1Password introduced a new phishing protection capability aimed at stopping users from entering credentials into fraudulent lookalike sites, particularly when users bypass autofill and instead copy/paste passwords. The feature checks whether the site a user is interacting with matches the saved login’s expected URL; if it does not, 1Password can warn the user before credentials are submitted, adding deliberate friction to reduce “momentary lapse” credential theft.
Reporting highlights that phishing kits and AI-assisted site creation are making realistic fake login pages easier to produce at scale, increasing the likelihood of users being tricked into credential entry. 1Password’s approach is to detect URL mismatches (e.g., typosquatted domains) and present an explicit warning/confirmation step when a user attempts to paste credentials into a site that doesn’t align with the vault record; pairing this with multi-factor authentication (MFA) is recommended to further reduce account takeover risk.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
1Password said the protection is planned to be enabled by default for individual and family users when released. For enterprise environments, administrators must turn it on through the Authentication Policy in the 1Password management console.
1Password announced a new security layer that checks whether a website’s URL matches the saved login record before allowing autofill or credential pasting. If the domain does not match, the product blocks autofill and shows a warning requiring explicit user confirmation before credentials can be pasted.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
zdnet.com
Open sourcesecurityonline.info
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.