Credential Harvesting

What is Credential Harvesting?

Credential harvesting is the process of collecting usernames and passwords through phishing pages, keyloggers, man-in-the-middle attacks, or database breaches for unauthorized access.

What is credential harvesting?

Credential harvesting is the collection of usernames, passwords, and authentication tokens through various attack techniques including phishing websites that mimic legitimate login pages, keyloggers capturing keystrokes, man-in-the-middle attacks intercepting credentials in transit, and exploitation of credential stores on compromised systems.

What are common credential harvesting techniques?

Common techniques include creating convincing phishing login pages for corporate SSO portals, deploying keyloggers through malware, intercepting credentials via rogue Wi-Fi access points, extracting stored credentials from browsers and password managers on compromised systems, scraping credentials from code repositories, and MITM attacks on authentication flows.

How do phishing-based credential harvesters work?

Attackers create replica login pages for services like Microsoft 365, Google Workspace, or corporate VPN portals. Victims are lured to these pages via phishing emails; the pages capture the entered credentials and often relay them to the real service so that authentication appears to succeed normally, leaving the victim unaware that their credentials were stolen.

What is an adversary-in-the-middle credential attack?

Adversary-in-the-middle (AitM) credential attacks use reverse proxy tools like Evilginx to sit between victims and legitimate services, capturing not just passwords but also session tokens and MFA codes in real time. This technique bypasses most MFA implementations because the attacker steals the authenticated session cookie after the victim has completed MFA.

How do you defend against credential harvesting?

Defenses include deploying phishing-resistant MFA (FIDO2, hardware keys), implementing email filtering to block phishing, training users to recognize credential harvesting pages, deploying browser isolation for email links, using credential monitoring services that detect leaked passwords, and implementing conditional access policies for suspicious authentications.

What is phishing-resistant MFA?

Phishing-resistant MFA uses cryptographic methods (FIDO2/WebAuthn hardware keys or passkeys) that bind each authentication to the legitimate domain, so the response is useless to a phishing site. Unlike SMS or TOTP codes, which can be relayed by AitM attacks, phishing-resistant MFA prevents credential harvesting even when users interact with fake login pages.
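The domain binding described above is enforced by the relying party when it checks the WebAuthn assertion. The following Python is an added example written for this page, not code from the page or from any FIDO2 library: it constructs the clientDataJSON and authenticatorData a browser and authenticator would produce, then applies the origin and RP ID checks that make the response worthless on a lookalike domain. The RP ID `login.example.com`, the origin `https://login.example.com`, and the lookalike `https://login-example.com` are assumed values, and signature verification over the signed data is deliberately left out so the binding logic stands alone.

```python
import hashlib
import json
import struct

# Assumed values for this example: the relying party's registered RP ID and the
# exact origin its legitimate login page is served from.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"

FLAG_USER_PRESENT = 0x01   # authenticatorData flags, bit 0 (UP)
FLAG_USER_VERIFIED = 0x04  # bit 2 (UV)


def make_client_data_json(origin: str, challenge: str) -> bytes:
    """Construct the clientDataJSON a browser produces for an assertion.
    The browser fills in the origin itself; page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str,
                            flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED,
                            sign_count: int = 1) -> bytes:
    """Construct authenticatorData: sha256(rpId) || flags || 32-bit sign counter."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str) -> tuple:
    """Return (ok, reason) after the relying-party checks that bind the
    assertion to the legitimate origin and RP ID. Signature verification over
    authenticatorData || sha256(clientDataJSON) is omitted in this example;
    a real deployment must perform it with the credential's public key."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The origin is written by the browser; a phishing page on another host
    # cannot produce a clientDataJSON that claims the legitimate origin.
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # The authenticator hashes the RP ID it was invoked for; a lookalike
    # domain yields a different hash, so a relayed assertion fails here too.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"  # constructed base64url challenge
    legit = make_client_data_json(RP_ORIGIN, challenge)
    lookalike = make_client_data_json("https://login-example.com", challenge)
    auth = make_authenticator_data(RP_ID)
    print(verify_assertion_binding(legit, auth, challenge))      # (True, 'ok')
    print(verify_assertion_binding(lookalike, auth, challenge))  # origin mismatch
```

The second print shows why an AitM proxy gains nothing from a FIDO2 login: the browser stamps the proxy's own origin into clientDataJSON, and the authenticator hashes the RP ID of the site the user is actually on, so the relying party rejects the relayed assertion even though the user did everything the fake page asked.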

How does credential harvesting relate to penetration testing?

Penetration testers conduct controlled credential harvesting using phishing simulations with custom login pages to test email filtering, user awareness, and MFA enforcement. The results demonstrate the real risk of credential theft, measure what percentage of employees submit credentials to fake pages, and validate whether MFA prevents account compromise.

What should organizations do about harvested credentials?

Organizations should monitor breach databases and dark web marketplaces for leaked credentials, enforce password resets when credentials are detected in breaches, implement credential screening that blocks known-breached passwords, deploy MFA to reduce the impact of harvested credentials, and audit authentication logs for suspicious access using stolen credentials.
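The last two defenses listed here, conditional access for suspicious authentications and auditing authentication logs for use of stolen credentials, can be combined into a small detection rule. The Python below is an added example for this page, not the page's own code or any vendor's product: it reads a constructed JSON-lines authentication log, builds each user's baseline of usual sign-in countries from successful logins before a cutoff date, and raises an alert when a successful login comes from a new country, skips MFA, or belongs to an account whose credentials were reported in a breach feed and not yet reset. All log entries, the breach feed, the cutoff date and the severity-to-action mapping are assumptions made up for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed breach feed (hypothetical): account -> date the leak was reported.
BREACHED_CREDENTIALS = {
    "alice@example.com": datetime(2024, 5, 1, tzinfo=timezone.utc),
}

# Successful logins before this point form each user's usual-country baseline.
BASELINE_CUTOFF = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed sample authentication log in JSON lines; not real data.
SAMPLE_LOG = """\
{"ts": "2024-04-20T09:00:00+00:00", "user": "alice@example.com", "result": "success", "country": "US", "mfa": true}
{"ts": "2024-04-22T08:15:00+00:00", "user": "bob@example.com", "result": "success", "country": "DE", "mfa": true}
{"ts": "2024-04-25T09:05:00+00:00", "user": "alice@example.com", "result": "success", "country": "US", "mfa": true}
{"ts": "2024-05-03T02:40:00+00:00", "user": "alice@example.com", "result": "success", "country": "RO", "mfa": false}
{"ts": "2024-05-04T11:00:00+00:00", "user": "bob@example.com", "result": "success", "country": "BR", "mfa": true}
{"ts": "2024-05-04T11:30:00+00:00", "user": "bob@example.com", "result": "failure", "country": "BR", "mfa": false}
{"ts": "2024-05-05T09:00:00+00:00", "user": "alice@example.com", "result": "success", "country": "US", "mfa": true}
"""

# Assumed policy: what conditional access should do for each severity.
ACTIONS = {"high": "block_and_force_reset", "medium": "step_up_mfa_and_review"}


def parse_events(text: str) -> list:
    """Parse JSON-lines log text into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events: list, cutoff: datetime) -> dict:
    """Map each user to the set of countries seen in successful logins before cutoff."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["ts"] < cutoff:
            baseline[ev["user"]].add(ev["country"])
    return baseline


def score_event(ev: dict, baseline: dict, breached: dict) -> dict:
    """Return an alert dict for a suspicious successful login, or None."""
    if ev["result"] != "success":
        return None  # failed attempts are handled by lockout/rate rules, not here
    reasons = []
    if ev["country"] not in baseline.get(ev["user"], set()):
        reasons.append("new_country")
    if not ev["mfa"]:
        reasons.append("no_mfa")
    reported = breached.get(ev["user"])
    if reported is not None and ev["ts"] >= reported:
        # Any success after the leak was reported is suspect until the password is reset.
        reasons.append("known_breached_credential")
    if not reasons:
        return None
    high = "known_breached_credential" in reasons or (
        "new_country" in reasons and "no_mfa" in reasons)
    severity = "high" if high else "medium"
    return {"ts": ev["ts"].isoformat(), "user": ev["user"], "country": ev["country"],
            "reasons": reasons, "severity": severity, "action": ACTIONS[severity]}


def analyze(log_text: str) -> list:
    """Run the rule over a log and return the list of alerts in log order."""
    events = parse_events(log_text)
    baseline = build_baseline(events, BASELINE_CUTOFF)
    alerts = []
    for ev in events:
        alert = score_event(ev, baseline, BREACHED_CREDENTIALS)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"], a["user"], a["country"], a["reasons"], "->", a["action"])
```

Running it on the sample produces three alerts: alice's 03 May login from a new country without MFA after her credentials leaked (high), bob's 04 May login from a new country with MFA (medium, step-up and review), and alice's otherwise normal 05 May login, which still rates high because the leaked password has not been reset. That last case is the point of pairing breach monitoring with log review: a login that looks routine is not trustworthy while a known-leaked credential remains valid.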
