Incident analysis revealed the use of 1Password’s branding, phrasing, and urgency cues, including legitimate support links, leading to the “secure my account now” button that landed victims on a credential-stealing page on a typosquatted domain.
A flawed yet convincing fake
The fake email came from “watchtower@eightninety[.]com,” an address that at first glance looked authentic. The embedded link even used Mandrillapp, a Mailchimp service often seen in genuine corporate emails, before redirecting users to “onepassword[.]com”, a deceptive look-alike domain.
Adding a layer of realism, the “Contact us” link routed to the real 1Password support page via the same Mandrill redirect. The fake email shared by Malwarebytes displayed generic alert messages like “Your 1Password account password has been compromised” and “Take action immediately”.
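The mismatches described above can be checked mechanically during mail triage. The following is an added example, not code from the article or from Malwarebytes; the brand allowlist, the digit-word folding heuristic, the tracking-link paths, the support URL and the recorded redirect map are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

BRAND_DOMAINS = {"1password.com"}   # assumption: the only domain trusted for this brand
DIGIT_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3"}

def refang(text):
    """Turn defanged indicators (example[.]com) back into parseable form."""
    return text.replace("[.]", ".")

def base_domain(host):
    # Simplification: last two labels. Use a public-suffix list in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_like_brand(domain):
    """Non-brand domain that equals a brand domain once digit words are folded."""
    folded = domain
    for word, digit in DIGIT_WORDS.items():
        folded = folded.replace(word, digit)
    return domain not in BRAND_DOMAINS and folded in BRAND_DOMAINS

def final_host(url, redirects, max_hops=5):
    # Walk a recorded redirect map (e.g. from a sandbox) instead of fetching.
    for _ in range(max_hops):
        if url not in redirects:
            break
        url = redirects[url]
    return urlsplit(url).hostname or ""

def triage(sender, links, redirects):
    findings = []
    sender_dom = base_domain(refang(sender).rsplit("@", 1)[-1])
    if sender_dom not in BRAND_DOMAINS:
        findings.append(("sender-not-brand", sender_dom))
    for label, url in links.items():
        dom = base_domain(final_host(refang(url), redirects))
        if looks_like_brand(dom):
            findings.append(("lookalike-landing", label, dom))
        elif dom not in BRAND_DOMAINS:
            findings.append(("off-brand-landing", label, dom))
    return findings

# Constructed sample: defanged hosts are from the article; paths and support URL are assumed.
TRACK = "https://mandrillapp[.]com/track/"
SAMPLE_SENDER = "watchtower@eightninety[.]com"
SAMPLE_LINKS = {"Secure my account now": TRACK + "cta", "Contact us": TRACK + "help"}
SAMPLE_REDIRECTS = {
    refang(TRACK + "cta"): refang("https://onepassword[.]com/"),
    refang(TRACK + "help"): "https://support.1password.com/",
}
```

Calling `triage(SAMPLE_SENDER, SAMPLE_LINKS, SAMPLE_REDIRECTS)` flags the sender domain and the call-to-action landing domain, while the “Contact us” link produces no finding because it ends on the brand's own domain, which is why one legitimate link should never clear a whole message.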