Tag: TokenFlare

  • The Serverless Spectre: How TokenFlare is Redefining M365 Phishing with Built-In Intune Bypasses

    TokenFlare

    Serverless AITM Phishing Simulation Framework for Entra ID / M365

    Features

    • Lean: Core logic lives in src/worker.js, only ~530 lines of JavaScript.
    • Modular: Supports a number of OAuth flows, with Intune Conditional Access bypass support out of the box.
    • Easily tweaked: Set up client branding, URL structure (custom lure path and parameter), the final redirect after auth completes, and more, with the semi-interactive tokenflare configure campaign subcommand.
    • Local or remote deployment: Can obtain TLS certificates with Certbot for you, or deploy directly to Cloudflare (CF).
    • Built-in OpSec: bot and scraper blocking, so your campaign won't be burnt within 10 minutes.
    • Fast: get working, production-ready infra within minutes.

    Advanced Use Cases & Future Development

    TokenFlare is under active development. Current and planned features include:

    • Better campaign management: More commands for existing infra, for example infra cf list and infra cf remove <worker>.
    • Token redemption: Support for the /oauth2/v2.0/token endpoint to exchange authorization codes for access and refresh tokens (WIP).
    • Passkey downgrade attacks: Techniques for environments with FIDO2/passkey requirements.
    • Turnstile/reCAPTCHA integration: For scenarios requiring additional bot protection.
    • Static HTML responses: Custom landing pages before or after auth completes, for when you do not want to redirect the user away.
    • Entra Terms of Use bypass: For environments with ToU acceptance requirements.

    How TokenFlare Works

    TokenFlare phishing framework

    The core concept is straightforward:

    1. User clicks your lure URL and hits the TokenFlare Worker, which runs the 530 lines of JavaScript in worker.js
    2. Worker initiates an OAuth2 authorization flow against login.microsoftonline.com
    3. User sees Microsoft’s legitimate login page (with your client branding if configured)
    4. User enters credentials and completes MFA
    5. Microsoft returns session cookies (ESTSAUTH and ESTSAUTHPERSISTENT) to the Worker
    6. Worker captures and forwards credentials/cookies to your webhook
    7. User is redirected to a legitimate destination (e.g., the real SharePoint site they expected)

    All the TLS, routing, and edge infrastructure is handled by Cloudflare. Your Worker is just ~530 lines of JavaScript focused on the proxy logic and credential interception.

    Install & Use