Back to Intelligence

Active Phishing Campaign Targeting LastPass & Bitwarden: Detection and Hardening

SA
Security Arsenal Team
July 15, 2026
6 min read

Introduction

Security operations centers (SOCs) and security leaders must immediately heighten awareness regarding an active social engineering campaign specifically targeting users of LastPass and Bitwarden. Recent intelligence confirms that attackers are distributing fake security alerts—designed to mimic urgent system notifications—intended to panic users into clicking through to fraudulent websites.

This is not a theoretical risk; we are seeing active credential harvesting attempts aimed at capturing master passwords. For organizations relying on these password managers, a single compromised master password leads to a wholesale breach of the vault. Defenders must act now to detect malicious redirection attempts and verify the integrity of user browser sessions.

Technical Analysis

Affected Products:

  • LastPass (Browser Extensions & Web Vault)
  • Bitwarden (Browser Extensions & Web Vault)

Attack Vector: Social Engineering (Phishing/Smishing)

The attack chain involves the distribution of "fake security notices." These alerts often claim unauthorized access attempts or critical security updates requiring immediate user intervention.

  1. Initial Contact: Users receive a notification via email or SMS (Smishing) containing a sense of urgency.
  2. The Hook: The notification includes a link to a "security portal" or "verification page." These URLs frequently employ typosquatting (e.g., lastpass-security.com or bitwarden-verify.net) to appear legitimate.
  3. Credential Harvesting: The landing page is a high-fidelity clone of the legitimate login portal.
  4. Objective: The goal is to harvest the Master Password. In many cases, these phishing kits are sophisticated enough to proxy the request to the real API, bypassing simple 2FA checks if the user does not verify the URL certificate meticulously.

Exploitation Status: Confirmed Active Exploitation. This is a human-operated campaign leveraging social engineering rather than a software vulnerability, meaning traditional vulnerability scanners will miss this threat.

Detection & Response

The following detection logic focuses on identifying the behavioral indicators of this campaign: suspicious browser launches initiated by mail clients (the "click") and network connections to typosquatted domains.

Sigma Rules

YAML
---
title: Potential Phishing Click - Browser Spawned by Mail Client
id: 8a2c3d12-4b5e-6a78-9b0c-1d2e3f4a5b6c
status: experimental
description: Detects browser processes spawned directly by email clients, a common behavior when users click phishing links.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1566
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\outlook.exe'
      - '\thunderbird.exe'
      - '\winmail.exe'
  selection_child:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\brave.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate users clicking links in newsletters
level: low
---
title: Connection to Potential Typosquatted Password Manager Domains
id: 9c3d4e23-5c6f-7b89-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects network connections to domains containing password manager brand names but using unofficial TLDs or structures often used in phishing.
references:
  - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1056
logsource:
  category: network_connection
  product: windows
detection:
  selection_brand:
    DestinationHostname|contains:
      - 'lastpass'
      - 'bitwarden'
  filter_legit:
    DestinationHostname|endswith:
      - '.lastpass.com'
      - '.bitwarden.com'
  filter_internal:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
  condition: selection_brand and not filter_legit and not filter_internal
falsepositives:
  - Internal tools referencing vendor names
  - Legitimate partner reseller domains
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for network events where a device connects to a domain mimicking LastPass or Bitwarden but is not the official vendor domain.

KQL — Microsoft Sentinel / Defender
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("lastpass", "bitwarden")
| where RemoteUrl !endswith ".lastpass.com" 
| where RemoteUrl !endswith ".bitwarden.com"
| where RemoteUrl !startswith "10." and RemoteUrl !startswith "192.168." and RemoteUrl !startswith "172.16."
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| summarize count() by RemoteUrl, DeviceName
| order by count_ desc

Velociraptor VQL

This artifact hunts for active network connections on Linux/Windows endpoints that match the suspicious domain patterns associated with this campaign.

