Credential Harvesting Attack Technique — Theft of Authentication Credentials
Technical explanation of credential harvesting, an attack technique used by threat actors to steal authentication credentials and gain unauthorized access to systems and networks.
Credential harvesting is an attack technique used by threat actors to obtain authentication credentials such as usernames, passwords, and session tokens. By acquiring valid credentials, attackers can access systems and services while appearing to be legitimate users.
Because many security systems rely on authentication to control access, stolen credentials can allow attackers to bypass traditional defensive controls and move through enterprise environments without immediately triggering security alerts.
Credential harvesting is commonly used as an initial access technique in intrusion campaigns and ransomware operations.
Technique Overview
| Field | Value |
|---|---|
| Technique | Credential Harvesting |
| Category | Credential Theft |
| Primary Purpose | Unauthorized Access |
| Common Targets | User authentication systems |
| Typical Outcome | Account compromise |
How Credential Harvesting Works
Credential harvesting campaigns typically attempt to trick users into revealing authentication information or capture credentials directly from compromised systems.
Attackers may use techniques such as:
- redirecting victims to fraudulent login portals
- capturing credentials through phishing campaigns
- extracting stored credentials from infected systems
- intercepting authentication tokens or session information
Once credentials are obtained, attackers can attempt to log in to enterprise systems and expand their access across the network.
Credential harvesting is frequently combined with social engineering attacks such as phishing.
Common Credential Harvesting Methods
Threat actors use multiple techniques to collect authentication credentials.
Common methods include:
- fake login portals designed to mimic legitimate authentication systems
- malicious email campaigns directing victims to credential capture pages
- malware designed to extract stored credentials from infected systems
- session token theft allowing attackers to hijack active sessions
Credential harvesting techniques are commonly observed in intrusion campaigns attributed to groups such as Scattered Spider and financially motivated cybercrime operations.
Detection Considerations
Security teams monitoring authentication systems should watch for patterns that may indicate credential harvesting activity.
Indicators may include:
- repeated authentication attempts from unusual locations
- unexpected login activity across multiple systems
- suspicious access to authentication infrastructure
- unusual account behavior following credential use
Security Information and Event Management (SIEM) systems, which correlate authentication logs across systems, and Endpoint Detection and Response (EDR) tools, which observe activity on the hosts themselves, can both help identify suspicious authentication activity.
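As an added illustration (this code is not from the original page), the following Python script scans a handful of constructed authentication log lines for three of the indicators listed above: a successful login from a country outside an account's usual set, one account reaching an unusually large number of systems inside a short window, and a burst of failed attempts from a single source. The log format, the field names, the per-account baseline of expected countries and the thresholds are all assumptions chosen for the example; a real deployment would take them from the SIEM's own schema and from observed baselines.

```python
"""Added example (not from the original page): flag credential-harvesting
indicators in authentication events. Log format, thresholds and the
per-account country baseline are assumptions made for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> user=<name> src_country=<CC> host=<system> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-01T09:00:12Z user=alice src_country=US host=vpn-gw result=ok
2024-05-01T09:05:40Z user=alice src_country=US host=mail result=ok
2024-05-01T09:07:03Z user=bob src_country=US host=vpn-gw result=ok
2024-05-01T09:10:00Z user=carol src_country=BR host=vpn-gw result=fail
2024-05-01T09:10:05Z user=carol src_country=BR host=vpn-gw result=fail
2024-05-01T09:10:09Z user=carol src_country=BR host=vpn-gw result=fail
2024-05-01T09:10:14Z user=carol src_country=BR host=vpn-gw result=fail
2024-05-01T09:20:15Z user=alice src_country=RO host=vpn-gw result=ok
2024-05-01T09:21:02Z user=alice src_country=RO host=fileshare result=ok
2024-05-01T09:21:30Z user=alice src_country=RO host=hr-portal result=ok
2024-05-01T09:22:11Z user=alice src_country=RO host=finance-db result=ok
2024-05-01T09:30:00Z user=bob src_country=US host=mail result=ok
"""

# Assumed baseline: the countries each account normally authenticates from.
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    country: str
    host: str
    result: str


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp key=value ...' log line into an AuthEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, kv["user"], kv["src_country"], kv["host"], kv["result"])


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_alerts(events, expected=EXPECTED_COUNTRIES, window=timedelta(minutes=30),
                max_hosts=3, max_fails=3):
    """Return (user, indicator, detail) tuples for each indicator that fires."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        ok = [e for e in evs if e.result == "ok"]

        # Indicator 1: successful login from a country outside the baseline.
        foreign = sorted({e.country for e in ok} - expected.get(user, set()))
        if foreign:
            alerts.append((user, "unusual_location", ",".join(foreign)))

        # Indicator 2: logins to more than max_hosts distinct systems in one window.
        for i, start in enumerate(ok):
            hosts = {e.host for e in ok[i:] if e.ts - start.ts <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, "multi_system_access", ",".join(sorted(hosts))))
                break

        # Indicator 3: more than max_fails failures from one country in one window.
        fails = [e for e in evs if e.result == "fail"]
        for i, start in enumerate(fails):
            burst = Counter(e.country for e in fails[i:] if e.ts - start.ts <= window)
            country, n = burst.most_common(1)[0]
            if n > max_fails:
                alerts.append((user, "repeated_failures", f"{country}:{n}"))
                break
    return alerts


def scan(text: str = SAMPLE_LOG) -> list:
    return find_alerts(parse_log(text))


if __name__ == "__main__":
    for user, indicator, detail in scan():
        print(f"{user:8} {indicator:22} {detail}")
```

Run as-is, the script reports alice for both the foreign login and the fan-out to five systems, and carol for the burst of failures; bob, whose activity matches the baseline, produces nothing. The sliding-window logic is deliberately simple (every event is tried as a window start) so that the thresholds are easy to reason about when tuning them against real volumes.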
Mitigation Strategies
Organizations can reduce exposure to credential harvesting attacks by implementing multiple defensive controls.
Recommended practices include:
- enforcing multi-factor authentication for sensitive systems
- monitoring authentication logs for suspicious activity
- restricting access to authentication infrastructure
- educating employees about social engineering attacks
- implementing phishing detection mechanisms
These measures help reduce the likelihood that stolen credentials will lead to unauthorized access.
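One of the "phishing detection mechanisms" named above is a check on where a login page actually lives, since the fake portals described earlier work by resembling the real authentication hosts. The following Python module is an added example, not code from the original page: it compares a URL's hostname against an assumed allowlist of an organization's real login hosts, folding commonly substituted glyphs and digraphs (digit 1 for l, rn for m, Cyrillic letters for Latin ones) and measuring edit distance so that near-misses are reported as lookalikes. The allowlist, the confusable table and the "last two labels" notion of a registrable domain are all simplifications made for the example.

```python
"""Added example (not from the original page): classify a URL's host against
an assumed allowlist of legitimate login portals, catching lookalike hosts
built from confusable characters, single typos, or the real name buried in
an unrelated domain."""
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist of the organization's real authentication hosts (constructed).
LEGITIMATE_LOGIN_HOSTS = {"login.example.com", "sso.example.com"}

# Glyphs and digraphs commonly substituted for Latin letters in imitation hostnames.
# Folding them before comparison turns a visual imitation into a string match.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i", "\u00e4": "a", "\u00f6": "o", "\u00fc": "u",
}


def fold(host: str) -> str:
    """Lower-case, decode IDNA (xn--) labels, normalize, and replace confusables."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already contains Unicode (or is not valid IDNA); keep it as-is
    host = unicodedata.normalize("NFKC", host)
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


FOLDED_LEGIT = {fold(h) for h in LEGITIMATE_LOGIN_HOSTS}


def registrable(host: str) -> str:
    # Assumption for the example: the registrable domain is the last two labels.
    # A real check would consult the public suffix list (co.uk and similar).
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url: str) -> str:
    """Return allowed, same_domain, lookalike, brand_in_subdomain, or unrelated."""
    host = urlsplit(url).hostname or ""
    legit_domains = {registrable(h) for h in FOLDED_LEGIT}
    if host in LEGITIMATE_LOGIN_HOSTS:
        return "allowed"
    if registrable(host) in legit_domains:
        return "same_domain"            # another host under the real domain, not a portal
    folded = fold(host)
    if folded in FOLDED_LEGIT:
        return "lookalike"              # identical once confusable glyphs are folded
    if any(edit_distance(registrable(folded), d) <= 1 for d in legit_domains):
        return "lookalike"              # one edit away from the real domain
    if any(d in folded for d in legit_domains):
        return "brand_in_subdomain"     # real name used as a subdomain elsewhere
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://login.example.com/auth", "https://login.examp1e.com/",
              "https://sso.exarnple.com/", "https://login.example.com.account-verify.net/"):
        print(f"{classify_login_url(u):20} {u}")
```

The `same_domain` branch exists so that ordinary hosts under the real domain (a mail server, for instance) are not reported as lookalikes merely because they share the registrable domain; the raw host is checked against the domain before any folding, so a Cyrillic imitation of that domain still falls through to the lookalike checks.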
Security Implications
Credential harvesting represents a major security risk because attackers who obtain valid credentials can often access systems without triggering immediate security alerts. Once inside an environment, attackers may conduct further reconnaissance, escalate privileges, or deploy additional attack techniques.
Understanding how credential harvesting works helps organizations detect suspicious authentication activity and strengthen defenses against account compromise.