A fake login page shown after a user connects to a network, designed to collect usernames, passwords, or other account data. Unlike a normal portal, it is operated by an attacker and uses the user’s expectation of routine access to disguise credential theft.
Expanded Definition
Captive portal phishing is a credential theft technique that imitates the login prompt users expect after joining a network, especially public Wi Fi or guest access. The attacker relies on routine behaviour, not technical sophistication, to make the page feel normal enough to trigger trust and submission. In NHI security terms, the danger extends beyond human usernames and passwords because the same trick can be used to capture session tokens, SSO cookies, device enrollment data, or admin credentials that later unlock service consoles and automation tooling. That makes it relevant to broader identity governance, not just endpoint awareness.
Definitions vary across vendors on whether the term includes malicious portals that merely redirect to a phishing page or only those that fully mimic a real captive gateway. What matters operationally is the user expectation gap: the victim believes network access depends on authentication, so the fake page feels legitimate. Guidance in the NIST Cybersecurity Framework 2.0 supports treating this as an access and awareness problem, while the phishing lure itself often sits outside traditional perimeter controls. The most common misapplication is calling any browser login prompt “captive portal phishing,” which occurs when the page is not tied to a network join flow or uses a generic web login instead.
Examples and Use Cases
Implementing defences against captive portal phishing rigorously often introduces friction for legitimate guest access, requiring organisations to weigh convenience and onboarding speed against stronger authentication and clearer user verification.
- A traveler joins airport Wi Fi, sees a cloned branded portal, and enters corporate SSO credentials that are later reused against mail, VPN, or admin tools.
- An attacker sets up a rogue access point in a conference venue and serves a fake “sign in to continue” page that captures MFA recovery codes or password reset answers.
- A managed laptop auto-connects to a lookalike guest network, and the resulting page requests device registration data that can help with later impersonation or bypass attempts.
- A mobile workforce is redirected from a legitimate hotspot to a phishing portal that asks them to re-authenticate, creating a path to steal cloud access tokens and service account secrets.
- Campaign analysis tied to the Microsoft Midnight Blizzard breach shows how trusted login flows can be abused when users are conditioned to approve routine sign-in prompts.
For broader identity context, the Ultimate Guide to Non-Human Identities is useful because phishing often becomes a gateway to the secrets that power automation, not only the human account used first. The pattern also appears in credential harvesting tradecraft described by CISA guidance on phishing, where deceptive trust cues are central to compromise.
Why It Matters in NHI Security
Captive portal phishing matters because the initial stolen credential is often only the first step in a wider compromise chain. Once attackers obtain a human identity, they frequently pivot into NHI assets such as API keys, service account passwords, device trust tokens, or admin consoles used to issue and rotate secrets. That is why identity governance teams should treat the attack as a downstream risk to workload access, secret hygiene, and privileged automation, not just user awareness. It also undermines Zero Trust assumptions when a login prompt is accepted based on appearance rather than verified origin.
NHIMG research shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents resulting in tangible damage, a reminder that one deceptive portal can become a pathway into much broader exposure. The issue is especially severe when stolen credentials are reused to reach vaults, CI/CD systems, or cloud control planes, where compromise scales rapidly. The same broader pattern appears in Salt Typhoon US telecoms breach and CoPhish OAuth Token Theft via Copilot Studio, where trust abuse and token theft mattered as much as the initial lure. Organisations typically encounter captive portal phishing as a real business incident only after account misuse, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Captive portal phishing often targets secrets and token theft covered by improper secret management. |
| NIST CSF 2.0 | PR.AT | User awareness and adversary recognition are core defenses against phishing lures. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires verified access decisions, not trust in the appearance of a portal. | |
| NIST SP 800-63 | IAL/AAL | Stolen credentials from phishing undermine identity assurance and authentication strength. |
| OWASP Agentic AI Top 10 | A01 | Credential capture can be used to hijack agents and delegated tool access. |
Limit agent and workflow permissions so stolen user credentials do not expose automation paths.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org