In plain English
Credential harvesting is how attackers collect passwords at scale. Whether through a convincing fake login page, a keylogger installed via malware, or purchasing a dump from a previous data breach, attackers collect credentials and try them against corporate systems — often months or years after the original breach.
Full definition
Attackers collect credentials in a few ways. sites clone a login page, capture what the user types, and redirect them to the real service so nothing looks wrong. Keyloggers record every keystroke. Data dumps from past breaches get sold on dark web markets for a few hundred dollars and run against corporate login portals in automated campaigns. The original breach might have happened years ago at a completely unrelated service. The password gets reused, and that is the problem.
Credential stuffing is exactly this: taking a list of email and password pairs from one breach and testing them against other services at scale. An Australian business whose finance manager uses the same password for their banking login and their Microsoft 365 account is exposed to every breach that ever captured that password, regardless of where it came from.
stops most credential-based attacks outright. If an attacker has a valid username and password but cannot pass the second factor, they cannot log in. 's can also flag impossible-travel events, where a login appears from Sydney and then, three minutes later, from Eastern Europe. IronSights monitors for these signals as part of Fortify, and credentials found in known breach databases can be checked against your tenant using Microsoft's leaked credential detection.
