
Credential Harvesting Attacks

Critical Threat Level

Phishing attacks using fake login pages to steal usernames, passwords, and authentication credentials

80% of data breaches involve stolen credentials
24B stolen credentials available on dark web
32% click rate on credential phishing emails

What is Credential Harvesting?

Credential harvesting is a phishing technique where attackers create fake login pages that mimic legitimate websites (Microsoft Office 365, Google Workspace, banking sites, etc.) to steal usernames and passwords when victims attempt to log in.

The attack typically begins with an email that creates urgency (account locked, security alert, password expiration) and includes a link to what appears to be the real login page. When victims enter their credentials, the information is captured by the attackers and used for account takeover or data theft, or sold on the dark web.

How Credential Harvesting Works

Step 1: Phishing Email

Attacker sends email claiming: "Your password expires today", "Unusual sign-in activity detected", "Your account will be deleted", or "Important document requires login to view"

Step 2: Fake Login Page

The link leads to a lookalike website (microsoftonline-login.com instead of microsoft.com, or accounts-google.com instead of google.com) whose page looks identical to the real login page.

Step 3: Credential Capture

When the victim enters a username and password, the credentials are sent to the attacker's server. The victim may then see an error message or be redirected to the real site, unaware that the credentials were stolen.

Step 4: Account Compromise

The attacker uses the credentials immediately (before a password reset) or sells them. Average time from harvest to use: 8 hours. If MFA is enabled, a bypass is attempted.

Real-World Example

Microsoft Office 365 Credential Phishing (Ongoing Campaign)

From: Microsoft Security <no-reply@microsoft-account-security[.]com>

Subject: Unusual sign-in activity detected

"We detected unusual sign-in activity on your Microsoft account. For your security, we've temporarily suspended your account. Click here to verify your identity and restore access: https://login-microsoftonline[.]com/verify"

Red Flags:

  • Domain is "microsoft-account-security[.]com" not "microsoft.com"
  • Link goes to "login-microsoftonline[.]com" not "login.microsoftonline.com"
  • Generic greeting (no personalization)
  • Creates panic and urgency
  • Asks you to click link instead of going to site directly

Detection Techniques

Email Red Flags

  • Generic greeting ("Dear User" instead of your name)
  • Urgency and threats (account suspension, deletion)
  • Sender domain doesn't match company (check after @)
  • Link URL doesn't match claimed destination (hover to preview)
  • Spelling/grammar errors in official-looking email

URL Red Flags

  • Lookalike domains: microsoftonline.com vs microsoftonline-login.com
  • Character substitution: go0gle.com (zero instead of o)
  • Extra words: accounts-google.com or secure-paypal-login.com
  • Different TLD: microsoft.net instead of microsoft.com
  • IP addresses instead of domain names
  • Shortened URLs (bit.ly, tinyurl) that hide destination
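To show how the URL red flags above turn into a mechanical check, here is an added Python example (written for this page, not code from the original page or from HeaderScope): it classifies the registrable domain of a link against a small constructed allow-list of legitimate sign-in domains. The brand list, the shortener list and the two-label registrable-domain rule are simplifying assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allow-list (an assumption, not a real inventory): brand keyword ->
# registrable domains that brand actually uses for sign-in.
LEGIT_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Digits commonly swapped for look-alike letters (go0gle, paypa1, micr0s0ft).
HOMOGLYPHS = str.maketrans("0135", "oles")


def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: a real checker uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def url_red_flags(url: str) -> list:
    """Return the URL red flags from the list above that apply to `url`; [] means none found."""
    host = (urlparse(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return ["ip-address-host"]          # bare IP instead of a domain name
    except ValueError:
        pass
    reg = registrable(host)
    if reg in SHORTENERS:
        return ["shortened-url"]            # destination hidden behind a shortener
    if reg in set().union(*LEGIT_DOMAINS.values()):
        return []                           # exact registrable-domain match: no flag
    sld = reg.rpartition(".")[0]            # second-level label, e.g. "microsoft" in microsoft.net
    flags = []
    for brand, domains in LEGIT_DOMAINS.items():
        if reg.translate(HOMOGLYPHS) in domains:
            flags.append(f"character-substitution:{brand}")   # go0gle.com -> google.com
        elif sld in {d.split(".")[0] for d in domains}:
            flags.append(f"different-tld:{brand}")            # microsoft.net
        elif brand in reg:
            flags.append(f"lookalike-domain:{brand}")         # login-microsoftonline.com, accounts-google.com
    return flags


if __name__ == "__main__":
    for u in ["https://login.microsoftonline.com/", "https://login-microsoftonline.com/verify",
              "http://go0gle.com/", "https://microsoft.net/", "http://192.0.2.10/login"]:
        print(u, "->", url_red_flags(u) or "no red flags")
```

Only the registrable domain is judged, so a legitimate subdomain such as login.microsoftonline.com passes while login-microsoftonline.com is flagged; extending the allow-list is the only tuning most deployments need.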

Use HeaderScope to Verify:

  • Check SPF/DKIM/DMARC authentication results
  • Verify sender domain matches claimed company
  • Review "Received" headers for suspicious origin servers
  • Look for authentication failures indicating spoofing
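As an added illustration of the header checks listed above and of the closing section's point that credential phishing mail typically fails SPF/DKIM (example code written for this page, not HeaderScope's implementation), the Python below parses a constructed message modelled on the page's Office 365 example: it reads the Authentication-Results header, compares the From and Return-Path domains against the claimed brand, and pulls the connecting IP from the first-hop Received header. The header text and the .invalid domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample modelled on the page's example (not a real message); .invalid TLDs mark it as made up.
PHISH_HEADERS = """\
Received: from mx.victim.invalid by inbox.victim.invalid
Received: from bulk-relay.invalid ([203.0.113.7]) by mx.victim.invalid
From: Microsoft Security <no-reply@microsoft-account-security.invalid>
Return-Path: <bounce@bulk-relay.invalid>
Authentication-Results: mx.victim.invalid; spf=fail smtp.mailfrom=bulk-relay.invalid;
 dkim=none; dmarc=fail header.from=microsoft-account-security.invalid
Subject: Unusual sign-in activity detected

"""

def parse_auth_results(value: str) -> dict:
    """'authserv; spf=fail ...; dkim=none; dmarc=fail ...' -> {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    results = {}
    for clause in value.split(";")[1:]:                 # clause 0 is the authserv-id, not a result
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results

def origin_ip(raw: str):
    """Connecting IP of the first hop: the bottom-most Received header is the one nearest the sender."""
    hops = message_from_string(raw).get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return m.group(1) if m else None

def header_red_flags(raw: str, claimed_brand_domain: str) -> list:
    """Apply the header checks listed above; [] means every check passed."""
    msg = message_from_string(raw)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != claimed_brand_domain and not from_domain.endswith("." + claimed_brand_domain):
        flags.append(f"sender-domain-mismatch:{from_domain}")   # display name says Microsoft, domain does not
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_domain and rp_domain != from_domain:
        flags.append(f"return-path-mismatch:{rp_domain}")       # bounces routed to an unrelated domain
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):                       # anything but an explicit pass is a flag
        if auth.get(mech, "missing") != "pass":
            flags.append(f"{mech}:{auth.get(mech, 'missing')}")
    return flags

if __name__ == "__main__":
    print("first hop:", origin_ip(PHISH_HEADERS))
    print(header_red_flags(PHISH_HEADERS, "microsoft.com"))
```

A missing Authentication-Results header is reported as "missing" rather than treated as a pass, since an absent check is no evidence that the sender was verified.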

Prevention Strategies

1. Never Click Email Links for Login

  • Always navigate to websites directly by typing URL or using bookmarks
  • If email claims account issue, go to site independently to check
  • No legitimate service requires you to click email link to log in

2. Enable Multi-Factor Authentication (MFA)

  • Use authenticator app (Google Authenticator, Microsoft Authenticator)
  • Avoid SMS-based MFA (vulnerable to SIM swapping)
  • Use hardware security keys (YubiKey) for critical accounts
  • MFA blocks 99.9% of credential harvesting attacks even if password stolen

3. Use Password Manager

  • Password managers won't auto-fill on fake sites (they only fill credentials saved for that exact domain)
  • Unique passwords per site limit damage if one is compromised
  • Strong, random passwords harder to crack if database breached

4. Verify URL Before Entering Credentials

  • Check address bar for exact domain spelling
  • Look for HTTPS padlock (but note: fake sites can have HTTPS too)
  • Watch for login pages that arrive via redirects
  • Be suspicious of login pages with unusual URLs

5. Corporate Protections

  • Deploy email security gateway with URL rewriting/sandboxing
  • Implement SSO (Single Sign-On) to reduce password use
  • Use DNS filtering to block known phishing domains
  • Conduct phishing simulations to train employees
  • Monitor for credential exposure on dark web

If You Entered Credentials on a Fake Site

  1. Immediately change password on real site (go directly to official URL)
  2. Enable MFA if not already enabled
  3. Check account activity for unauthorized access or changes
  4. Change passwords on other accounts if you reused same password
  5. Run antivirus scan in case malware was also installed
  6. Monitor accounts for unauthorized activity (financial, email, social media)
  7. Report to IT/security team if corporate account compromised
  8. File report with FTC (identitytheft.gov) if personal information stolen

Verify Suspicious Emails with HeaderScope

Before clicking any link in an email requesting login, use HeaderScope to analyze the email headers and verify authentication results. Credential phishing emails typically fail SPF/DKIM checks.
