The Serverless Spectre: How TokenFlare is Redefining M365 Phishing with Built-In Intune Bypasses

TokenFlare

Serverless AITM Phishing Simulation Framework for Entra ID / M365

Features

  • Lean: Core logic (in src/worker.js only ~530 lines of JavaScript).
  • Modular: Supports a number of OAuth flows, with Intune Conditional Access bypass support out of the box
  • Easily tweaked: Set up client branding, URL structure (custom lure path and parameter), final redirect after completing auth, and more, with the semi-interactive tokenflare configure campaign subcommand.
  • Local or remote deployment: Supports getting SSL certs with Certbot for you, or deployment to CF directly.
  • Built in OpSec: bot and scraper blocking, your campaign wouldn’t be burnt in 10 minutes.
  • Fast: get working, production ready infra within minutes.

Advanced Use Cases & Future Development

TokenFlare is under active development. Current and planned features include:

  • Better campaign management: More commands for existing infra, for example infra cf listinfra cf remove <worker>.
  • Token redemption: The /oauth2/v2.0/token endpoint support for exchanging authorization codes for access and refresh tokens (WIP)
  • Passkey downgrade attacks: Techniques for environments with FIDO2/passkey requirements
  • Turnstile/reCAPTCHA integration: For scenarios requiring additional bot protection
  • Static HTML responses: Custom landing pages before or after the Auth is complete, for if you’d not want to redirect the user away.
  • Entra Terms of Use bypass: For environments with ToU acceptance requirements

How TokenFlare Works

TokenFlare phishing framework

The core concept is straightforward:

  1. User clicks your lure URL and hits the TokenFlare Worker, which runs the 530 lines of JavaScript in worker.js
  2. Worker initiates an OAuth2 authorization flow against login.microsoftonline.com
  3. User sees Microsoft’s legitimate login page (with your client branding if configured)
  4. User enters credentials and completes MFA
  5. Microsoft returns session cookies (ESTSAUTHESTSAUTHPERSISTENT) to the Worker
  6. Worker captures and forwards credentials/cookies to your webhook
  7. User is redirected to a legitimate destination (e.g., the real SharePoint site they expected)

All the TLS, routing, and edge infrastructure is handled by CloudFlare. Your Worker is just ~530 lines of JavaScript focused on the proxy logic and credential interception.

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce