A finance analyst opens an email from her company's IT team late on a Tuesday. Her Microsoft 365 password expires in two hours, the message says, and a link will keep her access live. Her browser loads the exact sign-in screen she uses every morning, down to the company logo and the custom login banner. She enters her username and password, the page pauses for a second, and she lands on her real inbox as if nothing happened.
Nothing felt wrong because nothing looked wrong. Attackers registered the domain that morning. They built a pixel-perfect clone of her own company's sign-in page. Behind it, a relay passed her password and her one-time code straight to an attacker who was already logging in as her. Credential-harvesting campaigns target the login reflex: the familiar moment when an employee sees a trusted sign-in page and enters credentials without checking the domain.
Human behavior remains a breach driver: 60% of analyzed breaches in 2025 involved a human element, roughly the same share as the prior year.
Key Takeaways
- Credential harvesting steals valid login data by getting users to enter credentials into attacker-controlled sign-in pages that imitate trusted services.
- Adversary-in-the-middle (AiTM) proxies can relay passwords and MFA challenges in real time, then capture session tokens that represent completed logins.
- Standard controls cover only parts of the attack while leaving the login reflex exposed.
- Effective defense requires realistic simulations, multi-channel coverage, and training refreshed from live threat activity.
What Is Credential Harvesting?
Credential harvesting is the theft of valid login data by getting a user to type it into attacker-controlled infrastructure built to imitate a service they already trust. It succeeds without malware, and AiTM techniques can intercept MFA tokens and session cookies meant to protect the login.
Harvested Logins Give Attackers Working Access
Once an attacker holds a valid username, password, and session token, they authenticate as the user and blend into normal activity. Security logs can resemble legitimate user activity, and intrusion alarms can lack a clear trigger.
In an AiTM attack, the phishing page sits between the victim and the real identity provider, relaying every input in real time. The victim completes the MFA challenge, the legitimate service issues a session token, and the proxy intercepts it. A stolen session token bypasses MFA entirely because it represents an already authenticated session: from the application's perspective, the attacker is presenting the result of a completed login.
Employees Enter Credentials on Familiar Sign-In Pages by Reflex
Employees repeat logins throughout the workday, and attackers exploit that repetition. When an employee sees their company's branded sign-in screen, the familiar workflow draws attention away from URL inspection. They type their password because they have typed it on that screen a thousand times before.
That reflex makes credential harvesting durable, and AI is widening the gap. AI-automated phishing emails achieved click-through rates of 54%, compared to 12% for standard phishing attempts, a 4.5x increase that shows how AI changes phishing efficacy.
How a Credential Harvesting Attack Unfolds
Attackers choose a trusted login to imitate, clone the sign-in page, route targets to it, create urgency, and use the captured login for access. Each stage builds the conditions for the next.
Stage 1: Reconnaissance, Attackers Pick a Trusted Login to Imitate and Profile Its Users
Attackers begin by choosing which trusted login to clone and learning who uses it. They gather employee names and email addresses from public sources, then craft pretexts that fit the target. Others send rapport-building messages first and escalate to credential-stealing links only after they have built trust.
Stage 2: Weaponization, Attackers Clone the Sign-In Page and Wire It for Live Credential Capture
The reconnaissance feeds the infrastructure attackers build to impersonate the chosen service. For credential harvesting, the weaponized payload is a cloned or proxied sign-in page. AiTM phishing kits deploy a reverse-proxy server between the target and the real login page, relaying authentication traffic in real time and capturing the post-MFA session token.
These kits are now part of the phishing-as-a-service economy, available off the shelf, and landing pages routinely mimic the federated identity provider of the targeted organization or masquerade as DocuSign or password resets.
Stage 3: Delivery, Lures Push Targets to the Fake Page Across Email, SMS, Ads, and QR Codes
With the cloned page live, attackers drive targets to it across far more channels than email alone. They route victims through redirect chains, CAPTCHA pages that add a sense of legitimacy, and URL shorteners before landing them on the fake sign-in. QR code phishing embeds malicious URLs inside images, and conventional email scanners do not always catch them.
