Credential Phishing: A Growing Threat to SaaS Security

March 06, 2025

If you think you understand phishing scams, think again. Phishing attacks are becoming more sophisticated and difficult to detect than ever before. “How?” you may ask. The answer is simple: cybercriminals never stop innovating. They constantly evolve their attack techniques, leveraging advanced technologies, such as Generative Artificial Intelligence (Gen AI) and subscription-based Phishing-as-a-Service (PhaaS) platforms, to breach even the strongest defense systems or trick your most vigilant employees.

As the adoption of cloud-based services continues to grow, Software-as-a-Service (SaaS) applications such as Microsoft 365 and Google Workspace have become prime targets for cybercriminals. One of the most prevalent and complex threats facing SaaS security today is credential phishing, which increased by over 700% in the second half of 2024.

In this article, we’ll explore credential phishing and its dangers as well as best practices for protecting your organization. We’ll also discuss how ID Agent’s advanced anti-phishing defense and dark web monitoring solutions can help strengthen your SaaS security.

What is credential phishing?

Credential phishing, also called credential harvesting, is a type of phishing attack designed to steal login credentials, such as usernames and passwords, by tricking users into revealing them. In such attacks, bad actors disguise themselves as reputable or trusted entities, such as SaaS providers, banks or IT administrators, to win victims’ trust and convince them to click on malicious links, enter credentials on fake login pages or download malware-infected attachments. Credential phishing is responsible for nearly 70% of all email-based cyberattacks.

Common credential phishing tactics used by cybercriminals

Attackers use a variety of techniques to manipulate unsuspecting victims into divulging their login credentials. Some of the commonly used methods include:

Deceptive emails and messages

Threat actors send highly convincing emails or messages that appear to come from legitimate sources, urging users to take immediate action. These emails are crafted to incite fear or create a sense of urgency with messaging such as, “Your account is about to expire” or “Suspicious login detected. Reset your password now.”

Fake login pages

Cybercriminals use fake websites with altered domain names that resemble trusted SaaS platforms, redirecting victims who click on malicious links to fake login pages. These sites capture login details when users attempt to sign in. In Q3 2024, Microsoft was the most impersonated brand, accounting for over 60% of phishing attempts using spoofed branding. Apple and Google followed, ranking second and third at 12% and 7% of phishing scams, respectively.
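As a defensive illustration of the altered domain names described above, the following added example (not part of the original article or any ID Agent product) classifies a link's host against a list of trusted sign-in domains. The trusted list, the digit-swap table and the thresholds are assumptions chosen for the demo.

```python
from urllib.parse import urlsplit

# Assumption: sign-in domains this organization actually uses (illustrative list).
TRUSTED = {"microsoft.com", "microsoftonline.com", "google.com", "apple.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}
# Digit-for-letter swaps often seen in altered domains (small constructed subset).
SWAPS = str.maketrans("0135", "oles")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'unknown' or 'suspicious:<reason>' for a link's host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    # Naive registrable domain (last two labels); production code would use
    # the Public Suffix List so names under suffixes like co.uk split correctly.
    sld, reg = labels[-2], ".".join(labels[-2:])
    if reg in TRUSTED:
        return "trusted"
    if any(label.startswith("xn--") for label in labels):
        return "suspicious:punycode"        # internationalized name, may hide look-alike letters
    if sld.translate(SWAPS) in BRANDS:
        return "suspicious:homoglyph"       # e.g. a zero standing in for the letter o
    if any(brand in host for brand in BRANDS):
        return "suspicious:brand-in-host"   # brand used as a subdomain or name fragment
    if any(edit_distance(sld, brand) <= 2 for brand in BRANDS):
        return "suspicious:typo"            # one or two keystrokes away from a brand
    return "unknown"
```

Hits from heuristics like these are leads for review rather than verdicts, since a legitimate host can contain a brand string by coincidence.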

Credential harvesting and exploitation

Once users log in to fake sites, their credentials are stolen. Cybercriminals can use them to gain unauthorized access to an organization’s business applications, launch business email compromise (BEC) attacks or even sell the stolen login details on the dark web.

Credential stuffing attacks

Hackers use stolen credentials from previous data breaches to gain unauthorized access to user accounts. In cases where victims reuse passwords across multiple applications or services, threat actors can run large-scale automated login attempts to compromise additional accounts.
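The automated login attempts described above leave a recognizable pattern in authentication logs: one source failing against many different accounts in a short time. The following added example (not from the original article) detects that pattern and lists accounts that logged in successfully from a flagged source. The log format, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption: sliding window length
MIN_FAILED_USERS = 4           # assumption: distinct accounts failing per source

# Constructed sample in an assumed "<UTC time> <source IP> <user> <OK|FAIL>" format.
SAMPLE_LOG = [
    "2025-03-06T09:00:01Z 203.0.113.7 alice FAIL",
    "2025-03-06T09:00:02Z 203.0.113.7 bob FAIL",
    "2025-03-06T09:00:03Z 203.0.113.7 carol OK",
    "2025-03-06T09:00:04Z 203.0.113.7 dave FAIL",
    "2025-03-06T09:00:05Z 203.0.113.7 erin FAIL",
    "2025-03-06T09:01:10Z 198.51.100.20 frank FAIL",
    "2025-03-06T09:01:25Z 198.51.100.20 frank OK",
]


def parse(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(lines):
    """Flag sources whose failures span many accounts inside one window.

    Returns {ip: {"peak_users": n, "reset": [accounts that logged in from it]}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(map(parse, lines)):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, events in by_ip.items():
        start, peak = 0, 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:   # slide the window forward
                start += 1
            failed = {u for _, u, ok in events[start:end + 1] if not ok}
            peak = max(peak, len(failed))
        if peak >= MIN_FAILED_USERS:
            # A success from a flagged source suggests a reused password worked.
            reset = sorted({u for _, u, ok in events if ok})
            findings[ip] = {"peak_users": peak, "reset": reset}
    return findings
```

Counting distinct accounts rather than total failures keeps a single user who mistypes a password, like the second source in the sample, from being flagged.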

The role of AI in phishing

As AI technology advances, cybercriminals are weaponizing it to amplify attacks. Since the launch of ChatGPT in November 2022, phishing emails have surged by an astonishing 1,265%. Today, AI-powered tools allow bad actors to operate more efficiently and effectively than ever before, making traditional security defenses harder to rely on.

Here’s how AI is making cybercrime more dangerous:

  • AI-powered threats autonomously adapt, evading detection and blocking efforts.
  • AI tools can mimic trusted individuals with near-perfect accuracy, making phishing attacks even more deceptive and dangerous.
  • With rapid data mining and analysis capabilities, thanks to AI, cybercriminals can now swiftly identify high-value targets and vulnerabilities.
  • AI-generated videos and audio enable convincing business scams (e.g., BEC fraud).
  • Cybercriminals are leveraging AI to develop stronger encryption, making it harder for authorities to track their activities.

Real-world examples of phishing attacks

Phishing and credential theft are among today’s most dangerous cyberthreats. Here are a few examples that serve as a stark reminder of the dangers that lurk in an increasingly digitized world.

The Change Healthcare cyberattack

In February 2024, Change Healthcare, one of the world’s largest health payment processors, fell victim to a devastating ransomware attack. ALPHV/BlackCat infiltrated the system using stolen credentials, which are believed to have been purchased on the dark web after a phishing attack. The perpetrators gained access to 4 terabytes of sensitive data and crippled healthcare operations across the U.S.

As a result of the incident, 190 million individuals’ private health information, including Social Security numbers and medical records, was compromised. Nationwide billing, insurance claims and pharmacy services were disrupted for weeks, severely impacting patient care and provider revenue. Despite paying a $22 million ransom, Change Healthcare wasn’t able to recover the stolen data.

Pepco Group loses €15.5 million in sophisticated phishing attack

In February 2024, Pepco Group, a leading European retailer, suffered a major phishing attack, resulting in a whopping €15.5 million (about $16.8 million) loss. Cybercriminals spoofed legitimate employee emails, deceiving finance staff into transferring funds to fraudulent accounts.

While details remain unclear, experts speculate the attack involved AI-enhanced business email compromise (BEC) techniques, making it nearly impossible for employees to detect the deception. Advanced phishing tactics like these are becoming a growing threat, with bad actors leveraging AI to craft highly convincing scams.

Although no customer, supplier or staff data was compromised, the financial loss highlights the urgent need for stronger anti-phishing solutions, security awareness training and multilayered defenses against evolving cyberthreats.

The dangers of credential phishing

Credential phishing allows threat actors to steal login credentials and gain unauthorized access to your organization’s critical systems. The consequences can be damaging, including massive financial losses, business disruptions and even regulatory penalties for non-compliance.

Compromised accounts and data breaches

Once cybercriminals gain access to SaaS admin or user accounts, they can exfiltrate sensitive business information, disrupt workflows and even distribute malware within your organization.

Business disruptions and financial losses

Credential phishing can bring critical business operations to a grinding halt, cause revenue loss and damage your organization’s reputation. Additionally, hackers can use stolen credentials to interfere with your cloud applications, lock users out of their systems or demand ransom.

Credential stuffing and dark web exposure

Cybercriminals often sell stolen credentials on dark web marketplaces, allowing other cybercriminal groups to exploit them in credential stuffing attacks — automated attempts to log into multiple accounts using the same credentials.

Regulatory and compliance risks

With industry regulations, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) and Payment Card Industry Data Security Standards (PCI-DSS), becoming more stringent, a credential phishing breach could result in heavy fines, legal consequences and loss of customer trust.

Best practices to protect users and businesses from credential phishing

To stay ahead of sophisticated credential phishing attacks, your organization must implement strong security measures that go beyond basic password protection. Here are some best practices to consider to strengthen your defenses against credential phishing.

User awareness and training

Provide regular security awareness training to educate your employees about the latest phishing trends and equip them to recognize phishing attempts. Conduct simulated phishing tests to improve awareness and identify potential risk areas. Promote a “Think Before You Click” culture to minimize the risk of falling for phishing scams.

Multifactor authentication

Multifactor authentication (MFA) is an essential security measure; however, MFA alone is no longer enough against today’s increasingly sophisticated phishing attacks. Cybercriminals have developed methods to bypass MFA using “token theft.”

In token theft, as the name suggests, attackers steal session tokens, which lets them bypass MFA and access accounts without needing the victim’s credentials again. This technique is often used in man-in-the-middle (MitM) attacks, malware infections and phishing campaigns.

To strengthen security, organizations should go beyond traditional MFA by implementing phishing-resistant authentication methods, such as hardware security keys, biometrics and continuous user verification to mitigate evolving threats.

Email security and anti-phishing solutions

Deploy powerful anti-phishing solutions like Graphus to block suspicious emails before they reach your employee inboxes. Look for advanced, AI-driven security solutions with machine learning (ML) capabilities that automatically detect suspicious patterns and continuously adapt to new threats.

Password hygiene and management

Poor password practices, such as choosing easy-to-guess passwords or reusing the same password across multiple accounts, remain among the biggest security vulnerabilities for businesses.

Encourage your users to create long, complex passwords that combine uppercase and lowercase letters, numbers and special characters. Establish policies for periodic password updates.

Use dark web monitoring tools to identify leaked or exposed credentials and take immediate action to secure affected accounts.

Zero trust security approach

When it comes to cybersecurity, you must never assume trust but always verify. Implement role-based access controls (RBAC) to ensure users only have access to the data and systems necessary for their roles. Additionally, you must continuously monitor and verify user activities before granting access.

Strengthening protection with ID Agent’s anti-phishing defense & dark web monitoring

While best practices help mitigate risk, your organization needs advanced security solutions to stay ahead of phishing threats.

Graphus: AI-powered phishing protection for smarter security

Graphus is an advanced, AI-driven anti-phishing solution designed to safeguard employee inboxes from ransomware, BEC attacks and other cyberthreats with patented automation. Its EmployeeShield feature empowers employees to easily identify and report suspicious emails, block them as junk or mark them as safe with just one click.

With Graphus, your organization can automate phishing protection and secure every inbox, whether threats come from inside or outside your email platform. It protects your organization from a wide range of email-based attacks, including phishing, spear phishing, BEC, account takeover (ATO), identity spoofing, malware and ransomware.

Graphus seamlessly integrates with Microsoft 365 and Google Workspace via API — no complex configurations, no email rerouting. This frictionless setup instantly strengthens your organization’s security posture, providing robust defense against today’s most sophisticated cyberthreats.

“Using the Executive Spoofing feature, all I have to do is type in a name, or some variations of names, and Graphus will flag them as Executive Spoofing or even just outright block it, which actually has helped us avoid impersonation scams.” — Matt McDonnell, Director of Technology, Loyola School

Stay ahead of cybercriminals with Dark Web ID

With cyberthreats evolving rapidly, Dark Web ID ensures your organization stays ahead of potential breaches by proactively protecting your brand, employees and executives. This powerful solution leverages both human and AI-driven detection to provide 24/7 monitoring of business and personal credentials, including domains, IP addresses and emails.

Dark Web ID continuously scans dark web marketplaces and data dumps for compromised credentials, alerting you instantly so you can take swift action before cybercriminals exploit stolen data. It also provides invaluable data analytics that helps to identify security gaps, inform employee training needs and highlight where MFA and single sign-on (SSO) are warranted.

“When we deployed Dark Web ID, we found that there were hundreds, if not thousands, of our users’ credentials in data dumps, some dating back 10-15 years. So, we have strengthened our cybersecurity program through awareness training and a stronger password policy. We can confidently say that since we’ve structured that portion of our cybersecurity program, we have not noticed any new credentials being leaked.” — Gregory Jones, CISO, Xavier University of Louisiana

Credential phishing is an evolving and persistent threat to SaaS security. Don’t wait until it’s too late! Secure your SaaS environment with ID Agent’s advanced anti-phishing defense and dark web monitoring. Book a demo today!