What is Credential Harvesting?
Credential harvesting is a cyberattack technique in which an attacker collects usernames, passwords, and other authentication data from victims. The harvested credentials are then used to gain unauthorized access to accounts, systems, and sensitive data. It is the primary objective behind most phishing campaigns and one of the most common initial access methods in cyberattacks.
How Credential Harvesting Works
- Phishing emails that link to fake login pages mimicking trusted services (Microsoft 365, Google Workspace, banking portals)
- Man-in-the-middle proxy tools like Evilginx that intercept credentials and session tokens in real time
- Keyloggers and infostealer malware installed through malicious attachments
- Credentials leaked in earlier data breaches, reused against other accounts where the victim chose the same password
- Social engineering over phone or chat to trick employees into revealing passwords
Why Credential Harvesting is a Human Risk Problem
Every credential harvesting attack depends on a human making a mistake: clicking a link, entering a password on a spoofed page, or reusing a password across services. Technical controls like MFA reduce the impact, but attackers have adapted with real-time phishing proxies that capture session tokens alongside credentials. The only way to address the root cause is to reduce the likelihood that employees fall for the social engineering that enables credential theft in the first place.
Credential Harvesting vs. Credential Stuffing
| Technique | Method | Source |
|---|---|---|
| Credential Harvesting | Actively tricking users into revealing credentials | Phishing, fake login pages, social engineering |
| Credential Stuffing | Automated testing of leaked username/password pairs | Data breach databases, dark web marketplaces |
Frequently Asked Questions
How do attackers use fake login pages to harvest credentials?
Attackers send phishing emails linking to spoofed login pages that mimic trusted services like Microsoft 365 or Google Workspace. When users enter their credentials, the attacker captures both username and password before redirecting to the legitimate site so the user doesn't realize they were phished.
What is Evilginx and how does it defeat multi-factor authentication?
Evilginx is a real-time phishing proxy that sits between the victim and the genuine login page and captures both credentials and session tokens as users log in. Even if MFA is enabled, the user completes the MFA step through the proxy, so the attacker captures the resulting valid session token and can use it immediately without needing to bypass MFA, making traditional MFA less effective against credential harvesting.
Why is password reuse so dangerous in credential harvesting attacks?
When attackers harvest credentials from a breach on one service, they test those credentials across multiple platforms (credential stuffing). If an employee reuses their password across work and personal accounts, compromising a personal account gives attackers access to corporate systems too.
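The credential stuffing pattern described in this answer (one source testing many leaked username/password pairs) leaves a recognisable trace in authentication logs: many distinct usernames from one source in a short window, almost all failing, sometimes with one success that marks the account actually compromised. The following is an added detection example, not code from the original page or from any vendor product; the log format and the sample lines are constructed for illustration, and the thresholds (`min_users`, `min_fail_ratio`, `window`) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Hypothetical format: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T10:00:09Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:20Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:31Z src=198.51.100.7 user=alice result=SUCCESS
2024-05-01T10:05:00Z src=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Per source IP, flag a window in which many distinct usernames were tried
    and most attempts failed. Any success inside a flagged window is reported
    as the likely compromised account (assumed thresholds, tune per environment)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = []
    for src, evs in by_src.items():
        for i, (start_ts, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start_ts <= window]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits = sorted(e[2] for e in win if e[3] == "SUCCESS")
                findings.append({"src": src, "distinct_users": len(users),
                                 "attempts": len(win), "failures": fails,
                                 "successes": hits})
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"stuffing from {f['src']}: {f['distinct_users']} users, "
              f"{f['failures']}/{f['attempts']} failed, successes={f['successes']}")
```

On the sample data only `203.0.113.5` is flagged (six usernames, five failures, one success for `frank`); the repeated failures for `alice` from `198.51.100.7` are a single-account pattern (password guessing or a user mistyping) and fall under a different rule. A success inside a flagged window is the signal that matters most: it identifies the account whose reused password was valid, which is the one to reset and investigate first.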
How can organizations reduce credential harvesting attacks?
Implement email security that detects lookalike domains and spoofed login pages, require MFA on all accounts, deploy phishing simulations that test employees' ability to recognize fake login pages, and monitor the dark web for leaked credentials to alert employees if their accounts appear in breach databases.
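The fake login pages described in the first FAQ answer are reached through links whose hostname imitates the trusted service, and the last answer recommends detecting such lookalike domains. The following is an added example, not code from the original page or from any vendor product, of the kind of check an email security filter or SOC triage script performs: it extracts the links from a message, reduces each hostname to its registrable domain, folds common ASCII substitutions (`rn` for `m`, `0` for `o`), and compares the result against a list of protected brand domains using an edit distance that counts a transposition as one edit. The `PROTECTED` list, the substitution table, the sample message and the two-label approximation of the registrable domain are all assumptions; a real deployment would use the Public Suffix List and a maintained brand list.

```python
import re
from urllib.parse import urlsplit

# Assumed list of legitimate login domains the organisation wants to protect.
PROTECTED = ("microsoft.com", "microsoftonline.com", "google.com")

# ASCII substitutions commonly used to imitate a brand label; applied before
# comparison so "rnicrosoft" and "micr0soft" both fold to "microsoft".
_FOLD = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fold(label):
    label = label.lower().replace("-", "")
    for src, dst in _FOLD:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition
    counted as one edit, so 'mircosoft' is distance 1 from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host):
    # Simplification (assumption): the last two labels form the registrable
    # domain. Real code needs the Public Suffix List to handle e.g. "co.uk".
    labels = host.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify_url(url):
    """Return (verdict, host, matched_brand). Verdicts: protected, lookalike,
    brand-in-subdomain, brand-embedded, unrelated, invalid."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", host, None)
    reg, subs = registrable(host)
    if reg in PROTECTED:
        return ("protected", host, reg)
    sld = reg.split(".")[0]
    for brand in PROTECTED:
        blabel = brand.split(".")[0]
        if osa_distance(fold(sld), blabel) <= 1:          # rnicrosoft.com, microsoft.co
            return ("lookalike", host, brand)
        if any(blabel in fold(s) for s in subs):          # login.microsoft.com.evil.example
            return ("brand-in-subdomain", host, brand)
        if blabel in sld or blabel in fold(sld):          # microsoft365-login.com
            return ("brand-embedded", host, brand)
    return ("unrelated", host, None)


def scan_message(text):
    """Return the classification of every link in the message that is not on a
    protected or unrelated domain, i.e. the links worth blocking or alerting on."""
    suspicious = []
    for url in URL_RE.findall(text):
        verdict = classify_url(url.rstrip(".,);"))
        if verdict[0] not in ("protected", "unrelated", "invalid"):
            suspicious.append(verdict)
    return suspicious


# Constructed sample phishing text (not a real message).
SAMPLE_MESSAGE = """\
Your mailbox is almost full. Sign in at https://login.rnicrosoft.com/owa within
24 hours to keep receiving mail. Questions? See https://accounts.google.com/.
"""

if __name__ == "__main__":
    for verdict, host, brand in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict}: {host} imitates {brand}")
```

The order of the checks matters: the exact `PROTECTED` match comes first so genuine links are never flagged, the edit-distance test catches whole-label imitations, and the subdomain test catches the common trick of placing the real brand domain in front of an attacker-controlled registrable domain. Folding digits to letters is deliberately aggressive; it will occasionally turn a benign product name into a false positive, which is the trade-off a filter makes when the cost of a missed fake login page is a harvested credential.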