In an effort to inform and defend customers, LastPass warned that there had been reports of a phishing email being sent to users of the LastPass platform. The email purports to be from LastPass and contains malicious links that direct recipients to update their master password. LastPass has already stated that it is working to take down the malicious domains being used to send these emails. While LastPass did not include the link in its post, for obvious safety reasons, these attacks are common and tend to follow a specific attack pattern.
 
Phishing Attempt to Steal LastPass Master Password

Source: LastPass

When clicked by an unsuspecting user, the link often directs the user to a webpage that appears legitimate, where they are prompted to input their credentials. Doing so can result in the user's personal data being accessed, stolen, or sent in an unauthorized manner. Once the bad actor has the user's credentials, they are often able to take control of the account by changing the credentials and locking the user out, or even potentially selling access to the account to other bad actors.

Email recipients need to take these threats seriously. People need to make sure they are safe when using any product that sends them email, and they should also be able to identify whether an email is innocent or malicious, and know the methods and identifiers that set the two apart. In this attack, the malicious emails were sent using the email address(es) “do-not-reply-support[@]lastpass.ch”, “do-not-reply-support[@]lastpassinc.com” or “do-not-reply-support[@]lastpasses.net” with the subject line “LastPass – Adaptive Protection Alert”.
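The sender and subject identifiers above can be turned into a mail-filter check. The following is an added example, not code from LastPass or from the original post: it matches the reported sender domains and subject line, and goes one step further by flagging any other sender domain that contains the brand name without being trusted. The trusted-domain list, the reason labels and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicators reported on this page (sender domains refanged for matching).
REPORTED_DOMAINS = {"lastpass.ch", "lastpassinc.com", "lastpasses.net"}
REPORTED_SUBJECT = "LastPass \u2013 Adaptive Protection Alert"
# Assumption: the sender domains your organization accepts as genuine.
TRUSTED_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

def is_trusted(domain):
    """True for a trusted domain or one of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def classify(raw):
    """Return the list of reasons a raw RFC 5322 message looks suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # policy.default decodes RFC 2047 encoded words in the subject.
    subject = " ".join(str(msg.get("Subject", "")).split())
    reasons = []
    if domain in REPORTED_DOMAINS:
        reasons.append("reported-sender-domain")
    elif BRAND in domain and not is_trusted(domain):
        reasons.append("brand-lookalike-domain")
    if subject.casefold() == REPORTED_SUBJECT.casefold():
        reasons.append("reported-subject")
    if BRAND in display.lower() and not is_trusted(domain):
        reasons.append("brand-display-name-untrusted-domain")
    return reasons

# Constructed sample messages (headers only), not real captured mail.
SAMPLES = {
    "campaign": "From: LastPass <do-not-reply-support@lastpasses.net>\n"
                "Subject: =?UTF-8?Q?LastPass_=E2=80=93_Adaptive_Protection_Alert?=\n\nbody\n",
    "lookalike": "From: Support <alerts@lastpass-security.example>\n"
                 "Subject: Account notice\n\nbody\n",
    "trusted": "From: LastPass <noreply@mail.lastpass.com>\n"
               "Subject: Your receipt\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The From header is set by the sender, so a check like this belongs alongside SPF, DKIM and DMARC results rather than in place of them.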

Users should be wary of any email message containing a link to a URL and should never click the link if there is any question about its validity. Instead, we encourage people to open links in a web browser, and to always check before opening any attachment. End-user Security Awareness Training can help your organization protect your employees through training on how to identify malicious emails and on safe email procedures, as well as testing to measure the effectiveness of the training over time.