The Serverless Spectre: How TokenFlare is Redefining M365 Phishing with Built-In Intune Bypasses
TokenFlare
Serverless AITM Phishing Simulation Framework for Entra ID / M365
Features
- Lean: Core logic (in
src/worker.jsonly ~530 lines of JavaScript). - Modular: Supports a number of OAuth flows, with Intune Conditional Access bypass support out of the box
- Easily tweaked: Set up client branding, URL structure (custom lure path and parameter), final redirect after completing auth, and more, with the semi-interactive
tokenflare configure campaignsubcommand. - Local or remote deployment: Supports getting SSL certs with Certbot for you, or deployment to CF directly.
- Built in OpSec: bot and scraper blocking, your campaign wouldn’t be burnt in 10 minutes.
- Fast: get working, production ready infra within minutes.
Advanced Use Cases & Future Development
TokenFlare is under active development. Current and planned features include:
- Better campaign management: More commands for existing infra, for example
infra cf list,infra cf remove <worker>. - Token redemption: The
/oauth2/v2.0/tokenendpoint support for exchanging authorization codes for access and refresh tokens (WIP) - Passkey downgrade attacks: Techniques for environments with FIDO2/passkey requirements
- Turnstile/reCAPTCHA integration: For scenarios requiring additional bot protection
- Static HTML responses: Custom landing pages before or after the Auth is complete, for if you’d not want to redirect the user away.
- Entra Terms of Use bypass: For environments with ToU acceptance requirements
How TokenFlare Works
The core concept is straightforward:
- User clicks your lure URL and hits the TokenFlare Worker, which runs the 530 lines of JavaScript in worker.js
- Worker initiates an OAuth2 authorization flow against
login.microsoftonline.com - User sees Microsoft’s legitimate login page (with your client branding if configured)
- User enters credentials and completes MFA
- Microsoft returns session cookies (
ESTSAUTH,ESTSAUTHPERSISTENT) to the Worker - Worker captures and forwards credentials/cookies to your webhook
- User is redirected to a legitimate destination (e.g., the real SharePoint site they expected)
All the TLS, routing, and edge infrastructure is handled by CloudFlare. Your Worker is just ~530 lines of JavaScript focused on the proxy logic and credential interception.
Install & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce
