Overview
- LastPass says a phishing campaign that began January 19 is sending fake maintenance notices to steal master passwords.
- Emails pressure recipients to create a local vault backup within 24 hours, a deadline intended to instill a false sense of urgency.
- Links in the lure open an AWS S3 page that redirects to a spoofed site at mail-lastpass[.]com.
- Reported sender addresses include support@sr22vegas[.]com and support@lastpass[.]server8, with similar variants and themed subject lines.
- LastPass published indicators of compromise, asked users to report to abuse@lastpass.com, and is coordinating takedowns. Some outlets have observed the fake site offline.
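
A mail-triage check built from the indicators listed above, as an added example that is not LastPass's own tooling. The finding labels, the `triage` helper and the sample message are hypothetical, and the code assumes a single-part plain-text email.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the summary above, kept defanged as published.
SENDER_IOCS = ["support@sr22vegas[.]com", "support@lastpass[.]server8"]
DOMAIN_IOCS = ["mail-lastpass[.]com"]
LEGIT_DOMAIN = "lastpass.com"

def refang(value):
    return value.replace("[.]", ".").lower()
SENDERS = {refang(v) for v in SENDER_IOCS}
DOMAINS = {refang(v) for v in DOMAIN_IOCS}

def is_lookalike(host):
    """Brand name in the host, but not lastpass.com or one of its subdomains."""
    return ("lastpass" in host and host != LEGIT_DOMAIN
            and not host.endswith("." + LEGIT_DOMAIN))

def triage(raw):
    """Return finding labels (hypothetical names) for one single-part text email."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()
    findings = []
    if sender in SENDERS:
        findings.append("sender-ioc")
    elif is_lookalike(sender.rpartition("@")[2]):
        findings.append("sender-lookalike")  # catches "similar variants"
    for host in re.findall(r"https?://([^/\s:?#]+)", body):
        host = host.lower()
        if host in DOMAINS:
            findings.append("url-ioc")
        elif is_lookalike(host):
            findings.append("url-lookalike")
        elif re.search(r"(^|\.)s3[.-].*amazonaws\.com$", host):
            findings.append("s3-link")  # lure links pass through an S3 page
    if re.search(r"backup", body, re.I) and re.search(r"24\s*hours", body, re.I):
        findings.append("urgent-backup-lure")
    return findings

# Constructed sample message, not a captured email from the campaign.
SAMPLE = """From: LastPass Support <support@sr22vegas.com>
Subject: Scheduled maintenance

Create a local backup of your vault within 24 hours:
https://example-bucket.s3.amazonaws.com/notice.html
"""
```

An S3 link alone is weak evidence, so treat `s3-link` as a signal to combine with the sender and urgency findings rather than as a verdict.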