
1Phish

1Phish is an evolving, multi-stage phishing kit/campaign targeting 1Password users. Reporting describes its progression from a basic credential-harvesting HTML page (first observed September 2025) into an MFA-aware, anti-analysis phishing framework by February 2026.

High-confidence behaviors and capabilities described:

  • Targeting and lures: Uses typosquatted domains impersonating legitimate 1Password login pages; Malwarebytes (Oct 2025) reported breach-themed email lures claiming the recipient’s 1Password account was compromised.
  • Credential theft: Early variants posted captured credentials to a /login endpoint.
  • MFA/OTP and recovery-code capture: Later versions explicitly collect one-time passcodes (OTPs) (e.g., POST /submit-2fa in Version 3; POST /api/session/{id}/otp in Version 4) and, in Version 4, collect 1Password recovery codes (accepting codes prefixed with “1PRK”).
  • Multi-stage workflow and gating: Version 3 introduced a “Security Check - 1Password” pre-validation step that fingerprints the client and posts to /validate; the /validate response returns JSON fields (success, redirect) used to gate access, and sets a validated_user_1pass cookie. Version 4 adds additional access validation and session management via a REST-style backend.
  • Fingerprinting and bot filtering: Version 2 introduced browser fingerprinting/bot detection and Cloudflare challenges, including checks for automation artifacts (Selenium, Puppeteer, PhantomJS), plugin enumeration, and WebGL fingerprinting; telemetry was exfiltrated via a clid= query parameter. Version 2 also showed indicators of HideClick cloaking (e.g., hideclick:ignore cookie and an exposed debug page). Version 3 expanded fingerprinting (screen/window metrics, DPR, platform, hardwareConcurrency, deviceMemory, touch points, languages, DNT, timezone, canvas and WebGL/GPU). Version 4 includes JavaScript obfuscation and a bot scoring/suspicion gating system.
  • Enterprise/team targeting: Version 4 added a team sign-in flow for custom subdomains (e.g., company.1password.com).
  • Internationalization: Version 4 supports 10 languages (de, es, fr, it, ja, ko, nl, pt, ru, en) with auto-detection via URL parameters, localStorage, or navigator.language.

Infrastructure/artifacts and IOCs explicitly mentioned:

  • Observed Version 4 domains: signin-1psswoord[.]com and on-pssword[.]com.
  • Noted infrastructure patterns: Cloudflare fronting was observed for 10 of 11 domains in the report; one hosting outlier mentioned was 1passwords[.]co.
  • Version 4 API endpoints described: POST /api/init-session; GET /api/session/{id}; POST /api/session/{id}/credentials; POST /api/session/{id}/otp; POST /api/session/{id}/recovery; POST /api/session/{id}/region; POST /api/fingerprint; POST /api/validate-access.
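
As an added hunting example (not code from the report or from Mallory), the Python below scans constructed proxy log lines for the indicators described above: near-miss spellings of 1password.com, the Version 3 and Version 4 endpoint paths, the clid telemetry parameter, and the validated_user_1pass and hideclick:ignore cookies. The log format, the single-domain allow-list and the edit-distance threshold are assumptions made for the example.

```python
import re

# Constructed proxy log lines (not from the report): "time client method host url status cookies"
SAMPLE_LOG = [
    "2026-02-10T09:12:01Z 10.0.4.15 GET my.1password.com /signin 200 -",
    "2026-02-10T09:13:47Z 10.0.4.22 POST signin-1psswoord.com /validate 200 validated_user_1pass=1",
    "2026-02-10T09:14:02Z 10.0.4.22 POST signin-1psswoord.com /api/session/ab12/otp 200 validated_user_1pass=1",
    "2026-02-10T09:15:10Z 10.0.4.31 GET on-pssword.com /?clid=7f3a 200 hideclick:ignore=1",
    "2026-02-10T09:16:00Z 10.0.4.40 GET example.com /api/session/zz/otp 404 -",
]
# Endpoint paths the report attributes to Version 3 and Version 4 of the kit.
KIT_PATHS = re.compile(
    r"^/(validate|submit-2fa|api/(init-session|fingerprint|validate-access)"
    r"|api/session/[^/]+/(credentials|otp|recovery|region))$"
)
KIT_COOKIES = ("validated_user_1pass", "hideclick:ignore")  # cookie names from the report
LEGIT_DOMAIN = "1password.com"  # assumed allow-list; add the regional domains your org uses
MAX_EDITS = 2  # assumed typosquat threshold; tune it against your own false-positive rate

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str) -> bool:
    """True when a hyphen-separated token of the registrable label is a near-miss of the brand."""
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    registrable = host.split(".")[-2:][0]  # label left of the TLD, e.g. "on-pssword"
    return any(levenshtein(tok, ref) <= MAX_EDITS
               for tok in registrable.split("-") for ref in ("1password", "password"))

def hunt(line: str) -> list[str]:
    """Return the indicators one log line shares with the kit behaviours described above."""
    _ts, _client, _method, host, url, _status, cookies = line.split(" ", 6)
    path, _, query = url.partition("?")
    reasons = []
    if is_lookalike(host):
        reasons.append(f"lookalike host {host}")
    if KIT_PATHS.match(path):  # a kit path alone is weak evidence; pair it with the host
        reasons.append(f"kit endpoint {path}")
    if any(p.split("=")[0] == "clid" for p in query.split("&")):  # Version 2 telemetry
        reasons.append("clid telemetry parameter")
    reasons += [f"kit cookie {c}" for c in KIT_COOKIES if c in cookies]
    return reasons
```

Lines where a lookalike host coincides with a kit endpoint or cookie are the ones worth paging on; a kit path on an unrelated host, as in the last sample line, is weak on its own.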

Assessment notes included in the content:

  • The report states it did not observe direct evidence of reverse-proxy infrastructure or automated session hijacking for 1Phish, but assesses that explicit OTP/2FA collection is consistent with real-time authentication attempts or session replay workflows.
  • The activity is described as an actively maintained kit with shared artifacts and infrastructure reuse across multiple domains; it is not confirmed whether it is operated by a single actor or distributed as a shared kit/PhaaS.
  • 1Password is aware of the campaign and has monitored domains and pursued takedowns of lookalike sites.

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 1)

“Datadog team looks at 1Phish… targeting 1Password users… staged credential harvesting, and MFA support…”

T1566.002 Spearphishing Link (evidence: 2)

“breach-themed email lures… directed victims to typosquatted domains impersonating legitimate 1Password login pages… capturing usernames and passwords through… phishing forms.”

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“Partial JavaScript obfuscation… Version 4… JavaScript obfuscation… suppresses console output and locks the page if analysis tools are detected.”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

“Anti-automation and browser fingerprinting logic… Cloudflare challenges… using the service HideClick to manage their bot detection and filtering… serving a harmless ‘white page’ to investigators while delivering the actual content to verified victims.”

Credential Access

1 technique
T1111 Multi-Factor Authentication Interception (evidence: 1)

“Dedicated support for capturing one-time passcodes (OTPs)… If the backend responds with data.step === '2fa'… dynamically replaces the form with a 2FA input… POST to /submit-2fa.”

Discovery

2 techniques
T1082 System Information Discovery (evidence: 1)

“fingerprint the client and send that data to a validation endpoint… collects… screen… platform… hardwareConcurrency… deviceMemory… languages… canvasHash… WebGL/GPU… plugin enumeration… POST request to /validate… /api/fingerprint… /api/validate-access.”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

“Anti-automation and browser fingerprinting logic… Cloudflare challenges… using the service HideClick to manage their bot detection and filtering… serving a harmless ‘white page’ to investigators while delivering the actual content to verified victims.”
