
Block my.1passvvord.org #1149

Merged
jasongodev merged 2 commits into Phishing-Database:master from jasongodev:jasongodev-patch-1
May 8, 2026

@jasongodev
Contributor

Phishing Domain/URL/IP(s):

my.1passvvord.org
1passvvord.org

Impersonated domain

1password.com

Describe the issue

A phishing email was received with a link to https://my.1passvvord.org/ which redirects to https://my.1passvvord.org/verify. Note the use of a homoglyph attack in the word passvvord (use of double v instead of w).

Screenshot_20260508_141141-1 Screenshot_20260508_141244

Email Headers

Delivered-To: *****@*****.*****
Received: by 2002:a05:622a:4b11:b0:506:f976:af62 with SMTP id et17csp4151503qtb; Thu, 7 May 2026 21:56:04 -0700 (PDT)
X-Received: by 2002:a05:6a21:888d:b0:3a0:bc61:62e1 with SMTP id adf61e73a8af0-3aa5a9b0d0bmr9490002637.30.1778216164686; Thu, 07 May 2026 21:56:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1778216164; cv=none; d=google.com; s=arc-20240605; b=jan2VqbZyIrCQ5YvqtfYv6kr2xcT0lVcoW3UhqV1mzPdK+gI6/uzlfH6eXB8WQUfZz VZTgfCoA/EHv5ZWJDWrXCHF3G5AUvZzkW6BPhd5z5S3rQm0lScKqBJjTTDZ1oO7SVvcU MXQ6h1N/K01ltRvsfZdRCFmhd6MmnLYS5URImKc6SAk3JbcS+bkf73jLD/c2Tcr/sKgg 9VZ+igsiOJS4iz6BPNVoLclM1sE7FtM6gJB1FWca/7utPGuXDs7HKcpEKgShEZJsDIlB N/GtBuxC5gefUbccEAZXnMx3Q+qfugv2fIG1TocXCFVqrVCgv1s6ZfIwo0jwUcNxu74G udBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:priority:list-unsubscribe-post:list-unsubscribe:importance :feedback-id:auto-submitted:subject:message-id:mime-version:from :date:content-transfer-encoding:dkim-signature; bh=9pcU18dEPq0t6OP5Dj4DGwRmIcDf2lNt5KnEWXqVTjE=; fh=A6ThtmARy/0gVbBcK9lUAkXjooUlqX0D/9fjNL0rEV8=; b=QcusqaDyfqfh3cp7H7bPFHzLuZ+kmyo7JE16Iug5tW8af6/YEdWHUa+Htt48boWhDo n58XZ57zbfkZk9soI39Z+kbQKQfZIYhsMInKpimxfdYfKsxHjkPB0NNMYE1s2wBMQzgV //en0ndVv8aKe3lZqZU1A3qt/lwO/05TWUz/vIDjl9/3gU4dBgYYPBRo3HttsfxGaooC DQ39b1LQ142PEAXfZVzjtIDAOPsQlFGj2CmacgqyUsW9LqdOlbRpkdRb4wfXe36cyJ6H 2zlILRMegLLgFceW2YQBe2+X82a+SoWEYUaW77S1pmRBjzJxLXLC9fhNv6Cuazt2ygWx J/JQ==; dara=google.com
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sendgrid.***** header.s=smtpapi header.b=zTDbsKDf; spf=pass (google.com: domain of bounces+8143485-278d-*****=*****.*****@sendgrid.***** designates 149.72.120.62 as permitted sender) smtp.mailfrom="bounces+8143485-278d-*****=*****.*****@sendgrid.*****"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=autopl.*****.hn
Return-Path: <bounces+8143485-278d-*****=*****.*****@sendgrid.*****>
Received: from s.wrqvtvpz.outbound-mail.sendgrid.***** (s.wrqvtvpz.outbound-mail.sendgrid.*****. [149.72.120.62]) by mx.google.com with ESMTPS id 41be03b00d2f7-c82677563f6si1069515a12.230.2026.05.07.21.56.04 for <*****@*****.*****> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 May 2026 21:56:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+8143485-278d-*****=*****.*****@sendgrid.***** designates 149.72.120.62 as permitted sender) client-ip=149.72.120.62;
Authentication-Results: mx.google.com; dkim=pass header.i=@sendgrid.***** header.s=smtpapi header.b=zTDbsKDf; spf=pass (google.com: domain of bounces+8143485-278d-*****=*****.*****@sendgrid.***** designates 149.72.120.62 as permitted sender) smtp.mailfrom="bounces+8143485-278d-*****=*****.*****@sendgrid.*****"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=autopl.*****.hn
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.*****; h=content-transfer-encoding:content-type:date:from:mime-version:subject: list-unsubscribe:list-unsubscribe-post:to:cc:content-type:date:from:subject:to; s=smtpapi; t=1778216162; bh=9pcU18dEPq0t6OP5Dj4DGwRmIcDf2lNt5KnEWXqVTjE=; b=zTDbsKDfdkzQZmhhOhfSylNW8KXGzeGqbgiHXHeQc4zZUIHkfxd192ngRay6GwSSbAks ii4wyFf2XVyxvpZpEJFMsj7ihq+Cek5r9wAGj0agieB9jArDAPPesZUJorMDvWQC0C23yc ajhgR8lwiTrIYOw7VJWgOgkuOON4x+hTU=
Received: by recvd-6575d5864f-zxsqq with SMTP id recvd-6575d5864f-zxsqq-1-69FD6CE2-1A 2026-05-08 04:56:02.47838956 +0000 UTC m=+803901.685830646
Received: from ODE0MzQ4NQ (unknown) by geopod-ismtpd-11 (SG) with HTTP id o60ATKqrRumHZlLAp7uaaA Fri, 08 May 2026 04:56:02.385 +0000 (UTC)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8
Date: Fri, 08 May 2026 04:56:02 +0000 (UTC)
From: OnePassword Live <live@autopl.*****.hn>
Mime-Version: 1.0
Message-ID: <o60ATKqrRumHZlLAp7uaaA@geopod-ismtpd-11>
Subject: Critical Data Breach for *****@*****.*****
Auto-Submitted: auto-generated
Feedback-ID: transactional:onepassword live:autopl.*****.hn
Importance: normal
List-Unsubscribe: <mailto:unsubscribe@autopl.*****.hn>, <https://autopl.*****.hn/unsubscribe?email={EMAIL}>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Priority: normal
X-Auto-Response-Suppress: OOF, AutoReply
X-Entity-Type: transactional
X-Job: send-1778216161
X-Mailer: OnePassword Live-SPEngine/3.1.1 (Internal)
X-Message-Source: onepassword-live-system
X-SG-EID: =?us-ascii?Q?u001=2EoA3IWchkPdyasZLCE0q+Ih+YXjO6DbJWe0CJZaAP8T6eXqpqM6bgs+HP9?= =?us-ascii?Q?Ut=2FEJ1QTKBl=2FJBx63UBVjN+CUsQxjrnvW44=2FB9C?= =?us-ascii?Q?BZkWP2nJCsFS3vNE1+x9+iCwY196T46zh5wTeC+?= =?us-ascii?Q?QHhwxEc7Wn0JQIzR46JkTBxj8R5GJJTl6Kbg6Hx?= =?us-ascii?Q?54G8HiaIcH+J2q3isSdk8wlbJkG73icoPA11imZ?= =?us-ascii?Q?c7xRPAc9L8zlqVc8fbEXSJvgyPwAh0AQ5v3D6tb?= =?us-ascii?Q?Cwfx?=
To: *****@*****.*****
X-Entity-ID: u001.yKJoV9NFXzubrj8bh9quSQ==

Related external source

https://phishtank.org/phish_detail.php?phish_id=9419005
https://phishtank.org/phish_detail.php?phish_id=9419006

jasongodev added 2 commits May 8, 2026 14:29
Signed-off-by: Jason Go <jasongo@jasongo.net>
Signed-off-by: Jason Go <jasongo@jasongo.net>
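
The double-v substitution described in this report can be caught mechanically. As an added example (not part of the pull request or the Phishing-Database project's code), the check below collapses confusable character runs before comparing hostname labels against a protected brand. The confusables table and the function names are constructed for illustration and cover ASCII look-alikes only.

```python
"""Flag hostnames that imitate a protected brand via look-alike character runs."""

# Constructed, non-exhaustive table of visually confusable sequences (assumption).
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"))

# Protected brand domains; 1password.com is the impersonated domain named in this report.
PROTECTED = ("1password.com",)


def skeleton(label: str) -> str:
    """Collapse confusable sequences so look-alike labels map to the same string."""
    out = label.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out


def find_impersonation(hostname: str, protected=PROTECTED):
    """Return the protected domain that `hostname` imitates, or None.

    Every label except the TLD is checked, so the look-alike is caught whether
    it sits in the registrable domain or in a subdomain. Hosts under the
    brand's own domain are treated as genuine. An exact copy of the brand label
    under another domain is out of scope here; only look-alikes are reported.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")[:-1]
    for domain in protected:
        if host == domain or host.endswith("." + domain):
            continue  # genuine brand host
        brand = domain.split(".")[0]
        for label in labels:
            # Compare skeletons of both sides so the table is applied consistently.
            if label != brand and skeleton(label) == skeleton(brand):
                return domain
    return None


if __name__ == "__main__":
    # The first two hostnames are the ones reported above; the rest are constructed.
    for name in ("my.1passvvord.org", "1passvvord.org", "my.1password.com", "example.org"):
        print(name, "->", find_impersonation(name))
```

A production check would also need Unicode confusable mapping and the Public Suffix List to identify the registrable domain.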