Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
phishing-campaign-intelligencewidely-deployed-product-advisoryidentity-authentication-vulnerability

1Password Adds Copy-Paste Phishing Protection to Warn on Credential Entry to Lookalike Sites

Updated 2d agoFirst seen Jan 27, 20262 sources

1Password introduced a new phishing protection capability aimed at stopping users from entering credentials into fraudulent lookalike sites, particularly when users bypass autofill and instead copy/paste passwords. The feature checks whether the site a user is interacting with matches the saved login’s expected URL; if it does not, 1Password can warn the user before credentials are submitted, adding deliberate friction to reduce “momentary lapse” credential theft.

Reporting highlights that phishing kits and AI-assisted site creation are making realistic fake login pages easier to produce at scale, increasing the likelihood of users being tricked into credential entry. 1Password’s approach is to detect URL mismatches (e.g., typosquatted domains) and present an explicit warning/confirmation step when a user attempts to paste credentials into a site that doesn’t align with the vault record; pairing this with multi-factor authentication (MFA) is recommended to further reduce account takeover risk.

Share:
1Password Adds Copy-Paste Phishing Protection to Warn on Credential Entry to Lookalike Sites
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

2 events from the most recent confirmed update back to the earliest known activity.

2 EVENTS
Jan 26, 20265mo ago

1Password details rollout and admin controls for the new feature

1Password said the protection is planned to be enabled by default for individual and family users when released. For enterprise environments, administrators must turn it on through the Authentication Policy in the 1Password management console.

1Password announces anti-phishing paste/autofill protection

1Password announced a new security layer that checks whether a website’s URL matches the saved login record before allowing autofill or credential pasting. If the domain does not match, the product blocks autofill and shows a warning requiring explicit user confirmation before credentials can be pasted.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

9 LINKEDOpen in app
Affected products
3 linked
1password1passwordWindows 11
Organizations
6 linked
1passwordZiff DavisOktaMeta PlatformsMicrosoft CorporationStripeOLT
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.