A new phishing campaign is reportedly targeting password manager users, particularly LastPass and Bitwarden users. The scam involves the use of believable emails about security policy updates to lure users into fake websites.
These fake sites look like DocuSign pages. They try to get victims to download harmful files. Neither password manager company has been breached in this attack.
Scammers create urgency with fake policy updates
The phishing emails look very professional. They appear to be genuine messages from reputable companies. For LastPass users, the emails come from hello@lastpassnewsletter.com. The subject lines mention updated security policies that need your attention.
The email says you must review the new service terms. It talks about features like better monitoring and admin controls. You’re told to click a “Review & Access Terms” button to continue using your account.
But that button doesn’t go to LastPass. It leads to lastpasscompliance[.]com. The fake sites mirror the real DocuSign site, popular for signing documents online.
Bitwarden users are getting similar emails. These come from hello@bitwardennewsletter.com. They redirect people to bitwardencompliance[.]com. The fake DocuSign experience looks the same for both brands.
Meanwhile, these kinds of tricks aren’t new. LastPass actually warned users about similar phishing attempts back in January and March 2026. The attackers keep using what works. They know people panic when they see urgent security messages.
Fake DocuSign pages push harmful downloads
The fake websites don’t ask you to sign anything. Instead, they try to get you to download a file. The file reportedly works on both Windows and Mac computers.
LastPass couldn’t confirm exactly what was in the downloaded file. The bad actors took down the malicious website before they could finish their investigation. But the company strongly warned people not to download anything from these sites.
Security tools like Microsoft Defender and Cloudflare already flagged these domains as dangerous. This helped many organizations block access before more people fell victim. The fake sites even had a live chat feature. It’s not clear if anyone was actually on the other end.
No security breach at either company
Here’s the important thing to remember. Neither LastPass nor Bitwarden got hacked. Their systems remain completely secure.
LastPass warned that those emails aren’t from them. Scammers just registered domains that look almost identical to real company websites. Usually, they do so by introducing deliberate typos in the address.
For example, they could maybe swap the small letter “L” with the capital letter “I,” a trick referred to as typosquatting. They’re betting people are not paying close attention to notice the difference.
Bitwarden has also shared helpful guidance. They told customers which email addresses are legitimate. Real automated emails come from addresses ending in @bitwarden.com. For example, no-reply@bitwarden.com is a safe sender.
The company also said they never ask users to download files through unknown links. LastPass confirmed that hello@lastpassnewsletter.com is not one of their official addresses. They told customers to quarantine any messages from that sender.
Why password managers are prime targets
Password managers are the gatekeepers to your entire digital world. Most of us trust them with dozens, maybe even hundreds, of login details. That’s what makes them very valuable to hackers.
Instead of going after the companies behind these tools, a lot of attackers go for the users themselves. The broader debate over digital privacy and security is intensifying, and the UK government is pushing for mass scanning of encrypted messages.
It’s usually much easier for them, and the payoff is huge. If they steal your master password, they pretty much have the keys to every account you’ve stored.
This campaign goes to show how the trend in online scams is changing. Scammers are now using trusted services like DocuSign in their attacks. People recognize the branding and let their guard down. This scam looks much more convincing compared to a fake login page.
Targeting both LastPass and Bitwarden, two top password managers, tells you this isn’t just a small-time trick. It’s a big operation. Instead of zeroing in on one company, they’re throwing a wider net to catch more people.
Steps to stay safe
If you ever receive a security alert you weren’t expecting, no matter which company it’s from, treat it as suspicious.
Double-check the domain name from which you receive such emails. Even small differences in spelling can mean the message is from hackers. Do not follow links in such emails. Always launch the password manager via its app or site. Save the link to your password manager site in bookmarks for convenience.
Also, if you have already downloaded some files from one of these scammer pages, disconnect your device from your important accounts immediately. Scan your computer to identify any infections. Change your master password using another device.
Even the companies themselves should be on the lookout for these imposter domains. Teach your staff how to recognize phishing attacks. Make them understand that scammers use the names of trusted software vendors frequently.