DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


Credential Harvesting

The theft of usernames and passwords through fake login pages, keyloggers, or other deceptive methods designed to capture authentication credentials.

Definition

Credential harvesting is an attack technique in which threat actors collect valid authentication credentials — usernames, passwords, session tokens, or multi-factor authentication codes — from victims without their knowledge. The goal is to gain unauthorized access to accounts, systems, or networks using stolen credentials rather than exploiting technical vulnerabilities.

Why It Matters

Stolen credentials consistently rank among the most common initial access vectors in breach reports. Valid credentials bypass perimeter defenses entirely, let attackers blend in with normal user activity, and often open lateral movement paths across cloud services, VPNs, and internal systems. Credential harvesting is the foundation of account takeover (ATO), business email compromise (BEC) fraud, and many ransomware deployment campaigns.

How It Works

The most prevalent method is the fake login page: a phishing email directs the victim to a cloned replica of a legitimate service (Microsoft 365, Google Workspace, a banking portal) where the submitted credentials are captured and forwarded to the attacker. Other methods include keylogger malware installed on the endpoint, adversary-in-the-middle (AiTM) proxies that relay the victim's real authentication session to the legitimate service and capture the credentials plus the authenticated session cookie issued after MFA completes (so a one-time code offers little protection), and infostealers that extract saved credentials from browsers and password managers. Attackers frequently use URL redirect chains and link shorteners to obscure the final destination, so the URL in the email rarely matches the page that eventually loads.
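As an added illustration (not code from DFIR Lab or its platform), the Python script below shows how a triage tool can unwind a redirect chain to its final destination and then flag two tell-tale traits of a cloned login page: a hostname that imitates a brand without belonging to that brand's domains, and a password form that posts to a different host (or over plain HTTP). The redirect map, brand-domain table, and HTML pages are constructed sample data; the registrable-domain and digit-for-letter handling are deliberately simplified stand-ins for a Public Suffix List lookup and a proper homoglyph normalizer.

```python
"""Triage helper for suspected credential-harvesting pages (added example).

Two steps mirror the analysis described above:
  1. follow_redirects()      - resolve shortener/redirector hops to the landing URL
  2. analyze_landing_page()  - inspect the landing page for fake-login indicators
All URLs, domains and HTML here are constructed sample data, not captured traffic.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed redirect chain: shortener -> tracking redirector -> landing page.
# In a live tool this map would be replaced by HEAD/GET requests that do not
# follow Location headers automatically, so every hop is recorded.
REDIRECTS = {
    "https://short.example/abc": "https://track.example/r?u=https://login-m1crosoft.example/auth",
    "https://track.example/r?u=https://login-m1crosoft.example/auth": "https://login-m1crosoft.example/auth",
}

# Brands commonly cloned, mapped to registrable domains they legitimately use
# (assumed list for the example; a real tool would maintain a fuller table).
LEGIT_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "google": {"google.com"},
}

# Constructed landing page: the password form posts to a third-party collector.
SAMPLE_HTML = """
<html><body>
<form action="http://collect.example/post.php" method="post">
  <input name="email" type="text">
  <input name="passwd" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed benign page: same-origin HTTPS login form.
BENIGN_HTML = """
<html><body>
<form action="/auth" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
</form>
</body></html>
"""


def follow_redirects(url, redirects=REDIRECTS, max_hops=10):
    """Return the list of URLs visited (final URL last); raise on loops or hop cap."""
    chain = [url]
    while url in redirects:
        url = redirects[url]
        if url in chain:
            raise ValueError(f"redirect loop at {url}")
        chain.append(url)
        if len(chain) > max_hops:
            raise ValueError("redirect chain exceeds hop cap")
    return chain


class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def registrable_domain(host):
    """Naive last-two-labels approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_landing_page(page_url, html):
    """Return a list of human-readable indicators; empty means nothing flagged."""
    findings = []
    page_host = (urlsplit(page_url).hostname or "").lower()
    page_dom = registrable_domain(page_host)

    # Brand impersonation: brand name appears in the hostname (after undoing the
    # common 1->i / 0->o substitutions) but the domain is not a legitimate one.
    normalized = page_host.replace("1", "i").replace("0", "o")
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in normalized and page_dom not in legit:
            findings.append(f"hostname {page_host} imitates {brand} but is not a {brand} domain")

    scanner = _FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        if not form["password"]:
            continue  # only forms that collect a password matter here
        action = urljoin(page_url, form["action"] or page_url)
        parts = urlsplit(action)
        action_host = (parts.hostname or "").lower()
        if registrable_domain(action_host) != page_dom:
            findings.append(f"password form posts to third-party host {action_host}")
        if parts.scheme != "https":
            findings.append(f"password form posts over {parts.scheme}")
    return findings


def triage(start_url, html, redirects=REDIRECTS):
    """Resolve the chain, then analyze the final landing page."""
    chain = follow_redirects(start_url, redirects)
    return chain, analyze_landing_page(chain[-1], html)


if __name__ == "__main__":
    chain, findings = triage("https://short.example/abc", SAMPLE_HTML)
    print(" -> ".join(chain))
    for f in findings:
        print("  !", f)
```

The hop cap and loop check matter in practice: redirect chains built to defeat scanners sometimes loop or branch on User-Agent, so a tool that blindly follows Location headers can hang or end up analysing a decoy page. Recording every hop also preserves the intermediate redirector, which is often the reusable indicator across a campaign.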

DFIR Platform

The DFIR Lab Phishing Email Checker identifies credential harvesting attempts by analyzing embedded URLs for known phishing patterns, following multi-stage redirect chains to their final destination, and checking landing pages against phishing databases including PhishTank and Google Safe Browsing.

Related Concepts

Phishing Analysis
Spear Phishing
QR Phishing (Quishing)
Link-Display Mismatch
