Add a verification when identifying that a user types in a matching password on a site domain that is not known to the pass. Example:

User goes to a phishing site asking for a login and types their password -> Pass would see that password hash is the same as what it has in the password vault but domain does not match to any saved URLs -> prompt to verify the site is legit before logging in.