LastPass Warns Users of Fake Maintenance Emails Aimed at Stealing Master Passwords

By Ash K

Password manager provider LastPass has issued a fresh warning to users after identifying a phishing campaign designed to trick them into handing over their master passwords. The campaign relies on convincing maintenance-themed emails that attempt to create urgency and push recipients toward attacker-controlled websites masquerading as legitimate LastPass services.

According to the company, the messages falsely claim that immediate action is required to prevent account disruption. Users who follow the links are taken through a carefully staged redirection flow that ultimately leads to a fraudulent site designed to harvest credentials.

How the Phishing Campaign Works

The phishing emails direct users to a hosted page located at a cloud storage URL, specifically “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf.” From there, victims are silently redirected to a lookalike domain, “mail-lastpass[.]com,” which is crafted to resemble a legitimate LastPass login portal.

This multi-step redirection technique helps attackers bypass basic filtering controls, since the link in the email points at a reputable cloud storage host rather than at the phishing domain itself, and it makes the campaign appear more credible to users who notice only the final destination. Once on the fake page, victims are prompted to enter their master password under the guise of routine maintenance verification.

Abuse of Trust and Brand Familiarity

LastPass emphasized that it will never ask users to share their master passwords, regardless of the situation. The company noted that the attackers are deliberately abusing brand familiarity and trust built around security tools, which many users instinctively rely on to protect sensitive information.

The emails are designed to appear operational rather than promotional, using language associated with service outages, upgrades, or urgent security checks. This framing increases the likelihood that users will act quickly without verifying the authenticity of the request.

Email Infrastructure Linked to the Campaign

As part of its disclosure, LastPass shared several sender addresses associated with the phishing messages. These include support@sr22vegas[.]com and multiple domains styled to resemble official LastPass infrastructure, such as support@lastpass[.]server8, support@lastpass[.]server7, and support@lastpass[.]server3.

While none of these domains are operated by LastPass, their naming conventions are intended to lower suspicion and give the impression of internal support communications.
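The indicators above (the S3-hosted redirector, the lookalike domain and the sender addresses) can be turned into a small triage check for a mail gateway or SOC script. The following is an added example and not LastPass's own tooling; it refangs the `[.]` notation used in the article, flags the published indicators, and separately flags any sender or link host that contains "lastpass" without being under the real `lastpass.com` domain, which is the generalization of the lookalike pattern the article describes. The sample messages at the bottom are constructed for illustration.

```python
"""Triage of LastPass-themed phishing mail against the indicators in this article.

Added example, not LastPass's code. Indicators are the ones published in the
article, defanged there with "[.]" and refanged here for matching.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "lastpass.com"

# Sender addresses quoted in the article (refanged).
KNOWN_BAD_SENDERS = {
    "support@sr22vegas.com",
    "support@lastpass.server8",
    "support@lastpass.server7",
    "support@lastpass.server3",
}

# Link hosts quoted in the article (refanged).
KNOWN_BAD_HOSTS = {
    "group-content-gen2.s3.eu-west-3.amazonaws.com",
    "mail-lastpass.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn the defanged '[.]' notation back into real dots."""
    return text.replace("[.]", ".")


def is_legit_host(host: str) -> bool:
    """True only for lastpass.com itself or a subdomain of it.

    'mail-lastpass.com' and 'lastpass.server8' both fail this check, as does
    'lastpass.com.example', because only a trailing '.lastpass.com' counts.
    """
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def triage_message(sender: str, body: str) -> list[tuple[str, str]]:
    """Return (finding, value) pairs for one message; empty list means nothing flagged."""
    findings = []
    sender = refang(sender).strip().lower()
    sender_domain = sender.rsplit("@", 1)[-1]

    if sender in KNOWN_BAD_SENDERS:
        findings.append(("known_bad_sender", sender))
    # Generalized lookalike check: brand name in the domain, but not the real domain.
    if "lastpass" in sender_domain and not is_legit_host(sender_domain):
        findings.append(("lookalike_sender_domain", sender_domain))

    for url in URL_RE.findall(refang(body)):
        host = (urlparse(url.rstrip(".,);")).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_bad_url_host", host))
        if "lastpass" in host and not is_legit_host(host):
            findings.append(("lookalike_url_host", host))
        # Object-storage bucket used as the first hop of the redirect chain.
        if host.endswith(".amazonaws.com") and (".s3." in host or host.startswith("s3.")):
            findings.append(("cloud_storage_redirector", host))
    return findings


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        ("support@lastpass[.]server8",
         "Scheduled maintenance: verify now at "
         "https://group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf ."),
        ("support@sr22vegas[.]com",
         "Your vault needs attention: https://mail-lastpass[.]com/login"),
        ("noreply@lastpass.com",
         "Release notes are available at https://support.lastpass.com/"),
    ]
    for sender, body in samples:
        print(sender, "->", triage_message(sender, body) or "clean")
```

Findings are returned as data rather than printed so the same function can feed a SIEM rule or a unit test; the lookalike checks deliberately do not depend on the published indicator lists, so a new sender such as "support@lastpass.server9" would still be flagged.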

False Urgency as a Core Tactic

A spokesperson from LastPass’s Threat Intelligence, Mitigation, and Escalation team stated that the campaign is built around manufactured urgency, a technique that remains one of the most effective tools in phishing attacks. By pressuring users to act quickly, attackers reduce the likelihood that recipients will pause to validate the message.

This approach continues to be effective even among security-conscious users, particularly when messages reference account security or service availability.

Response and Mitigation Efforts

LastPass confirmed that it is actively working with third-party partners to identify and dismantle the malicious infrastructure supporting the campaign. Efforts include takedown requests for phishing domains and coordination with hosting providers to disrupt the attack chain.

Users are advised to remain cautious of unsolicited emails, avoid clicking embedded links, and access LastPass services only through official applications or bookmarked URLs. The incident serves as a reminder that even security tools themselves are now prime targets for sophisticated social engineering campaigns.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.