious account activity.

This type of attack is a classic example of social engineering, where cybercriminals create a sense of urgency to pressure users into reacting quickly without verifying the message.


How the Attack Works

The phishing emails are designed to look as though they were forwarded from another person and warn about unauthorized actions on the recipient’s LastPass account. These actions may include exporting the vault, starting a full account recovery, or registering a new trusted device.

Attackers are using display-name spoofing: the sender's display name reads as LastPass while the actual email address belongs to an unrelated domain. Many email applications, especially on mobile devices, show only the display name and hide the real address, which is what makes the trick work. The check is to expand the sender or view the full message headers and read the address itself; the display name carries no trust on its own.

The emails urge recipients to take immediate action, such as reporting suspicious activity, locking their vault, or revoking device access. They contain links that lead to a fake Single Sign-On (SSO) login page hosted on a malicious website.

This phishing page closely resembles the legitimate LastPass login screen, making it easy for unsuspecting users to enter their credentials. The visual match is beside the point; the only thing that identifies the page is the domain shown in the address bar.

Important Reminder from LastPass

LastPass emphasizes that it will never ask users for their master password through email or any other communication.

If you receive an email that appears suspicious, you should submit it to LastPass for verification.

Although the company is working with third-party partners to shut down the phishing websites as quickly as possible, users are encouraged to stay vigilant and follow security best practices.

If you are unsure about an email, do not click on any links or provide personal information. Instead, go directly to the official LastPass website by typing the address or using a saved bookmark and log in from there. A password manager declining to autofill a login form is itself a warning sign: autofill is matched to the domain the credential was saved for, so a lookalike domain gets nothing.

Indicators of Compromise (IOCs)

Security teams have identified several malicious URLs and IP addresses connected to this campaign:

Malicious URLs:
  1.  http://verify-lastpass[.]com/login?13 – Primary phishing page
  2.  Variations of the same URL with a different query value (e.g., login?12, login?14) lead to the same phishing page, so detection should match on the hostname rather than the exact URL.

Malicious IP Addresses:

  1.  172.67.200.82 
  2.  104.21.21.204 
  3.  52.102.103.4 

The domain and IP addresses above are part of the attackers' infrastructure and are used to deliver victims to the fake login page. Check ownership before blocking an address at the network level: 172.67.x.x and 104.21.x.x are Cloudflare proxy ranges shared by many unrelated sites, so blocking them causes collateral damage, and the same ownership check should be run on the third address. The domain, and the URL pattern, are the indicators worth alerting on.
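As an added example, not code from LastPass or from this article, the Python script below applies both checks discussed on this page to a raw message: the display-name test from the "How the Attack Works" section and a hostname match against the IOC domain, so that the numbered login?N variants all hit. The sample message is constructed for the example, the legitimate sender domain list (`lastpass.com`) is an assumption to replace with the domains genuine LastPass mail actually arrives from, and the function names are mine.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above: the display
# name says "LastPass", the real sender domain is something else, and the body
# carries one of the numbered login?N variants of the phishing URL.
SAMPLE_EMAIL = """\
From: "LastPass Support" <alerts@example-mailer.net>
To: victim@example.com
Subject: FWD: Suspicious activity on your LastPass account
Content-Type: text/plain; charset="utf-8"

Someone exported your vault and registered a new trusted device.
If this was not you, lock your vault now:
http://verify-lastpass.com/login?14
"""

# IOC from the article, stored defanged and refanged at load time.
IOC_DOMAINS_DEFANGED = ["verify-lastpass[.]com"]
# Assumption: the domains LastPass legitimately sends from. Adjust this to
# what you actually see in the headers of genuine LastPass mail.
LEGIT_SENDER_DOMAINS = {"lastpass.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(indicator: str) -> str:
    """Turn 'verify-lastpass[.]com' / 'hxxp://' back into a usable indicator."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}


def _in_domain_set(host: str, domains: set[str]) -> bool:
    """Exact match or subdomain of any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_parts(from_header: str) -> tuple[str, str, str]:
    """Split a From: header into (display_name, address, address_domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def is_display_name_spoof(from_header: str, brand: str = "lastpass") -> bool:
    """True when the display name claims the brand but the actual address is
    not on a legitimate brand domain: the mismatch mobile clients hide."""
    name, _addr, domain = sender_parts(from_header)
    claims_brand = brand in name.lower().replace(" ", "")
    return claims_brand and not _in_domain_set(domain, LEGIT_SENDER_DOMAINS)


def url_hits_ioc(url: str) -> bool:
    """Match on the hostname only, so login?12, ?13 and ?14 all match."""
    host = (urlparse(url).hostname or "").lower()
    return _in_domain_set(host, IOC_DOMAINS)


def triage(raw_message: str) -> dict:
    """Parse one raw RFC 5322 message and return both findings plus a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg["From"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    ioc_urls = [u for u in URL_RE.findall(text) if url_hits_ioc(u)]
    spoof = is_display_name_spoof(from_header)
    if ioc_urls:
        verdict = "phishing"      # links to known campaign infrastructure
    elif spoof:
        verdict = "suspicious"    # brand impersonation, link not yet known
    else:
        verdict = "clean"
    return {"display_name_spoof": spoof, "ioc_urls": ioc_urls, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Feed it a .eml file's contents and it returns the spoof flag, the matching URLs and a verdict; the hostname match is what keeps the check stable when the attackers rotate the query string, and a brand-claiming display name with an off-brand address is flagged even before the link is on any list.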

LastPass advises customers to stay alert and report any suspicious emails or activity. The company is actively monitoring the situation and working to remove the phishing sites as quickly as possible.

“Phishing attacks don’t break systems—they exploit human trust. Awareness is often the strongest defense.”
