A successful credential harvesting scam can have devastating consequences.

There is, of course, the fact that credentials have been compromised. That not only allows access to the site in question but also perhaps to even more sites. How many of us use the same credentials for multiple sites?

Another thing, though, is the multiplying effect of credential harvesting scams.

In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors are compromising accounts, creating more users in an organization to send more attacks, and then auto-deleting emails to cover their tracks. 


In this attack, hackers use stolen credentials to create more users from which to send credential harvesting emails, and then auto-delete emails to cover their tracks. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Auto-Delete, Creating More Users
  • Target: Any end-user

Email Example #1


This is the start of the credential harvesting chain. The email says that there is a document for the end-user to view. The email comes from a standard O365 account. The form, however, is a link to a malicious site that steals their credentials. Once the credentials are stolen, the hackers have carte blanche access to the rest of the organization. 

Email Example #2:

In a worst-case scenario, if the compromised user has admin permissions, the attack can be devastating. From there, the hackers can go into the larger admin account and create more users. Notice that the only “real users” are the ones that say “Microsoft Business 365 Standard”. The names of the unlicensed users, not shown here for privacy, are taken from the real contact lists of the users, even if the email addresses themselves are dummy accounts. The hacker then sent out the first phishing email to over 4,000 addresses.


Email Example #3:


Finally, the hacker set emails to be auto-deleted from compromised accounts, so as to cover their tracks.



This attack is particularly tricky. It requires a multi-step process on the part of the hackers. It starts with the original compromise. The hacker then creates multiple email addresses based on the names of real contacts. From there, the hacker sends out more phishing emails. In this case, the email was sent to over 4,000 people. 

Finally, the hacker sets the compromised mailbox to auto-delete incoming emails, so the compromised user is none the wiser.
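
The chain described above (a burst of new accounts created by one identity, a mass send from one of them, and an auto-delete inbox rule) leaves a correlatable trail in audit data. The following is an added example, not part of Avanan's brief: the records are constructed and simplified, the operation names mirror Microsoft 365 audit operations, and the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; a simplified stand-in for exported audit events.
EVENTS = [
    {"time": "2023-03-01T09:00:00", "actor": "admin@example.com", "op": "Add user.", "target": "a.lee@example.com"},
    {"time": "2023-03-01T09:02:00", "actor": "admin@example.com", "op": "Add user.", "target": "b.kim@example.com"},
    {"time": "2023-03-01T09:05:00", "actor": "admin@example.com", "op": "Add user.", "target": "c.roy@example.com"},
    {"time": "2023-03-01T09:10:00", "actor": "admin@example.com", "op": "New-InboxRule", "params": {"DeleteMessage": "True"}},
    {"time": "2023-03-01T09:30:00", "actor": "b.kim@example.com", "op": "Send", "recipients": 4000},
    {"time": "2023-03-01T10:00:00", "actor": "helpdesk@example.com", "op": "Add user.", "target": "new.hire@example.com"},
    {"time": "2023-03-01T11:00:00", "actor": "pat@example.com", "op": "New-InboxRule", "params": {"MoveToFolder": "Newsletters"}},
]

USER_BURST = 3                 # accounts created by one actor ...
WINDOW = timedelta(hours=1)    # ... inside this window (assumed threshold)
SEND_BURST = 1000              # recipients in one send (assumed threshold)

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_signals(events):
    """Map each actor to the sorted list of chain stages seen for them."""
    findings = defaultdict(set)
    creations = defaultdict(list)   # actor -> timestamps of account creations
    created_by = {}                 # new account -> identity that created it
    for e in sorted(events, key=_ts):
        actor, op, now = e["actor"], e["op"], _ts(e)
        if op == "Add user.":
            creations[actor].append(now)
            created_by[e["target"]] = actor
            if sum(1 for t in creations[actor] if now - t <= WINDOW) >= USER_BURST:
                findings[actor].add("user-creation-burst")
        elif op in ("New-InboxRule", "Set-InboxRule"):
            # A rule that deletes mail hides replies and bounce notices.
            if e.get("params", {}).get("DeleteMessage") == "True":
                findings[actor].add("auto-delete-rule")
        elif op == "Send" and e.get("recipients", 0) >= SEND_BURST:
            # Attribute a mass send from a fresh account to whoever created it.
            findings[created_by.get(actor, actor)].add("mass-send")
    return {actor: sorted(stages) for actor, stages in findings.items()}

def full_chain(events):
    """Actors showing all three stages: the pattern worth paging on."""
    want = {"user-creation-burst", "auto-delete-rule", "mass-send"}
    return [a for a, s in find_signals(events).items() if want <= set(s)]
```

Any single stage is worth a look on its own; the three together from one identity match the sequence in this brief.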

This tricky attack requires unparalleled visibility into the company’s ecosystem to stop. It requires the ability to protect against internal attacks and to prevent malicious outbound emails from leaving the environment. Without that, it will be a successful attack. To the end-user, the email appears to come from a normal user at an address they may recognize. For security admins, it can all happen without their being made aware.

These tricky attacks, while time-consuming, are fairly easy for the hacker to execute. It then allows them to send out even more attacks at scale. From just one breach, the hacker can aim to breach 4,000 more. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check URLs before clicking on them
  • Be sure to pay attention to grammar, spelling and factual inconsistencies within an email
  • If ever unsure about an email, ask the original sender