
Credential Phishing

By NHI Mgmt Group Updated June 24, 2026 Domain: Threats, Abuse & Incident Response

Credential phishing is a social engineering attack that tricks a person into handing over login secrets such as passwords or passcodes. In identity programmes, it matters because the stolen secret can be reused to impersonate the user, access applications, and bypass ordinary authentication controls.

Expanded Definition

Credential phishing is a deceptive capture of authentication secrets, but in NHI security it also matters because a stolen password, passcode, API key, or session token can become a reusable control bypass. That makes the term broader than ordinary end-user fraud: it includes lures sent by email, chat, code repositories, collaboration tools, and even fake login flows that collect secrets from operators, developers, or automation owners. In practice, the risk is not only the initial theft but the downstream reuse of that secret in scripts, CI/CD systems, cloud consoles, and delegated access paths.

Definitions vary across vendors on whether phishing must involve an interactive prompt or whether any social-engineered secret capture qualifies. NHI Management Group treats both as credential phishing when the attacker’s objective is unauthorized credential acquisition through deception. This aligns with the intent of the OWASP Non-Human Identity Top 10 and with the assurance model in NIST SP 800-63 Digital Identity Guidelines, where secret handling and authenticator strength determine whether impersonation becomes possible.

The most common misapplication is treating credential phishing as only a human-user problem, which occurs when teams ignore service accounts, developer tokens, and helpdesk workflows that expose secrets to the same lure techniques.

Examples and Use Cases

Implementing anti-phishing controls rigorously often introduces friction in login, support, and recovery workflows, requiring organisations to weigh faster access against stronger verification and secret handling.

  • A developer receives a counterfeit cloud sign-in page and enters a long-lived API key, which is then used to impersonate an automation workflow.
  • A finance operator approves a “re-authentication” request in a messaging app, exposing a passcode that an attacker reuses to access privileged SaaS tooling.
  • A support engineer is redirected from a fake internal ticket link to a lookalike SSO portal, resulting in stolen credentials that unlock shared admin tooling.
  • A CI/CD maintainer is tricked into pasting a token into a bogus secret-validation page, enabling lateral movement through build and deployment systems, a pattern discussed in the Guide to the Secret Sprawl Challenge.
  • An attacker emails a contractor a “security verification” form that captures both password and MFA code, a tactic that becomes more dangerous when secrets are stored statically rather than rotated dynamically, as explained in Ultimate Guide to NHIs, Static vs Dynamic Secrets.

For implementation guidance, organisations can map these scenarios to phishing-resistant identity controls in the OWASP guidance and to authenticator assurance requirements in NIST, especially where secrets are still accepted as a fallback during recovery or operator support.

Why It Matters in NHI Security

Credential phishing is especially damaging in NHI environments because one captured secret can expose many non-human identities, not just one user. Shared tokens, embedded secrets, and automation credentials often sit outside the normal visibility of identity teams, so a single deception event can cascade into cloud compromise, source-code theft, or unauthorized pipeline execution. NHIMG research shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which expands the attack surface for phishing and impersonation.

This is why credential phishing is tightly connected to secret sprawl, static credentials, and weak recovery practices. When operators can retrieve or reuse secrets informally, phishing becomes easier and detection becomes slower. NHI security teams must therefore treat secret acquisition as an identity event, not just a user-awareness problem, and pair it with rotation, vaulting, phishing-resistant authentication, and access review. The same logic applies to exposed workload credentials discussed in NHIMG case studies such as the Cisco Active Directory credentials breach and the 230M AWS environment compromise.

Organisations typically encounter the operational cost of credential phishing only after a token reuse incident, at which point identity tracing, secret rotation, and containment become unavoidable.
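The two signals this section calls for, reuse of a stolen secret from somewhere it has never been used before and static credentials that have outlived their rotation window, can be checked mechanically. The script below is an added example, not NHIMG code or anything from the case studies cited here. It assumes a JSON-lines authentication log with the fields ts, key_id, principal, source_ip and user_agent, plus a key inventory that records each key's creation time; the key names, addresses and thresholds are constructed for illustration.

```python
"""Added example (not NHIMG code): flag phishing-driven reuse of API keys and
static secrets that are overdue for rotation.

Assumptions not taken from the glossary entry: authentication events arrive as
JSON lines with the fields ts (ISO 8601), key_id, principal, source_ip and
user_agent, and a key inventory maps each key_id to its creation time. Key
names, addresses and thresholds below are constructed for illustration.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Keys older than this are long-lived static secrets that should be rotated.
MAX_KEY_AGE = timedelta(days=90)
# Origins seen during a key's first N days of activity form its baseline.
BASELINE_WINDOW = timedelta(days=14)

# Constructed key inventory: key_id -> creation timestamp.
KEY_INVENTORY = {
    "akia-build-01": "2026-01-05T09:00:00Z",
    "tok-deploy-07": "2026-06-20T08:00:00Z",
}

# Constructed authentication log. The 203.0.113.44 event models a build key
# that was phished from a developer and replayed from outside the CI fleet.
SAMPLE_LOG = """\
{"ts": "2026-06-01T08:00:00Z", "key_id": "akia-build-01", "principal": "svc-build", "source_ip": "10.20.0.5", "user_agent": "ci-runner/3.2"}
{"ts": "2026-06-05T08:05:00Z", "key_id": "akia-build-01", "principal": "svc-build", "source_ip": "10.20.0.5", "user_agent": "ci-runner/3.2"}
{"ts": "2026-06-10T08:01:00Z", "key_id": "akia-build-01", "principal": "svc-build", "source_ip": "10.20.0.6", "user_agent": "ci-runner/3.2"}
{"ts": "2026-06-21T09:00:00Z", "key_id": "tok-deploy-07", "principal": "svc-deploy", "source_ip": "10.20.0.9", "user_agent": "ci-runner/3.2"}
{"ts": "2026-06-23T02:14:00Z", "key_id": "akia-build-01", "principal": "svc-build", "source_ip": "203.0.113.44", "user_agent": "python-requests/2.31"}
{"ts": "2026-06-24T09:00:00Z", "key_id": "tok-deploy-07", "principal": "svc-deploy", "source_ip": "10.20.0.9", "user_agent": "ci-runner/3.2"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(text: str) -> list[dict]:
    """Parse JSON-lines log text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_reuse(events: list[dict], inventory: dict[str, str],
                 now: datetime | None = None) -> list[dict]:
    """Return findings for (a) a key used from an origin outside its learned
    baseline and (b) keys in the inventory older than MAX_KEY_AGE.

    The baseline here is learned from the log itself (the key's first
    BASELINE_WINDOW of activity); in production it would come from history,
    since a key first observed from attacker infrastructure has no baseline.
    """
    findings: list[dict] = []
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    first_seen: dict[str, datetime] = {}
    baseline: dict[str, set[tuple[str, str]]] = defaultdict(set)

    for event in ordered:
        ts = parse_ts(event["ts"])
        key = event["key_id"]
        origin = (event["source_ip"], event["user_agent"])
        first_seen.setdefault(key, ts)
        if ts - first_seen[key] <= BASELINE_WINDOW:
            baseline[key].add(origin)          # still learning normal origins
        elif origin not in baseline[key]:      # post-baseline, unseen origin
            findings.append({
                "key_id": key,
                "reason": "new_origin",
                "detail": f"{event['principal']} used from {origin[0]} "
                          f"({origin[1]}) at {event['ts']}",
            })

    if now is None:
        now = parse_ts(ordered[-1]["ts"]) if ordered else datetime.now(timezone.utc)
    for key, created in inventory.items():
        age = now - parse_ts(created)
        if age > MAX_KEY_AGE:
            findings.append({
                "key_id": key,
                "reason": "stale_static_key",
                "detail": f"{age.days} days old, rotation limit {MAX_KEY_AGE.days} days",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_reuse(load_events(SAMPLE_LOG), KEY_INVENTORY):
        print(f"{finding['reason']:17} {finding['key_id']:14} {finding['detail']}")
```

Run against the constructed log, the script reports two findings, both for akia-build-01: a new_origin hit for the replay from 203.0.113.44 with a non-CI user agent, and a stale_static_key hit because the key is well past the 90-day limit. tok-deploy-07 produces nothing, since it is young and only ever used from its baseline origin. Both findings are identity events in the sense this section describes: the response is rotation of the key and review of what it could reach, not just user awareness.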

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Secret capture and reuse are core non-human identity risks in OWASP NHI guidance. |
| NIST SP 800-63 |  | NIST defines authenticator strength and phishing resistance for digital identity systems. |
| NIST CSF 2.0 | PR.AA | Credential phishing undermines authentication and identity assurance outcomes. |

Eliminate exposed secrets, prefer short-lived credentials, and detect phishing-driven secret theft.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org