Smishing waves, malicious paid ads, and lures inside Telegram, WhatsApp, and Microsoft Teams all flow around enterprise email filtering. Voice-driven delivery has surfaced in major incidents, with attackers calling employees and directing them to fake login portals running AiTM toolkits.
Stage 4: Persuasion, Familiar Branding and Manufactured Urgency Get the User to Sign In
Attackers pose as a trusted source and send urgent messages: a password expiring in two hours, a salary change requiring confirmation, an unusual login that needs verification. Spoofed-domain campaigns can make messages appear to come from a trusted sender, and CAPTCHA gates and brand-accurate pages reinforce the impression that the workflow is routine.
By the time the user reaches the password field, the experience matches their daily login closely enough that hesitation never registers.
Stage 5: Execution, Captured Logins Turn Into Account Takeover, Fraud, and Lateral Movement
Captured logins quickly become working access, the entry point for account takeover. Attackers replay stolen session cookies to reach cloud email, file-sharing environments, and federated SaaS applications without re-authenticating. They establish persistence through inbox rules or alternate authentication paths, then manipulate finance-related email threads to redirect payments in business email compromise schemes.
From there, a stolen session in a SaaS environment can become access to many interconnected systems. Resetting the user's password is not enough. Security teams must also revoke the session cookie, or the door stays open.
Why Standard Defenses Miss Credential Harvesting
Credential harvesting slips past the controls most teams trust to stop it. Standard defenses cover parts of the attack while leaving the moment of login exposed.
Email Filters Miss the Lures That Arrive on Other Channels
Email gateways inspect the delivery layer, but credential theft happens at the authentication layer. The AiTM proxy session gives scanners little malicious payload to catch, and security logs can show a normal login while the attacker intercepts the session. The gap widens when the lure reaches the employee outside email.
Smishing, malicious ads, QR codes embedded in documents, and messaging-app lures bypass enterprise email filtering entirely, and organizations still skew investment heavily toward email security while underfunding mobile and messaging channels.
Multi-Factor Authentication Gets Relayed in Real Time
MFA methods provide different levels of protection, and attackers can phish the most common forms. App-based one-time codes and push notifications transmit shared secrets that an attacker can capture: an attacker who can convince a user to type a password can also convince them to type a six-digit code or tap approve.
Under AiTM, even a user who completes MFA correctly passes the authenticated session straight through the attacker's proxy. The proxy captures the token after the MFA step, and the attacker ends up authenticated as the user regardless of the sign-in method. Phishing-resistant methods like FIDO/WebAuthn tie authenticator output to the specific relying-party domain, which can defeat the relay at the protocol level.
Many organizations still need to migrate toward them.
Annual Awareness Training Leaves the Login Reflex Intact
Annual awareness training changes behavior measurably, but a once-a-year lesson cannot keep pace with attacks that shift weekly. A trained employee who spots a phishing simulation in a workshop still faces a live exploitation window when an AiTM campaign relays the session in real time.
A year-round continuous awareness program delivered through multiple formats, paired with authentication protocols strong enough to defeat the relay itself, closes the gap.
How to Stop Credential Harvesting
Stopping credential harvesting means conditioning the workforce against the lures attackers are actually running. Simulations need to trigger the real login reflex, coverage has to span the channels where lures arrive, and training has to refresh from live threat activity so it reflects the attacks landing this week.
1. Build Simulations From Real Credential-Harvesting Lures
Realistic phishing simulations should reflect the context attackers exploit, including vendor relationships and the branded login experience employees see every day. Relevance makes the simulated lure harder to dismiss as a compliance exercise when it resembles the pressure, branding, and workflow of a real attack.
