Credential harvesting

The capture stage of a phishing attack — a fake login page that records whatever the victim types.

Credential harvesting is what happens after you click. The attacker hosts a clone of a login page (Microsoft 365, Okta, your bank), captures the username and password, and either forwards them or uses them immediately.

Modern harvesters proxy in real time — they pass your credentials and MFA token to the real service so you log in successfully and don't notice anything wrong, while the attacker hijacks the session.

Defenses that survive credential harvesting: hardware security keys (FIDO2/WebAuthn), passkeys, and conditional access policies tied to device posture.

Related terms

Phishing

Fraudulent attempt to steal credentials or money by impersonating a trusted entity, usually via email or a fake website.

Adversary-in-the-Middle (AiTM)

A modern phishing kit that proxies traffic in real time between victim and the real service — defeating MFA.

Got a URL you're unsure about?

Paste it into our free scanner — verdict in seconds, 10+ threat-intel sources.

Scan a URL →