Phishing Campaign Exploiting LastPass via AWS S3 Misconfiguration
A recent phishing attack impersonating LastPass has been actively targeting users since January 19, 2026. The campaign, disclosed by LastPass’ Threat Intelligence, Mitigation, and Escalation (TIME) team, utilizes Amazon S3-hosted URLs to redirect victims to a fraudulent site aimed at harvesting their master passwords and vault access.
The attack begins with emails containing urgent messages that prompt recipients to back up their vaults before a supposed “scheduled maintenance.” These messages, sent from various spoofed addresses, leverage social engineering techniques to instill fear and urgency. Independent reports have confirmed that the redirect URL, hosted on an AWS S3 bucket, leads victims to a look-alike site (mail-lastpass[.]com) designed to capture sensitive credentials.
Notably, the attackers exploited a misconfigured S3 bucket that allowed public web access, enabling them to serve malicious content. By redirecting users from an AWS-hosted page to the phishing site, the attackers increased their credibility; such tactics can significantly delay detection efforts. The phishing emails, crafted with polished HTML, typically feature themes like “Infrastructure Update” and “Vault Security” to further trick users into compliance.
This campaign highlights the ongoing risk posed by phishing attacks, particularly those that exploit cloud service misconfigurations. Organizations must remain vigilant against these threats, which can result in unauthorized access to sensitive information and potential breaches.
Effective measures to mitigate risks include using threat intelligence to identify malicious S3 URLs, enhancing email filters for suspected phishing messages, and conducting user awareness training. Implementing strict network controls that block unauthorized access to potentially malicious cloud resources is also crucial.
Indicators of Compromise (IOCs):
- Malicious URL: group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf
- Phishing domain: mail-lastpass[.]com
- Attack infrastructure IPs: 104.21.86[.]78, 172.67.216[.]232, 188.114.97[.]3
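One way to apply the mitigations above in a mail filter or hunting script, shown as an added example that is not LastPass's or the original report's code: it refangs the IOCs listed here, matches links against them, and flags LastPass-themed mail that links to any S3 endpoint. The function names, verdict labels and sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# IOCs listed in this article, refanged for matching.
IOC_HOSTS = {"group-content-gen2.s3.eu-west-3.amazonaws.com", "mail-lastpass.com"}
IOC_IPS = {"104.21.86.78", "172.67.216.232", "188.114.97.3"}
LURE_THEMES = ("infrastructure update", "vault security")  # themes named above
# Virtual-hosted, path-style, dash-region and website-style S3 endpoints.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com$")
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
# Constructed sample message (not taken from the campaign).
SAMPLE_SUBJECT = "Vault Security: back up before scheduled maintenance"
SAMPLE_HTML = '<a href="https://example-bucket.s3.eu-west-3.amazonaws.com/abc">Back up your LastPass vault</a>'

def host_of(url):
    """Refang a URL or bare host and return its lowercase hostname."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "https://" + url  # bare host/path, as written in IOC lists
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed href; treat as no host
        return ""

def classify_url(url):
    """Return 'ioc', 's3-hosted' or 'other' for one link."""
    host = host_of(url)
    if host in IOC_IPS or any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
        return "ioc"
    return "s3-hosted" if S3_HOST.search(host) else "other"

def triage_email(subject, html):
    """Verdict for one message: 'block', 'review' or 'pass'."""
    verdicts = [classify_url(u) for u in HREF.findall(html)]
    if "ioc" in verdicts:
        return "block"
    text = (subject + " " + html).lower()
    lure = "lastpass" in text or any(t in subject.lower() for t in LURE_THEMES)
    # LastPass-themed mail linking to an arbitrary S3 bucket is the pattern described above.
    return "review" if lure and "s3-hosted" in verdicts else "pass"
```

The three listed IPs sit in Cloudflare address space shared with unrelated sites, so they are better suited to hunting and correlation than to outright network blocks.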



