2025-12-13, Track 3
AiTM phishing has become the dominant technique for compromising Microsoft cloud identities - the identity perimeter of the majority of organisations in the UK. Yet most available emulation tools are either clunky or brittle. Red teams need something lightweight and practical to mirror the same tradecraft threat actors now buy off the shelf.
TokenFlare is our answer: a modular, serverless AiTM framework that runs in Cloudflare Workers with minimal setup. Built for operators, it clones sign-in flows seamlessly, supports conditional access bypasses, and scales without infrastructure pain. We've battle-tested it in engagements for over a year, and now we're releasing it as open source.
This talk introduces TokenFlare's design, showcases its capabilities, and shares lessons from real-world red team campaigns using the toolkit. Attendees will leave with a deeper understanding of modern AiTM techniques and a practical, reproducible framework to emulate adversaries or strengthen defences.
Threat intelligence shows that AiTM phishing has become frictionless for threat actors and frustrating for defenders, particularly as Entra ID dominates enterprise identity. While adversaries benefit from slick phishing-as-a-service kits purchased on the dark web, red teams are left with open-source options that are clunky to deploy, break the target's user experience, or hide behind steep, sometimes paywalled, learning curves.
TokenFlare was built to close that gap. It’s a serverless AiTM framework running entirely in Cloudflare Workers - about 450 lines of JavaScript that replicate adversary-grade phishing tradecraft with minimal setup. With a single command, operators can deploy an environment that clones Microsoft sign-in flows seamlessly, captures post-MFA tokens, and keeps non-targets safely redirected. Under the hood, it offers bot blocking, IP allowlisting, conditional access bypass, and notifications through Slack or any webhook.
We'll show how TokenFlare works in practice: from initial deployment through to lessons learned from using it in production for more than a year. We'll highlight how defenders can detect these techniques, and walk through its open-source release.
Head of adversary simulation at JUMPSEC - loves all things cloud native, aka the Entra ID guy within our team.
