What is Credential Harvesting?


Credential harvesting collects passwords, hashes, and session tokens via infostealers, phishing, and AiTM tooling; it is the connective tissue of modern compromise.

How Credential Harvesting Works

Credential harvesting is rarely a single technique. It is a category that includes any operation an attacker uses to collect authentication material — passwords, hashes, tokens, session cookies, certificates, API keys — from compromised systems, intercepted communications, or social-engineering targets. The category matters because every modern attack at scale depends on credentials at some stage. Stolen credentials are how attackers move from initial access to lateral movement, from one tenant to another, from corporate environments into the cloud services those environments depend on.

Endpoint Credential Theft

The most prolific credential harvesting category extracts credentials from compromised endpoints. The dominant tool family — Mimikatz, Rubeus, LaZagne, SharpHound — reads credentials from process memory (LSASS on Windows), credential storage (Windows DPAPI, macOS Keychain, Linux GNOME Keyring), and configuration files. Modern attacker tooling extracts not just passwords but also Kerberos tickets, NTLM hashes, browser-stored credentials, SSH keys, AWS access keys, kubeconfig files, and any other authentication material that an authenticated user's session has access to.

The 2024-2025 infostealer family expansion — LummaC2, RedLine, Vidar, StealC, Atomic Stealer — commoditized endpoint credential theft as a service. Initial-access brokers operate businesses entirely around the sale of credentials harvested from compromised endpoints, with pricing tiers by sector (financial services credentials at $500-$5,000 per set, healthcare and government targeted higher, generic consumer credentials sold in bulk at fractions of a cent each).

Phishing and Adversary-in-the-Middle

The second major harvesting category is real-time credential capture through phishing and adversary-in-the-middle (AiTM) infrastructure. The 2022-2026 evolution of phishing tooling — Evilginx, Modlishka, Muraena — captures not just passwords but the live session token returned after MFA succeeds, bypassing MFA as a defensive layer. The user enters credentials and approves MFA on what appears to be the legitimate site; the AiTM tooling captures the resulting session cookie and replays it from the attacker's infrastructure. The user sees a normal login flow; the attacker has the session.

Cloud Token and OAuth Theft

The third category targets cloud session tokens and OAuth grants — the post-authentication credentials that govern access to SaaS applications. The 2024 Storm-0558 Microsoft token theft incident, the 2025 Snowflake customer breaches via stolen credentials, and the broader pattern of OAuth grant abuse all reflect this category. Once an attacker has a valid cloud session token, they have an authenticated session against the target SaaS or cloud provider without requiring the original password, MFA, or any further interaction with the legitimate user.

Why Credential Harvesting Is the Linchpin of Modern Compromise

The Initial-Access-Broker Economy

Stolen credentials are the trade good of the cybercriminal economy. Initial-access brokers operate as the wholesale layer between technical operators (who harvest credentials at scale through phishing kits and infostealers) and ransomware affiliates or other attack groups (who buy access matching their target profile). The Conti, LockBit, and ALPHV/BlackCat ransomware groups all maintained substantial purchasing operations for initial access — credentials and remote-access capability for organizations matching their preferred targets. The economic structure makes credential harvesting durable: there is always demand at the wholesale level even when individual harvested credentials have short useful lives.

The Single Compromise Cascade

One harvested credential can produce cascading compromise. An employee's password reused across LinkedIn (breached in 2012, surfaced publicly in 2016) and a corporate VPN with weak MFA is exposed continuously across the entire interval. An infostealer that captures an employee's browser-stored credentials harvests, on average, dozens of cached passwords — personal email, banking, social media, plus any corporate systems the employee accessed through the browser. The cascade is the economic core of credential harvesting's value: a single endpoint compromise typically yields not one credential but a portfolio.

The MFA Bypass Question

MFA's defensive value against credential harvesting is real but partial. Phishing-resistant MFA (FIDO2 hardware keys, passkeys) defends against AiTM phishing because the cryptographic challenge cannot be replayed against a different domain. Push-notification MFA and SMS-based MFA do not provide this protection — AiTM tooling can replay them in real time as the legitimate user approves the prompt. The migration from older MFA forms to phishing-resistant authentication is the single largest defensive improvement available against current credential harvesting tooling.

How to Defend Against Credential Harvesting

Phishing-Resistant MFA

Hardware security keys (YubiKey, Google Titan, Feitian) and platform passkeys (Apple, Google, Microsoft) provide cryptographic phishing resistance that defeats AiTM tooling. For administrative accounts, executive accounts, and high-value workforce roles, phishing-resistant MFA should be mandatory. The procurement and rollout effort is non-trivial but the defensive return is substantial — most current AiTM tooling cannot bypass FIDO2 authentication.
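The origin binding that the two passages above rely on is visible in the relying-party checks a WebAuthn verifier runs on every assertion. The following is an added example written for this page (not code from any vendor or library); the RP ID, origins and challenge are constructed, and it stops short of the signature check, which a real verifier performs with the registered public key.

```python
import base64
import hashlib
import json

# Constructed relying party (RP) values; a real deployment takes these from its own config.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_assertion(client_data_b64: str, authenticator_data: bytes, expected_challenge: str):
    """RP-side checks on a WebAuthn assertion that run before the signature check.

    The browser writes the page origin into clientDataJSON and the authenticator
    signs SHA-256(clientDataJSON) together with authenticatorData, so a proxy that
    relays the assertion cannot rewrite the origin without breaking the signature.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not the RP origin"
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes) ...
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok; signature verification still required"

# Helpers that build constructed assertion inputs for the two scenarios in demo().
def make_client_data(origin: str, challenge: str) -> str:
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_auth_data(rp_id: str, flags: int = 0x01) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

def demo():
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed per-login challenge
    genuine = check_assertion(make_client_data("https://login.example.com", challenge),
                              make_auth_data(RP_ID), challenge)
    # The victim's browser sat on a lookalike proxy domain, so clientDataJSON carries that origin.
    relayed = check_assertion(make_client_data("https://login.example-signin.test", challenge),
                              make_auth_data(RP_ID), challenge)
    return genuine, relayed
```

Run demo() to see the genuine assertion pass and the relayed one fail on the origin check; a proxy that instead asks for its own RP ID fails on rpIdHash.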

Endpoint Detection of Credential Theft Patterns

Modern EDR platforms include specific detection logic for credential theft — LSASS memory access patterns, Mimikatz-family tool execution, DCSync from non-DC accounts, suspicious browser credential vault access. The detection rules require proper EDR configuration and tuning to avoid false positives on legitimate administrative tooling, but the capability exists in mainstream EDR platforms (Microsoft Defender, CrowdStrike Falcon, SentinelOne).
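As an added illustration of the LSASS access pattern named above (not any EDR vendor's rule), the following scans constructed Sysmon Event ID 10 ProcessAccess records and flags reads of LSASS memory from non-allowlisted processes or from call traces that pass through unbacked memory. The allowlist and the log format are assumptions; a real rule is built from a baseline of the environment's own telemetry.

```python
# Access right from the Windows PROCESS_* mask; a dumper needs VM_READ on LSASS.
PROCESS_VM_READ = 0x0010

# Constructed allowlist of processes that open LSASS with read access on a healthy host;
# build yours from a baseline, not from this list.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to key=value fields.
SAMPLE_EVENTS = r"""
SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF|CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4
SourceImage=C:\Users\alice\Downloads\invoice.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010|CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(000001F2A3B4C5D6)
SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1400|CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4
SourceImage=C:\Windows\Temp\svc.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF|CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d2e4
""".strip().splitlines()

def parse_event(line: str) -> dict:
    # CallTrace itself contains '|' between frames, so split only at the first three separators.
    return dict(field.split("=", 1) for field in line.split("|", 3))

def lsass_access_reasons(event: dict) -> list:
    """Return why a ProcessAccess event looks like credential theft, or [] if it does not."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return []
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return []   # cannot read LSASS memory, so cannot dump credentials from it
    reasons = []
    if event["SourceImage"].lower() not in ALLOWLIST:
        reasons.append("non-allowlisted process reads LSASS memory")
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("call trace passes through unbacked memory (injected code)")
    return reasons

def scan(lines) -> list:
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = lsass_access_reasons(event)
        if reasons:
            alerts.append((event["SourceImage"], event["GrantedAccess"], reasons))
    return alerts

if __name__ == "__main__":
    for source, access, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {source} GrantedAccess={access}: {'; '.join(reasons)}")
```

Task Manager's 0x1400 open carries no VM_READ bit and is ignored, which is the tuning step the passage refers to: the access mask, not the mere fact of touching LSASS, separates administrative tooling from a dump.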

Conditional Access and Session Risk

Microsoft Entra Conditional Access policies, Okta's adaptive authentication, and similar platforms can require additional authentication when sessions exhibit risk signals — impossible travel between geographic locations, sign-in from unusual networks or devices, sign-in immediately following a password change. These risk-based authentication patterns surface session-token replay attempts that pure password-and-MFA enforcement does not catch.
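The replayed-session-cookie scenario from the AiTM section and the risk signals listed above come together in a check over sign-in telemetry: consecutive uses of the same session token are compared for implausible travel and a changed client. This is an added example for this page, not Entra or Okta logic; the 900 km/h threshold, the log fields and the sign-in records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed threshold: faster than a commercial flight means the token, not the user, moved.
MAX_PLAUSIBLE_KMH = 900.0

@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str     # opaque session-cookie identifier as logged by the IdP
    ip: str
    lat: float
    lon: float
    user_agent: str

def haversine_km(a: SignIn, b: SignIn) -> float:
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def session_risk(events) -> list:
    """Compare consecutive uses of the same session token for signs it was replayed."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)
    findings = []
    for sid, uses in by_session.items():
        for prev, cur in zip(uses, uses[1:]):
            hours = max((cur.ts - prev.ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
            km = haversine_km(prev, cur)
            signals = []
            if km / hours > MAX_PLAUSIBLE_KMH:
                signals.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
            if cur.user_agent != prev.user_agent:
                signals.append("user agent changed inside one session")
            if signals:
                findings.append((cur.user, sid, prev.ip, cur.ip, signals))
    return findings

# Constructed sign-in log: alice's cookie is reused minutes later from another country and
# browser; bob changes IP within the same city on the same device, which is ordinary.
SAMPLE_SIGNINS = [
    SignIn(datetime(2025, 3, 4, 9, 0), "alice", "s1", "203.0.113.10", 51.5074, -0.1278, "Chrome/122 Windows"),
    SignIn(datetime(2025, 3, 4, 9, 20), "alice", "s1", "198.51.100.7", 47.0105, 28.8638, "Chrome/121 Linux"),
    SignIn(datetime(2025, 3, 4, 9, 0), "bob", "s2", "203.0.113.20", 51.5074, -0.1278, "Safari/17 macOS"),
    SignIn(datetime(2025, 3, 4, 10, 0), "bob", "s2", "203.0.113.21", 51.5155, -0.0922, "Safari/17 macOS"),
]

def run_sample() -> list:
    return session_risk(SAMPLE_SIGNINS)
```

A finding here is the trigger for step-up authentication or session revocation; in production the coordinates come from IP geolocation, and the user-agent comparison is usually replaced by the device identifier the IdP records.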

Password Manager Enforcement

Enterprise password managers (1Password Business, Bitwarden, Dashlane) eliminate password reuse, generate high-entropy unique credentials per service, and centralize the credential vault behind a single hardened authentication point. Mandating password manager use — not just permitting it — and disabling browser-native credential storage is the appropriate baseline.


How Cloudskope Can Help

Cloudskope's Identity and Access Risk Management practice includes credential exposure assessment across workforce accounts — dark web monitoring integration, MFA posture audit, conditional access policy review, and identification of administrative accounts where phishing-resistant MFA enforcement should be the standard. For organizations recovering from infostealer compromise, our incident response engagements include credential rotation prioritization and the post-incident hygiene work that prevents the same harvested credentials from being used against the organization indefinitely.