VQL — Velociraptor
-- Hunt for connections to suspicious domains mimicking password managers
SELECT Fqdn, RemoteAddress, Pid, ProcessName, Username
FROM listen_sockets()
WHERE Fqdn =~ 'lastpass' 
   OR Fqdn =~ 'bitwarden'
   AND NOT Fqdn =~ '.lastpass.com$'
   AND NOT Fqdn =~ '.bitwarden.com$'

Remediation Script (PowerShell)

This script performs a forensic check of installed Chrome and Edge extensions. It verifies that extensions identifying as "LastPass" or "Bitwarden" match the official Developer IDs. If a malicious extension is installed (a common delivery vector for fake alerts), it will be flagged.

PowerShell
# Audit Password Manager Extensions for Tampering
# Official IDs LastPass: hdokiejnpimakedhajhdlcegeplioahd
# Official IDs Bitwarden: nngceckbapebfimnlniiiahkandclblb (Chrome), jbkfoedolllekgbhcbcoahefnbanhhlh (Edge)

$ChromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
$EdgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
$KnownIDs = @(
    "hdokiejnpimakedhajhdlcegeplioahd", # LastPass Chrome
    "nngceckbapebfimnlniiiahkandclblb", # Bitwarden Chrome
    "jbkfoedolllekgbhcbcoahefnbanhhlh"  # Bitwarden Edge
)

Write-Host "[+] Auditing Password Manager Extension Integrity..."

$Paths = @($ChromePath, $EdgePath)
foreach ($BasePath in $Paths) {
    if (Test-Path $BasePath) {
        Get-ChildItem $BasePath -Directory | ForEach-Object {
            $ExtID = $_.Name
            $VersionPath = "$($_.FullName)\*\manifest."
            $ManifestFile = Get-ChildItem $VersionPath -ErrorAction SilentlyContinue
            
            if ($ManifestFile) {
                try {
                    $Manifest = Get-Content $ManifestFile.FullName | ConvertFrom-Json
                    $Name = $Manifest.name
                    
                    # Check if it claims to be a target vendor
                    if ($Name -match "LastPass" -or $Name -match "Bitwarden") {
                        if ($KnownIDs -notcontains $ExtID) {
                            Write-Host "[!] ALERT: Suspicious Extension Found!" -ForegroundColor Red
                            Write-Host "    Name: $Name"
                            Write-Host "    ID:   $ExtID (Expected official ID not found)"
                            Write-Host "    Path: $($_.FullName)"
                        } else {
                            Write-Host "[+] Verified: $Name (ID: $ExtID)" -ForegroundColor Green
                        }
                    }
                } catch {
                    # Error reading manifest, likely corrupted or obfuscated
                    Write-Host "[?] Warning: Could not read manifest for $ExtID" -ForegroundColor Yellow
                }
            }
        }
    }
}
Write-Host "[+] Audit Complete."

Remediation

  1. Block Typosquatted Domains: Immediately update your secure web gateways (SWG) and DNS filters to block domains containing "lastpass" or "bitwarden" that do not explicitly end in .lastpass.com or .bitwarden.com.
  2. User Education (Specific): Alert your user base to this specific campaign. Explicitly state: "LastPass and Bitwarden will never ask for your master password via a link in an email or SMS." Users should only log in via their trusted bookmark or the official application.
  3. Audit Extensions: Execute the provided PowerShell script across your fleet to ensure no malicious browser extensions have been installed that might be injecting these fake security alerts.
  4. Review MFA Logs: Correlate successful authentication attempts with the IP addresses and User-Agents. Look for successful logins immediately following a connection to a suspicious domain identified in the KQL hunt.
  5. Incident Response: If a user confirms they clicked a link and entered credentials, force-reset their master password immediately and perform a full review of the vault export logs (if available via the vendor admin console) to check for bulk data exfiltration.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringlastpassbitwardenphishingsocial-engineeringcredential-harvesting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.