1Phish
1Phish is an evolving, multi-stage phishing kit/campaign targeting 1Password users. Reporting describes its progression from a basic credential-harvesting HTML page (first observed September 2025) into an MFA-aware, anti-analysis phishing framework by February 2026.
High-confidence behaviors and capabilities described:
- Targeting and lures: Uses typosquatted domains impersonating legitimate 1Password login pages; Malwarebytes (Oct 2025) reported breach-themed email lures claiming the recipient’s 1Password account was compromised.
- Credential theft: Early variants posted captured credentials to a /login endpoint.
- MFA/OTP and recovery-code capture: Later versions explicitly collect one-time passcodes (OTPs), via POST /submit-2fa in Version 3 and POST /api/session/{id}/otp in Version 4; Version 4 additionally collects 1Password recovery codes (accepting codes prefixed with “1PRK”).
- Multi-stage workflow and gating: Version 3 introduced a “Security Check - 1Password” pre-validation step that fingerprints the client and posts to /validate; the /validate response returns JSON fields (success, redirect) used to gate access, and sets a validated_user_1pass cookie. Version 4 adds additional access validation and session management via a REST-style backend.
- Fingerprinting and bot filtering: Version 2 introduced browser fingerprinting/bot detection and Cloudflare challenges, including checks for automation artifacts (Selenium, Puppeteer, PhantomJS), plugin enumeration, and WebGL fingerprinting; telemetry was exfiltrated via a clid= query parameter. Version 2 also showed indicators of HideClick cloaking (e.g., hideclick:ignore cookie and an exposed debug page). Version 3 expanded fingerprinting (screen/window metrics, DPR, platform, hardwareConcurrency, deviceMemory, touch points, languages, DNT, timezone, canvas and WebGL/GPU). Version 4 includes JavaScript obfuscation and a bot scoring/suspicion gating system.
- Enterprise/team targeting: Version 4 added a team sign-in flow for custom subdomains (e.g., company.1password.com).
- Internationalization: Version 4 supports 10 languages (de, es, fr, it, ja, ko, nl, pt, ru, en) with auto-detection via URL parameters, localStorage, or navigator.language.
Infrastructure/artifacts and IOCs explicitly mentioned:
- Observed Version 4 domains: signin-1psswoord[.]com and on-pssword[.]com.
- Noted infrastructure patterns: Cloudflare fronting was observed for 10 of 11 domains in the report; one hosting outlier mentioned was 1passwords[.]co.
- Version 4 API endpoints described: POST /api/init-session; GET /api/session/{id}; POST /api/session/{id}/credentials; POST /api/session/{id}/otp; POST /api/session/{id}/recovery; POST /api/session/{id}/region; POST /api/fingerprint; POST /api/validate-access.
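As an added example (not code from the report, from Mallory, or from 1Password), the following Python script hunts for the request shapes described above in web-proxy logs: the refanged IOC domains, hosts whose registrable domain is within two edits of 1password.com, the named kit endpoint paths, and the clid= telemetry parameter. The log line format and every sample line are constructed for the demonstration; the .example lookalike host in the sample is a made-up case showing that the edit-distance check generalizes beyond the listed IOCs, and the v1 /login path is deliberately left out because it fires on almost any web application.

```python
"""Hunt for 1Phish-style requests in web-proxy logs.

Added example, not code from the original report, Mallory or 1Password.
Flags requests whose host is a known or lookalike 1password.com domain, whose
path matches a kit endpoint the report names, or that carry clid= telemetry.
The log format and the sample lines are constructed for this demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

LEGIT = "1password.com"

# Defanged domains from the report, refanged so they match real log lines.
KNOWN_BAD = {"signin-1psswoord.com", "on-pssword.com", "1passwords.co"}

# Fixed endpoint paths named in the report (v1's generic /login is omitted:
# it would match almost any web application).
KIT_PATHS = {
    "/validate": "v3 pre-validation gate",
    "/submit-2fa": "v3 OTP capture",
    "/api/init-session": "v4 session init",
    "/api/fingerprint": "v4 fingerprinting",
    "/api/validate-access": "v4 access validation",
}
# v4 session endpoints embed a session id:
#   /api/session/{id} and /api/session/{id}/{credentials|otp|recovery|region}
SESSION_RE = re.compile(r"^/api/session/[^/]+(?:/(credentials|otp|recovery|region))?$")


def levenshtein(a, b):
    """Edit distance; inputs are short labels, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain cut (last two labels); enough for .com/.co."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host):
    """True when the host is not under 1password.com but a hyphen-separated
    token of its second-level label is within two edits of '1password'."""
    dom = registrable(host)
    if dom == LEGIT:
        return False
    sld = dom.rsplit(".", 1)[0]
    return any(levenshtein(tok, "1password") <= 2 for tok in sld.split("-"))


def classify(url):
    """Return (severity, signals) for one request URL; severity '' means clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    known = registrable(host) in KNOWN_BAD
    host_sig = None
    if known:
        host_sig = "known 1Phish domain"
    elif is_lookalike(host):
        host_sig = "1password.com lookalike host"
    kit_sigs = []
    if parts.path in KIT_PATHS:
        kit_sigs.append(KIT_PATHS[parts.path])
    elif SESSION_RE.match(parts.path):
        kit_sigs.append("v4 session endpoint")
    if "clid" in parse_qs(parts.query):
        kit_sigs.append("clid= telemetry parameter")
    signals = ([host_sig] if host_sig else []) + kit_sigs
    if not signals:
        return "", []
    if known or (host_sig and kit_sigs):
        return "high", signals     # IOC match, or lookalike host plus kit endpoint
    if host_sig:
        return "medium", signals   # lookalike host only: review the domain
    return "low", signals          # kit-shaped path on an otherwise unknown host


def hunt(lines):
    """Parse constructed '<ts> <src> <method> <url> <status>' lines into hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, src, _method, url, _status = fields
        severity, signals = classify(url)
        if severity:
            hits.append({"ts": ts, "src": src, "host": urlsplit(url).hostname,
                         "severity": severity, "signals": signals})
    return hits


# Constructed sample proxy log (the .example host is made up for the demo).
SAMPLE_LOG = """\
2026-02-10T09:14:02Z 10.0.0.12 GET https://signin-1psswoord.com/?clid=8f3a 200
2026-02-10T09:14:09Z 10.0.0.12 POST https://signin-1psswoord.com/api/init-session 200
2026-02-10T09:14:40Z 10.0.0.12 POST https://signin-1psswoord.com/api/session/ab12cd/otp 200
2026-02-10T09:20:11Z 10.0.0.33 GET https://my.1password.com/signin 200
2026-02-10T09:21:00Z 10.0.0.41 POST https://on-pssword.com/validate 200
2026-02-10T09:22:15Z 10.0.0.50 GET https://example.org/docs 200
2026-02-10T09:25:48Z 10.0.0.61 GET https://signin.1passwrd.example/ 200
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit["severity"].upper(), hit["ts"], hit["src"], hit["host"], "; ".join(hit["signals"]))
```

Legitimate team sign-in hosts such as company.1password.com reduce to the registrable domain 1password.com and are never flagged; a "medium" hit is a lookalike domain not yet on the IOC list and is the case worth pivoting on in DNS and certificate-transparency data.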
Assessment notes included in the content:
- The report states it did not observe direct evidence of reverse-proxy infrastructure or automated session hijacking for 1Phish, but assesses that explicit OTP/2FA collection is consistent with real-time authentication attempts or session replay workflows.
- The activity is described as an actively maintained kit with shared artifacts and infrastructure reuse across multiple domains; it is not confirmed whether it is operated by a single actor or distributed as a shared kit/PhaaS.
- 1Password is aware of the campaign and has monitored domains and pursued takedowns of lookalike sites.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic:
- Initial Access: 2 techniques
- Stealth: 2 techniques
- Credential Access: 1 technique
- Discovery: 2 techniques
Recent activity
3 sources tracked across advisories, community write-ups, and news:
- Phishing kit used to target 1Password users, with capabilities including one-time password (OTP) harvesting to defeat MFA.
- A multi-stage phishing kit that evolved from credential harvesting to include pre-phishing fingerprinting/validation, bot filtering via browser fingerprinting, and harvesting of secondary authentication material such as OTPs and recovery codes (notably targeting 1Password users).
- An evolving, operationally mature phishing kit targeting 1Password users. It implements staged credential harvesting (email/secret key/password), adds MFA/OTP capture (and in later versions recovery code capture), and includes anti-analysis/anti-bot measures such as browser fingerprinting, automation-tool detection, Cloudflare challenges, and traffic filtering/cloaking via HideClick. Later versions introduce session management and a REST-style API backend to manage multi-step victim flows and gating/validation decisions.