TokenFlare: Phishing Upgraded - The Little Serverless AiTM Framework That Could
This talk introduces TokenFlare, a lightweight, serverless framework designed to facilitate Attacker-in-the-Middle (AiTM) phishing campaigns. By leveraging cloud-native serverless functions, the tool automates the reverse proxying of authentication flows, enabling the capture of credentials and session cookies while bypassing traditional MFA. The presentation highlights the framework's ease of deployment, built-in operational security (OpSec) features, and its utility in testing conditional access policies. The speaker also discusses the shift toward browser-based attack vectors and provides a practical demonstration of the tool's deployment and configuration.
Bypassing MFA with Serverless AiTM: A Look at TokenFlare
TLDR: TokenFlare is a new, lightweight framework that automates Attacker-in-the-Middle (AiTM) phishing by leveraging serverless functions to proxy authentication flows. By automating the capture of session cookies and credentials, it effectively bypasses traditional MFA implementations like SMS or push notifications. Pentesters can use this tool to test conditional access policies and demonstrate the risks of session-based attacks in modern cloud environments.
Modern authentication is shifting away from static passwords, but the underlying reliance on session tokens remains a massive blind spot. While organizations scramble to implement MFA, they often fail to account for the fact that once a session is established, the token itself is the key to the kingdom. Attackers have known this for years, but the tooling required to execute a reliable AiTM attack has historically been clunky, resource-intensive, and difficult to customize for specific engagement needs.
TokenFlare changes this by moving the infrastructure into the serverless realm. Instead of managing a dedicated VPS or wrestling with complex reverse proxy configurations, this framework uses cloud-native functions to handle the heavy lifting. It turns the entire phishing infrastructure into a lean, manageable, and highly portable set of scripts.
The Mechanics of Serverless AiTM
At its core, TokenFlare functions as a sophisticated reverse proxy. When a target clicks a lure URL, the framework intercepts the request and forwards it to the legitimate Identity Provider (IdP), such as Microsoft Entra ID. The user interacts with what they believe is the real login page, enters their credentials, and completes their MFA challenge.
Because the framework sits in the middle, it captures the resulting session cookies as they are returned from the IdP. These cookies are then exfiltrated to the attacker, who can import them into a browser to impersonate the user without ever needing to solve the MFA challenge themselves. This is a classic implementation of MITRE ATT&CK technique T1557 (Adversary-in-the-Middle), but the serverless architecture makes it significantly more resilient and easier to deploy during a red team engagement.
The framework is built on a simple Python wrapper that handles the deployment of the core logic, which is written in JavaScript. This separation is intentional. The Python CLI manages the environment, handles the configuration, and automates the deployment to platforms like Cloudflare Workers. The actual proxy logic is contained in a single, lightweight file, making it trivial to audit or modify for specific test scenarios.
Streamlining the Engagement Workflow
One of the biggest hurdles in AiTM phishing is the operational overhead. You need to handle SSL certificates, manage redirects, and ensure the phishing page looks identical to the target's environment. TokenFlare automates these tasks through a series of simple commands:
python3 tokenflare.py init <domain>
python3 tokenflare.py configure cf
python3 tokenflare.py configure campaign
python3 tokenflare.py deploy remote
The configuration process is interactive, guiding the operator through the necessary setup, including defining allowed IP addresses for testing and configuring the target tenant. This is a massive improvement over manual proxy setups where a single misconfiguration in the redirect logic can break the entire flow. By using a wrangler.toml file to manage variables, the framework allows for rapid iteration and version control of the phishing campaign.
Testing Conditional Access Policies
The real value of this tool for a pentester lies in its ability to test Conditional Access Policies. Many organizations assume that requiring a managed device or a specific browser will stop an attacker. TokenFlare allows you to manipulate the User-Agent and other request headers to simulate different device profiles.
If a client has a policy that only allows access from specific browsers or managed devices, you can configure the framework to present the necessary headers to the IdP. This allows you to demonstrate that these controls are often bypassable if the attacker can successfully proxy the authentication flow. It shifts the conversation from "we have MFA" to "how do we protect the session token once it is issued?"
Defensive Considerations
Defending against AiTM attacks requires moving beyond simple MFA. If an attacker can capture a session cookie, they can bypass even the most robust MFA setup. Organizations should prioritize the implementation of FIDO2-based hardware security keys, which are cryptographically bound to the origin and cannot be proxied by an AiTM framework.
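Why origin binding defeats a proxy, as an added example that is not TokenFlare code: a relying party performing the standard WebAuthn assertion checks rejects an assertion whose clientDataJSON origin is the proxy's domain rather than the IdP's. RP_ID, RP_ORIGIN and the proxy domain are constructed placeholders; signature verification is omitted because it does not change the outcome shown.

```python
import base64
import hashlib
import json

# Constructed relying-party values standing in for the legitimate IdP.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin, challenge):
    """Build the client half of a WebAuthn assertion the way a browser would:
    clientDataJSON records the origin the page was really loaded from, and
    authenticatorData starts with SHA-256 of the RP ID the credential is scoped to."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion, expected_challenge):
    """Relying-party checks from the WebAuthn verification procedure:
    ceremony type, challenge, origin and rpIdHash. Returns (ok, reason)."""
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        # A proxied login page runs on the attacker's origin, so this check fails.
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"
```
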
Additionally, monitoring for anomalous sign-in patterns, such as impossible travel or logins from unexpected IP ranges, remains critical. While TokenFlare attempts to blend in by using legitimate cloud infrastructure, the underlying traffic patterns to the IdP will still differ from a standard user session. Blue teams should focus on detecting the initial redirection to the phishing domain and the subsequent use of stolen session tokens in their environment.
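One way to surface the reuse of a stolen session token, as an added example (not part of the talk or the TokenFlare project): group sign-in and activity events by session id and flag a session whose token is later presented from a different IP than the one it was issued to, recording whether the user agent changed as well. The log lines are constructed sample data in a hypothetical JSON format; real IdP logs have their own schema.

```python
import json
from collections import defaultdict

# Constructed sample events (not real logs). A "signin" event issues a session id;
# later "activity" events present that session id again.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "type": "signin", "user": "alice", "session": "s-001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T08:05:00Z", "type": "activity", "user": "alice", "session": "s-001", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": "2024-05-01T08:20:00Z", "type": "activity", "user": "alice", "session": "s-001", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"}
{"ts": "2024-05-01T09:00:00Z", "type": "signin", "user": "bob", "session": "s-002", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2024-05-01T09:30:00Z", "type": "activity", "user": "bob", "session": "s-002", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_replayed_sessions(events):
    """Return one finding per session whose token is used from an IP other than
    the one it was issued to. ua_changed is informational: an attacker who copies
    the victim's User-Agent still trips the IP check."""
    issued = {}
    findings = []
    seen = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort correctly
        if ev["type"] == "signin":
            issued[ev["session"]] = ev
            continue
        origin = issued.get(ev["session"])
        if origin is None or ev["ip"] == origin["ip"]:
            continue
        if ev["ip"] in seen[ev["session"]]:
            continue  # already reported this session from this IP
        seen[ev["session"]].add(ev["ip"])
        findings.append({
            "session": ev["session"],
            "user": ev["user"],
            "issued_ip": origin["ip"],
            "seen_ip": ev["ip"],
            "ua_changed": ev["ua"] != origin["ua"],
            "ts": ev["ts"],
        })
    return findings
```

A real deployment would enrich issued_ip and seen_ip with ASN and geolocation so that impossible-travel logic can be layered on top of the raw IP comparison.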
The shift toward browser-based attack vectors is not slowing down. As we move more of our workflows into the cloud, the browser becomes the primary endpoint for both users and attackers. Tools like TokenFlare are a reminder that our security assumptions need to evolve as quickly as the infrastructure we are testing. If you are not already incorporating session-based attack simulations into your red team engagements, you are missing a significant portion of the modern threat surface. Download the TokenFlare repository and start testing your assumptions against your own infrastructure.