Executive Summary
An ongoing phishing campaign is impersonating LastPass and abusing Amazon S3–hosted URLs as the first redirect hop to a fake LastPass domain, attempting to harvest victims’ master passwords and vault access. The operation—active since Jan 19, 2026 (US holiday weekend)—pushes emails urging recipients to “Create Backup Now” ahead of “scheduled maintenance,” then redirects from an AWS S3 object to mail-lastpass[.]com, a look-alike site controlled by the attackers. LastPass’ Threat Intelligence, Mitigation, and Escalation (TIME) team publicly disclosed the campaign on Jan 20, 2026, sharing specific sender addresses, subjects, and network indicators, and reiterating that LastPass will never ask for your master password via email.
The lure emails leverage urgency and polished HTML to drive clicks, a pattern confirmed by independent outlets. Multiple reports document the AWS S3 URL group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf redirecting to mail-lastpass[.]com.
Background on the Campaign
LastPass warns that adversaries are sending maintenance-themed emails from several plausible-looking addresses and subject lines like “LastPass Infrastructure Update: Secure Your Vault Now” and “Protect Your Passwords: Backup Your Vault (24-Hour Window)”. The messages claim users must back up their vaults within 24 hours, a classic social-engineering tactic to force immediate action.
Attack / Phishing Details
Email Themes & Senders
- Themes: Maintenance + 24-hour backup urgency; “infrastructure update”; “vault security” reminders.
- From addresses: support@sr22vegas[.]com, support@lastpass[.]server8, support@lastpass[.]server7, support@lastpass[.]server3
- Subjects:
  - “LastPass Infrastructure Update: Secure Your Vault Now”
  - “Protect Your Passwords: Backup Your Vault (24-Hour Window)”
  - “Don’t Miss Out: Backup Your Vault Before Maintenance”
  - “Your Data, Your Protection: Create a Backup Before Maintenance”
  - “Important: LastPass Maintenance & Your Vault Security”
Redirect & Hosting Flow
- Victim clicks “Create Backup Now” in the phishing email.
- Browser lands on an AWS S3 object: group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf (served from 52.95.155[.]90 at time of posting).
- The S3 object redirects to the attacker domain mail-lastpass[.]com (observed IPs: 104.21.86[.]78, 172.67.216[.]232, 188.114.97[.]3).
- The phishing site prompts for LastPass credentials/master password, aiming to hijack the vault.
Timing & Evasion
- Campaign began on/around Jan 19, 2026, a U.S. holiday weekend, a timing choice intended to delay detection and response.
- Polished copy and layout increase plausibility; multiple independent outlets corroborate the lures.
Misconfiguration Details
The attackers did not exploit a LastPass internal misconfiguration.
Instead, they relied on misconfigurations and weak security controls in their own malicious infrastructure: the S3 bucket was set to allow public web access, enabling it to host and serve malicious pages. The phishing emails link to this Amazon S3-hosted page, which then redirects to the fake LastPass website. This is the classic S3 public-read bucket misconfiguration, which lets attackers upload and serve malicious HTML content directly from AWS infrastructure.
- CSPM_ID: CSPM-AWS-2024-0164
- Severity: Critical
- Misconfiguration used: The S3 bucket was misconfigured to allow public web access
- Affected service: S3
- Affected resource: Buckets
- Remediation (REM-AWS-2024-0526): Enable Block Public Access for S3 Bucket (Automatically enables all four S3 Block Public Access settings on the specified bucket to prevent unauthorized public access)
Tactics and Techniques
- T1566.002 – Phishing: Spearphishing Link: Maintenance-themed emails with urgent 24-hour backup CTA.
- T1583.006 – Acquire Infrastructure: Web Services: Adversaries leveraging AWS S3 for redirect/hosting to gain trust and resilience.
Visual: Attack Flow
[Phish Email: “Create Backup Now”] -> [AWS S3 Object (eu-west-3): group-content-gen2.s3.../5yaVgx51ZzGf] -> [Redirect -> mail-lastpass[.]com (Cloudflare IPs)] -> [Fake LastPass page -> prompt for master password] -> [Account takeover / vault compromise risk]
Mitigation Steps
Attackers used a misconfigured, publicly exposed S3 bucket to host phishing content. Because this resource belongs to the attacker, the victim cannot remediate it; instead, network controls should block such malicious cloud-hosted content:
- Block access to known malicious S3 URLs
- Detect traffic to unknown S3 buckets
- Enhance user awareness & phishing detection
- Email filtering for spoofed maintenance messages
- Domain monitoring + quick takedown of phishing pages
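As an added example of the first two mitigation items above (not code from this advisory or from LastPass), the following Python scans constructed proxy log lines, extracts the bucket name from both virtual-hosted and path-style S3 URLs, blocks the two indicators quoted in this advisory, and raises an alert for any S3 bucket outside an assumed organisational allowlist (KNOWN_BUCKETS and the log format are assumptions).

```python
import re
from urllib.parse import urlparse

# Constructed proxy log sample, fields: timestamp client_ip method url status
SAMPLE_LOGS = """\
2026-01-20T09:12:03Z 10.0.4.17 GET https://group-content-gen2.s3.eu-west-3.amazonaws.com/5yaVgx51ZzGf 302
2026-01-20T09:12:04Z 10.0.4.17 GET https://mail-lastpass.com/login 200
2026-01-20T09:15:41Z 10.0.7.2 GET https://s3.us-east-1.amazonaws.com/corp-approved-assets/logo.png 200
2026-01-20T09:18:27Z 10.0.5.21 GET https://unknown-drop-7731.s3.eu-west-3.amazonaws.com/backup.html 200
2026-01-20T09:20:55Z 10.0.2.33 GET https://example.org/ 200
"""
# Buckets the organisation legitimately uses (assumed allowlist, defender-maintained).
KNOWN_BUCKETS = {"corp-approved-assets"}
# Indicators quoted in the advisory: the look-alike domain and the S3 first-hop URL.
IOC_BLOCKLIST = {"mail-lastpass.com", "group-content-gen2.s3.eu-west-3.amazonaws.com/5yaVgx51ZzGf"}
# Virtual-hosted style <bucket>.s3[.region].amazonaws.com and path style s3[.region].amazonaws.com/<bucket>/
VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

def extract_bucket(url):
    """Return the S3 bucket a URL addresses, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if m := VHOST_RE.match(host):
        return m.group("bucket")
    if PATH_RE.match(host):
        return parsed.path.lstrip("/").split("/", 1)[0] or None
    return None

def classify(url):
    """block = advisory IoC, alert = S3 bucket off the allowlist, ok = allowlisted, ignore = other."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in IOC_BLOCKLIST or host + parsed.path in IOC_BLOCKLIST:
        return "block"
    bucket = extract_bucket(url)
    if bucket is None:
        return "ignore"
    return "ok" if bucket in KNOWN_BUCKETS else "alert"

def scan(log_text):
    """Return (verdict, client_ip, url) for every log line that needs action."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and (verdict := classify(parts[3])) != "ignore":
            findings.append((verdict, parts[1], parts[3]))
    return findings
```

Calling scan(SAMPLE_LOGS) yields two "block" hits for the advisory's indicators, one "ok" for the allowlisted bucket, and one "alert" for the unknown bucket; a second object in the same attacker bucket but with a different key would surface as "alert" rather than "block".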
