Phishing attacks
Phishing remains the most prevalent method for credential harvesting. Attackers craft convincing emails that appear to originate from legitimate sources such as banks, social media platforms, employers, or trusted services. These emails contain urgent messages designed to provoke anxiety or create a false sense of urgency: "Your account has been compromised," "Verify your identity immediately," or "Unusual login detected."
The emails contain links to fraudulent websites that closely mimic legitimate login pages. When victims enter their credentials on these fake sites, the information is immediately captured by the attackers. According to Security Magazine, healthcare and finance are the top targeted industries, likely due to the sensitive information those organizations hold. Healthcare data, bank account information and personally identifiable information (PII) are all desirable targets for threat actors looking for large ransomware payouts.
A research article titled "Threats Hidden in Office Network: Mechanism of Credential Harvesting for Lateral Movement" highlights that "malicious files are often sent as attachments in phishing emails." The research article identifies specific file types that can trigger automatic credential leaks, including "HTML files, PDF, Windows media player, Microsoft Office files." These files work by initiatively requesting "resources embedded in the Universal Naming Convention (UNC) path through the SMB protocol once the user opens the file," allowing attackers to capture authentication credentials without the victim's awareness.
Spear phishing
A more targeted approach, spear phishing involves personalized attacks directed at specific individuals or organizations. Attackers research their victims, gathering information from social media, corporate websites, and public records. This research enables them to create convincing messages that reference specific projects, colleagues, or organizational details.
In his article "Credential Harvesting: Understanding and Combating the Threat," Matt Rider notes that social media platforms such as LinkedIn are being targeted by cybercriminals looking to steal information. Additionally, there are cases of direct approaches being made to employees, who are offered money in return for their credentials or to approve an MFA request.
Malicious websites and fake login portals
Beyond email-based phishing, attackers create standalone fraudulent websites designed to harvest credentials. The U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) refers to these as pharming or watering hole attacks: webpages designed to look legitimate, complete with username and password login prompts. When victims enter their credentials, they are often presented with a message that the site is temporarily down, while their credentials have been secretly recorded by the threat actor.
These might include fake login pages for popular services, counterfeit registration forms, or compromised legitimate websites that have been modified to capture login attempts. Some attackers even purchase domain names that closely resemble legitimate brands through typosquatting, registering domains like "amaz0n.com" or "g00gle.com" to catch users who make typing errors.
The research article reveals a vulnerability in how compressed files handle security markers. When malicious Office documents are compressed and then extracted, certain decompression methods fail to preserve security warnings. Specifically, the research article found that with popular extraction software like 7zip, "modes such as 'Extract All' were not secure which could cause the NTLM leak once the office file is opened." This bypasses Microsoft Office's Protected View security feature, allowing credential harvesting to occur silently when users open what appear to be legitimate documents.
QR code phishing
According to Security Magazine, there was a 331% increase in QR code active threat reports in 2023. These attacks exploit the convenience of QR codes by directing users to malicious websites that harvest credentials. QR codes at events, parking meters, or other locations with unclear destinations pose risks, especially when scanned on company devices.
MFA fatigue attacks
Rider explains that tactics such as Multi-Factor Authentication (MFA) fatigue mean that "users can literally be pestered into handing over their login details." In these attacks, threat actors repeatedly trigger MFA notifications until frustrated users approve the request just to stop the barrage of alerts.
Keylogging and malware
More technically sophisticated approaches involve malware that records keystrokes or captures screenshots as users type their credentials. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) notes that keylogging malware records users' keystrokes, including usernames and passwords. These keyloggers can be delivered through malicious email attachments, infected software downloads, or compromised websites. Once installed, they silently monitor user activity and transmit captured credentials back to the attackers.
Brute force attacks
According to the NJCCIC, brute force attacks use automation to identify the correct combination of usernames and commonly used passwords. In 2024, Cisco warned of brute-force password spray attacks related to reconnaissance efforts directed at remote access virtual private networks (VPNs) from Cisco and third-party providers connected to Cisco firewalls. Almost a month later, Cisco warned of large-scale, global credential brute-force attacks conducted against VPN, Secure Shell (SSH), and web application services across all geographical regions and industries. According to the NJCCIC, if attacks are successful, organizations may experience account lockouts, unauthorized network access, and denial of service.
Man-in-the-middle attacks
In these attacks, cybercriminals position themselves between a user and a legitimate service, intercepting communications as they pass through. The NJCCIC explains that in man-in-the-middle (MITM) attacks, threat actors intercept communications between two parties to capture login account credentials. According to HC3, these attacks capture user credentials while they are being transmitted for legitimate purposes as part of a valid login attempt. This can occur on compromised networks, particularly unsecured public Wi-Fi hotspots, where attackers can capture login credentials as they're transmitted.
Credential stuffing
Credential stuffing represents a particularly insidious technique that exploits password reuse. The HC3 report explains that when malicious actors obtain exposed credentials from data breaches, often posted publicly or bought and sold on the dark web, they use these same credentials in attempting to compromise other accounts associated with the same individual. The NJCCIC notes that in credential stuffing attacks, threat actors use credentials obtained in data breaches to access other accounts utilizing the same username/password combinations.
The NJCCIC emphasizes that although convenient to users, password reuse across multiple accounts is a risky behavior that can result in account compromises. This attack is predicated on the tendency of individuals to reuse the same passwords across many platforms due to the inability to memorize many different passwords.
As Rider notes, threat actors "use automation technologies to mount credential stuffing attacks, using stolen credentials against multiple services and accounts until they gain access." What makes this challenging is that "most traditional cybersecurity solutions can't detect or prevent the attacks...given they are using legitimate login details."
An example occurred earlier in 2024 with the Roku credential stuffing attacks. According to the NJCCIC, threat actors obtained credentials from third-party sources or the dark web and used them to access Roku accounts and purchase streaming subscriptions. Roku encountered a similar data breach the following month and enforced multi-factor authentication (MFA) for all Roku accounts, even those not impacted by the data breach.
Social engineering
Beyond technical attacks, HC3 notes that threat actors often use social manipulation techniques to convince unwitting individuals to reveal their credentials directly. Malicious actors frequently attempt to impersonate help desk employees or authority figures to conduct these social engineering attacks, exploiting trust and institutional authority.
NTLM authentication exploitation
The research article provides important technical insights into how enterprise authentication systems can be exploited for credential harvesting. NTLM (NT LAN Manager) authentication is "widely used not only for protocols such as SMB, LDAP, MSSQL, HTTP but also used for applications such as wi-fi or remote desktop connection." This adoption makes it an attractive target for attackers.
A vulnerability exists in how NTLM handles backward compatibility. The research article notes that even when the more secure NTLMv2 is available, "NTLMv2 by default falling back to NTLMv1 on the windows operating system." This means that if either the client or server insists on using the older, less secure NTLMv1 protocol, the system will automatically downgrade, potentially exposing credentials to easier cracking methods.
The research article also discovered that credential harvesting can bypass traditional network security measures. Specifically, "manipulating the UNC path into a URL with HTTP/HTTPS or LDAP protocol would also cause the NTLM leak." This is concerning because while many organizations block SMB traffic at their firewalls to prevent attacks, HTTP and LDAP traffic is typically allowed, providing attackers with alternative pathways to harvest credentials.
Perhaps most alarming is the research article's finding that these attacks can facilitate lateral movement within networks. The techniques described "could not only attack computers connect to the internet, but also could attack others that are not connecting to the internet" by redirecting malicious requests to already-compromised internal systems rather than external command-and-control servers.
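A defender-side check for the document-borne technique described in the phishing section (files that request a resource from a UNC path when opened) and in this section (the same path rewritten as an HTTP/HTTPS or LDAP URL), added here as an example; it is not code from the research article, Paubox or Microsoft. It scans the relationship parts of an OOXML document (.docx, .xlsx, .pptx are ZIP containers) for targets that Office resolves outside the package. The only thing it relies on is the OOXML packaging convention that linked resources are declared in *.rels parts and that externally resolved ones carry TargetMode="External"; the document it scans is a constructed in-memory fixture with a placeholder host name, not a real sample.

```python
"""Scan OOXML documents for relationships that make Office fetch a remote resource.

Added example, not code from the research article, Paubox or Microsoft. It relies on
the OOXML packaging convention that linked resources are declared in *.rels parts and
that externally resolved ones carry TargetMode="External"; the document scanned below
is a constructed in-memory fixture using a placeholder host name.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % RELS_NS

# Target forms that cause an outbound fetch when the document is opened: UNC paths
# (SMB) and, as the research article notes, the same path rewritten as HTTP(S) or LDAP.
RISKY_TARGET = re.compile(r"^(\\\\|//|https?://|ldap://|file:)", re.IGNORECASE)

# Hyperlinks are external relationships too, but they resolve only on click, so a
# scanner that treats them like auto-fetched templates or images over-alerts.
CLICK_ONLY_TYPES = {"hyperlink"}


def external_targets(doc_bytes):
    """Return (rels part, short relationship type, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def risky_targets(doc_bytes):
    """External relationships that are fetched automatically and point off the package."""
    return [t for t in external_targets(doc_bytes)
            if t[1] not in CLICK_ONLY_TYPES and RISKY_TARGET.match(t[2])]


def build_sample_docx(template_target):
    """Constructed fixture: the minimum set of parts needed to exercise the scanner.

    It declares a harmless hyperlink plus an externally attached template whose
    target is the caller's choice; it is not a complete or valid Word document.
    """
    rels = '<Relationships xmlns="%s">' % RELS_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels
                   + '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
                   + ' Target="https://example.com/" TargetMode="External"/></Relationships>')
        z.writestr("word/_rels/settings.xml.rels", rels
                   + '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"'
                   + ' Target="%s" TargetMode="External"/></Relationships>' % template_target)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(r"\\external-host.invalid\share\template.dotx")
    for part, rel_type, target in risky_targets(sample):
        print(f"{part}: {rel_type} -> {target}")
```

Run at a mail gateway or in a sandbox, the list returned by risky_targets is what to alert on; a hit pointing at a host the organization does not own is a reason to quarantine the attachment before a user opens it. The check only covers Office files; the other carriers the article lists (HTML, PDF, Windows Media Player files) embed their references differently and need their own parsers.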
FAQs
How can organizations detect credential harvesting activity early?
Monitor for abnormal authentication patterns (unusual geolocations, spikes in failed logins, high-velocity authentication attempts) and correlate with endpoint alerts and web logs.
What are the most effective incident-response first steps after credentials are suspected stolen?
Immediately isolate affected accounts, enforce password resets and MFA re-registration, collect relevant logs, and begin a containment-and-forensics workflow.
How should organizations prioritize which compromised accounts to remediate first?
Prioritize accounts with privileged access, service accounts, those tied to financial systems, and any accounts showing lateral movement indicators.
How effective are password managers in preventing credential reuse and stuffing?
Password managers reduce reuse-related risk by generating and storing unique complex passwords across services.
How can companies defend against QR-code phishing at public events?
Use printed QR code labels from trusted sources, educate users to preview URLs before visiting, and discourage scanning on unmanaged devices.
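The monitoring described in the first FAQ answer above (unusual geolocations, spikes in failed logins, high-velocity authentication attempts), together with the brute-force, credential-stuffing and MFA-fatigue patterns described earlier in the article, as an added example that is not part of the original article or from any source it cites: four rules run over a constructed authentication log. The event schema, the sample events (source addresses are from the RFC 5737 documentation ranges) and every threshold are assumptions chosen for illustration; in practice the events would come from an identity provider or SIEM export.

```python
"""Authentication-log detections for credential-harvesting activity.

Added example, not code from the article or any source it cites. The event schema,
the sample events and every threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, src_ip, country, event, result):
    """Build one event in the constructed schema; ts is ISO text or a datetime."""
    return {"ts": ts if isinstance(ts, datetime) else datetime.fromisoformat(ts),
            "user": user, "src_ip": src_ip, "country": country,
            "event": event, "result": result}


# Constructed sample log. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # Password spray / credential stuffing: one source, six accounts, five minutes.
    *[ev(f"2024-05-01T09:0{m}:00", u, "203.0.113.7", "US", "login", "fail")
      for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # Brute force: eight failures against one service account in 70 seconds.
    *[ev(datetime(2024, 5, 1, 9, 10, 0) + timedelta(seconds=10 * i),
         "svc-backup", "198.51.100.9", "DE", "login", "fail") for i in range(8)],
    # Impossible travel: two successful logins 20 minutes apart from different countries.
    ev("2024-05-01T10:00:00", "grace", "192.0.2.10", "US", "login", "success"),
    ev("2024-05-01T10:20:00", "grace", "203.0.113.55", "BR", "login", "success"),
    # MFA fatigue: six push prompts to one user in under three minutes, all denied.
    *[ev(datetime(2024, 5, 1, 11, 0, 0) + timedelta(seconds=30 * i),
         "heidi", "198.51.100.23", "US", "mfa_push", "denied") for i in range(6)],
    # Benign activity that should not fire any rule.
    ev("2024-05-01T12:00:00", "ivan", "192.0.2.11", "US", "login", "success"),
    ev("2024-05-01T12:00:05", "ivan", "192.0.2.11", "US", "mfa_push", "approved"),
]


def group_by(events, field):
    buckets = defaultdict(list)
    for e in events:
        buckets[e[field]].append(e)
    return buckets


def max_in_window(events, window, key=None):
    """Largest number of events (or of distinct key(e) values) inside any time
    window of the given length. Quadratic, which is fine for a worked example."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for j in range(i, len(events)):
            if events[j]["ts"] - start["ts"] > window:
                break
            seen.add(key(events[j]) if key else j)
        best = max(best, len(seen))
    return best


def failed_logins(events):
    return [e for e in events if e["event"] == "login" and e["result"] == "fail"]


def threshold_alerts(events, field, window, minimum, key=None):
    """Map each distinct value of `field` to its peak windowed count, keeping those >= minimum."""
    alerts = {}
    for k, evs in group_by(events, field).items():
        n = max_in_window(evs, window, key)
        if n >= minimum:
            alerts[k] = n
    return alerts


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """One source failing against many distinct accounts. Credential stuffing, which
    replays breached username/password pairs one attempt per account, leaves the
    same per-source signature, so this rule covers both."""
    return threshold_alerts(failed_logins(events), "src_ip", window, min_users,
                            key=lambda e: e["user"])


def detect_brute_force(events, min_failures=8, window=timedelta(minutes=5)):
    """Many failures against a single account, regardless of source."""
    return threshold_alerts(failed_logins(events), "user", window, min_failures)


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Consecutive successful logins for one user from different countries closer
    in time than travel allows (the FAQ's unusual geolocation)."""
    alerts = []
    successes = [e for e in events if e["event"] == "login" and e["result"] == "success"]
    for user, evs in group_by(successes, "user").items():
        evs = sorted(evs, key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= window:
                alerts.append((user, a["country"], b["country"]))
    return alerts


def detect_mfa_fatigue(events, min_prompts=5, window=timedelta(minutes=5)):
    """Repeated MFA push prompts to one user in a short window (push bombing)."""
    pushes = [e for e in events if e["event"] == "mfa_push"]
    return threshold_alerts(pushes, "user", window, min_prompts)


if __name__ == "__main__":
    print("spray/stuffing sources:", detect_password_spray(SAMPLE_EVENTS))
    print("brute-forced accounts:", detect_brute_force(SAMPLE_EVENTS))
    print("impossible travel:", detect_impossible_travel(SAMPLE_EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

The thresholds need tuning against a baseline of normal traffic, and the per-source rule is the weakest of the four: automated credential stuffing is often spread across many source addresses, so grouping by network or user agent as well as by IP, and correlating with the endpoint and web logs the FAQ answer mentions, catches what a single-IP count misses.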
