Phishing Campaign Targeting 1Password Users


In early October 2025, cybersecurity researchers identified a phishing campaign targeting 1Password users, designed to steal credentials by impersonating legitimate breach alerts from the company’s Watchtower service. The emails were crafted to appear as urgent security notifications, claiming the recipient’s password had been exposed in a data breach and prompting them to “secure” their account via a malicious link. While visually convincing, the campaign relied on spoofed domains and typosquatted URLs to deceive users. One known target was a Malwarebytes employee, suggesting the attackers aimed at high-value individuals with access to multiple secured accounts.

Severity: High

Attack Vector And Delivery

The phishing email appeared to originate from watchtower[@]eightninety[.]com, imitating official 1Password communication. The message used urgent, trust-inducing language referencing 1Password’s legitimate Watchtower breach monitoring service, urging users to act quickly.

  • Subject: “Your 1Password account has been compromised”
  • Call-To-Action (CTA) Button: “Secure my account now”

Hovering over the CTA revealed a redirect link using mandrillapp[.]com, a legitimate Mailchimp service, which then directed victims to the fraudulent site onepass-word[.]com.

Phishing Infrastructure

  • Sender Domain: eightninety[.]com (spoofed identity)
  • Phishing Domain: onepass-word[.]com (typosquatted to mimic 1Password)
  • Redirector: mandrillapp[.]com (legitimate service abused for redirection)

The phishing site hosted a fake 1Password login form, exfiltrating entered credentials directly to the attacker’s command infrastructure.

Attack Objective And Impact

  • The attackers’ goal was credential harvesting specifically targeting 1Password master credentials.
  • Compromising a single 1Password account could yield access to hundreds of stored logins, MFA keys, and sensitive personal or corporate data.
  • If successful, the compromise could cascade into:
    • Corporate credential leaks across multiple systems
    • Account takeovers and data theft
    • Identity theft and social engineering opportunities

Recommendations

  1. Verify all security notifications directly through the 1Password app or dashboard.
  2. Enforce MFA for all accounts, especially password manager and identity management platforms.
  3. Conduct phishing simulation campaigns focusing on breach alert and security notification themes.
  4. Educate employees to:
    • Verify URLs by hovering over links before clicking.
    • Avoid entering credentials on unfamiliar or redirected sites.
    • Always access password managers directly through known URLs or the official app.
  5. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/dc5ee124eb81ce64e2bef7809693b1279f1e50ab3a67c0e0fcf28697e34d2af7/iocs
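The redirect chain described above (a mandrillapp click-tracking link whose path carries the real destination, onepass-word[.]com) and the recommendation to block the listed IOCs can both be turned into a small mail-triage check. The following is an added example, not code from the advisory, from Ampcus Cyber or from 1Password: it unwraps the tracking link to recover the destination host, matches sender and destination against the advisory's IOCs, and flags look-alikes of 1password.com. The legitimate-domain set, the brand keyword list and the sample messages are assumptions constructed for the example.

```python
"""Triage links in messages that claim to be 1Password Watchtower alerts.

Added example (not the advisory's or 1Password's code). IOC values are the
ones quoted in the advisory with defanging brackets removed; everything
else (legitimate domains, brand tokens, sample messages) is constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# IOCs from the advisory, un-defanged for matching.
IOC_SENDER = "watchtower@eightninety.com"
IOC_DOMAINS = {"eightninety.com", "onepass-word.com"}
IOC_URL = "https://mandrillapp.com/track/click/30140187/onepass-word.com?p="

# Assumption: the only domain we accept as a genuine 1Password sender/host.
LEGIT_DOMAINS = {"1password.com"}
# Click-tracking services whose links must be unwrapped before judging them.
TRACKING_HOSTS = {"mandrillapp.com"}
# Brand words that should not appear in a non-1Password domain label.
BRAND_TOKENS = ("1password", "onepassword", "password")


def registrable(host):
    """Crude registrable-domain extraction: the last two DNS labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def unwrap_tracking_link(url):
    """Return the destination host behind a mandrillapp click-tracking URL.

    Observed shape: https://mandrillapp.com/track/click/<id>/<destination>?p=...
    Any other URL simply yields its own host.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if registrable(host) in TRACKING_HOSTS and parts.path.startswith("/track/click/"):
        segments = parts.path.split("/")  # ['', 'track', 'click', '<id>', '<destination>']
        if len(segments) >= 5 and segments[4]:
            return unquote(segments[4]).lower()
    return host


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(host):
    """True if the host imitates 1Password but is not a legitimate 1Password domain."""
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return False
    label = re.sub(r"[^a-z0-9]", "", dom.split(".")[0])  # "onepass-word" -> "onepassword"
    return any(tok in label for tok in BRAND_TOKENS) or edit_distance(label, "1password") <= 2


def triage(sender, urls):
    """Return (category, value, reason) findings for a message posing as 1Password."""
    findings = []
    sender = sender.lower()
    sender_domain = sender.split("@")[-1]
    if sender == IOC_SENDER or registrable(sender_domain) in IOC_DOMAINS:
        findings.append(("sender", sender, "known IOC"))
    elif registrable(sender_domain) not in LEGIT_DOMAINS:
        findings.append(("sender", sender, "not a 1Password domain"))
    for url in urls:
        direct_host = (urlsplit(url).hostname or "").lower()
        dest = unwrap_tracking_link(url)
        if dest != direct_host:
            findings.append(("redirect", url, "tracking link resolves to " + dest))
        if registrable(dest) in IOC_DOMAINS:
            findings.append(("url", dest, "known IOC"))
        elif looks_like_brand(dest):
            findings.append(("url", dest, "look-alike of 1password.com"))
    return findings


# Constructed samples: the lure from the advisory and a benign control message.
SAMPLE_PHISH = {"sender": IOC_SENDER, "urls": [IOC_URL]}
SAMPLE_BENIGN = {"sender": "support@1password.com", "urls": ["https://my.1password.com/signin"]}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(msg["sender"], msg["urls"]))
```

The unwrapping step matters because a URL filter that only inspects the visible host sees a legitimate Mailchimp service and lets the click through; matching must be done on the recovered destination. The look-alike check is deliberately loose (a brand keyword or two edits from "1password"), which is appropriate for triage that feeds a human review queue rather than an automatic block.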

IOCs

Email ID: watchtower[@]eightninety[.]com
Domain: onepass-word[.]com
URL: https[:]//mandrillapp[.]com/track/click/30140187/onepass-word[.]com?p=

Source:


