Adversary-in-the-middle (AiTM) phishing has become the dominant technique for compromising Microsoft cloud identities, the identity perimeter of the majority of organisations in the UK. Yet most available emulation tools are either clunky or brittle. Red teams need something lightweight and practical to mirror the same tradecraft threat actors now buy off the shelf.
TokenFlare is our answer: a modular, serverless AiTM framework that runs in Cloudflare Workers with minimal setup. Built for operators, it clones sign-in flows seamlessly, supports conditional access bypasses, and scales without infrastructure pain. We've battle-tested it in engagements for over a year, and now we're releasing it as open source.
This talk introduces TokenFlare's design, showcases its capabilities, and shares lessons from real-world red team campaigns using the toolkit. Attendees will leave with a deeper understanding of modern AiTM techniques and a practical, reproducible framework to emulate adversaries or strengthen defences.