2. Cover Every Channel a Credential Lure Arrives On
Phishing, smishing, and vishing are increasingly one blended problem, with attackers using email, messaging, and voice in quick sequence. A program that tests only email templates prepares people for a fraction of what they will face. In practice, role-based coverage means tailoring scenarios to the workflows each team is most likely to encounter: finance teams may need business email compromise scenarios, executives may need vishing and deepfake simulations, and helpdesk staff may need credential-reset scenarios.
A useful behavioral outcome to condition across all of them is out-of-band verification: an unusual request should be confirmed through a separate, known channel before anyone acts on it.
3. Refresh Training From Live Threat Activity
Attackers keep changing their lures and channels, and AI can accelerate social engineering during early phases of the attack lifecycle. Training that reflects last year's tactics leaves employees rehearsing for attacks that have moved on.
Programs should rotate simulation content from current threat intelligence and reflect the techniques landing now, including AiTM credential-harvesting workflows and deepfake vishing. Continuous reinforcement converts a click reflex into a reporting reflex.
How Doppel Defends Against Credential Harvesting
Doppel is the AI-native Social Engineering Defense (SED) platform that unifies Digital Risk Protection and Human Risk Management, and it closes the exact gap credential harvesting exploits: the moment a convincing fake sign-in page meets an employee acting on reflex.
The platform treats a spoofed page or smishing lure alongside employee submissions as one campaign, correlates the activity, routes confirmed malicious assets to automated takedown workflows, and converts the same lures into safe employee simulations across email, SMS, voice, collaboration, and messaging channels.
The takedown response reaches beyond the asset that triggered the alert. The Threat Graph maps the connected infrastructure behind a spoofed login page, including the lookalike domain, the AiTM relay's hosting, the SMS sending numbers, and the malicious ads pointing at the same landing pattern.
The platform then submits the campaign for takedown in a single action across registrars, hosts, social platforms, ad networks, and telco providers. Telco coverage matters here because the smishing leg of a credential-harvesting campaign often survives a domain takedown, letting attackers keep operating from the same infrastructure.
Dismantling the connected campaign at once raises the cost of rebuilding above what the next victim is worth.
When the Doppel Threat Graph detects a real credential-harvesting threat targeting a brand, such as a spoofed login page or malicious ad, that detection can become an employee simulation in one click. The platform clones and defangs the lure's copy and landing-page pattern for safe internal use, so employees train against the actual attack running against their organization.
Vibe Phishing extends this further: paste a company's internal branded login URL and the platform clones that exact experience to produce a simulation that mirrors the sign-in employees use every morning.
The same loop measures resilience. Risk Modeling scores who submits credentials under pressure and tracks data submission rates across email, SMS, voice, and collaboration channels rather than email alone. It then routes those employees into Security Awareness Training tied to the specific behavior they exhibited.
An employee who submits credentials on a voice call gets different reinforcement than one who clicks a follow-up SMS link. Running DRP and HRM on one intelligence layer means each confirmed external detection sharpens internal conditioning, and each internal result gives security teams a clearer view of human risk.
The same shift shows up in platform telemetry. By April 2026, email had emerged as a leading source of attacker activity against financial services and fintech brands, alongside continued activity across social and messaging platforms. That points to multi-channel campaign design. Defending against it means conditioning people on every surface the campaign uses, across email, social, messaging, and related channels.
Turn the Login Reflex Into a Defense
The teams that get ahead of credential harvesting rehearse the login reflex against the real lures aimed at their people, often enough and recently enough that the next pixel-perfect sign-in page meets an employee who recognizes it for what it is. Detection that never reaches the workforce leaves the reflex untouched, and a reflex left untouched is the attacker's surest entry point.
The platform can convert live attack lures into safe employee-training simulations that condition your people against similar attacks. That helps make the brand too costly to attack because the campaign's best weapon meets a workforce that has already seen it. Request a demo to see the closed-loop run against the lures targeting your organization.