📢 Handala wipes Stryker Corporation via Microsoft Intune: 56,000 employees affected in 61 countries
📝 *The pro-Palestinian hacktivist group Handala, linked to Iran, compromised the Global Admin credentials of Stryk...
📖 cyberveille: https://cyberveille.ch/posts/2026-03-21-handala-wipe-stryker-corporation-via-microsoft-intune-56-000-employes-impactes-dans-61-pays/
🌐 source: https://www.threathunter.ai/blog/iran-handala-stryker-wiper-detection-pack/
#Entra_ID #Handala #Cyberveille
Handala wipes Stryker Corporation via Microsoft Intune: 56,000 employees affected in 61 countries

The pro-Palestinian hacktivist group Handala, linked to Iran, compromised Stryker Corporation's Global Admin credentials to trigger a mass wipe via Microsoft Intune on 11 March 2026.

CyberVeille

🛠️ Tool
===================

Opening:
TokenFlare is an open-source, serverless Adversary-in-the-Middle (AiTM) phishing framework focused on Entra ID and Microsoft 365 authentication flows. The project packages capabilities to capture post-authentication artifacts (session cookies, tokens) and to exchange them for API access via Microsoft Graph.

Key Features:
• Credential and session capture: captures credentials and session cookies at phishing interaction time.
• Serverless infrastructure: designed to run on serverless platforms (notably Cloudflare Workers) to provide TLS, scalability, and obfuscation of hosting.
• Post-auth exploitation path: uses captured session material to perform actions via Graph API for lateral access or demonstration purposes.
• Operational tooling: interactive campaign configuration, webhook delivery of captured artifacts, and built-in bot/anti-automation protections.

Technical Implementation:
• Architecture centers on a stateless serverless front end that handles the phishing interaction, stores minimal transient state, and forwards captured session material to a collector endpoint.
• Use of session cookies and tokens enables exchange into API access where permissions permit; the framework demonstrates how post-auth artifacts can be reused to query Microsoft Graph.
• Design choices prioritize low overhead for operators: SSL and bot protection are provided by the hosting platform, while credential delivery is webhook-driven.

Use Cases:
• Red team engagements that aim to test identity controls without deploying agents to endpoints.
• Purple-team exercises demonstrating the impact of exposed session tokens and inadequate session revocation.
• Security assessments focused on conditional access, token lifetimes, and Graph API permissions.

Limitations and Considerations:
• Effective operation depends on the hosting platform and on captured artifacts that retain validity; short token lifetimes or strong conditional access policies reduce efficacy.
• Detection requires correlating anomalous token use, session reuse, and unexpected Graph API calls originating from novel serverless hosts.
• Not novel in technique: commoditised AiTM kits exist on underground markets; TokenFlare provides an authorized testing equivalent.

References and Context:
• The framework was used in 15+ engagements and publicly demonstrated at a security conference; it is published as an open-source project for authorised testers.
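A defender-side illustration of the detection point above (correlating session reuse from a new host): this is an added example, not code from TokenFlare or JUMPSEC Labs. It runs over constructed sign-in style records (the field names and the 60-minute window are assumptions, not a product schema) and flags a session id that reappears from a different ASN or user agent shortly after the interactive sign-in, which is the trace a replayed session cookie leaves in the logs.

```python
"""Flag likely session-token replay in Entra ID sign-in style records.

Added example for this page; the record fields and sample events are
constructed to resemble sign-in logs and are not a real schema.
"""
from datetime import datetime, timedelta

# Constructed sample: alice signs in interactively from a browser, then the
# same sessionId is used minutes later from another ASN with a scripted
# client against Microsoft Graph. bob's session is reused consistently.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T09:00:00", "user": "alice@example.com", "sessionId": "s-1",
     "ip": "203.0.113.10", "asn": "AS64496", "ua": "Edge/124", "resource": "Office Home"},
    {"time": "2025-06-01T09:04:00", "user": "alice@example.com", "sessionId": "s-1",
     "ip": "198.51.100.7", "asn": "AS64500", "ua": "python-requests/2.31", "resource": "Microsoft Graph"},
    {"time": "2025-06-01T10:00:00", "user": "bob@example.com", "sessionId": "s-2",
     "ip": "203.0.113.11", "asn": "AS64496", "ua": "Edge/124", "resource": "Office Home"},
    {"time": "2025-06-01T11:00:00", "user": "bob@example.com", "sessionId": "s-2",
     "ip": "203.0.113.11", "asn": "AS64496", "ua": "Edge/124", "resource": "Microsoft Graph"},
]


def find_session_replay(events, window=timedelta(minutes=60)):
    """Return (user, sessionId, reason) for sessions whose later use within
    `window` of first sight comes from a new ASN or a new user agent."""
    first_seen = {}  # (user, sessionId) -> (time, asn, ua) of the first event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["sessionId"])
        if key not in first_seen:
            first_seen[key] = (t, ev["asn"], ev["ua"])
            continue
        t0, asn0, ua0 = first_seen[key]
        if t - t0 > window:  # assumed window; tune to the tenant's token lifetimes
            continue
        reasons = []
        if ev["asn"] != asn0:
            reasons.append(f"new ASN {ev['asn']} (first seen {asn0})")
        if ev["ua"] != ua0:
            reasons.append(f"new user agent {ev['ua']!r} hitting {ev['resource']}")
        if reasons:
            alerts.append((ev["user"], ev["sessionId"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for user, sid, reason in find_session_replay(SAMPLE_EVENTS):
        print(f"ALERT {user} session {sid}: {reason}")
```

A hit on this rule is a cue to revoke the user's sessions and refresh tokens, not just to reset the password, since a replayed cookie survives a password change until it is revoked.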

🔹 tool #M365 #Cloudflare #Entra_ID #phishing

🔗 Source: https://labs.jumpsec.com/tokenflare-serverless-AiTM-phishing-in-under-60-seconds/

TokenFlare: Serverless AiTM Phishing in Under 60 Seconds

At Beac0n 2025, I counted the talks. Five were about payloads, C2 frameworks, and endpoint evasion. One covered physical security. One was AI. And one (mine) was about cloud-native identity attacks.

JUMPSEC Labs
📢 Takeover of an SCCM hierarchy via Entra ID integration (CVE-2025-59501), fixed by KB35360093
📝 Source: SpecterOps (blog post, 19 Nov.
📖 cyberveille: https://cyberveille.ch/posts/2025-11-21-prise-de-controle-dune-hierarchie-sccm-via-integration-entra-id-cve-2025-59501-corrigee-par-kb35360093/
🌐 source: https://specterops.io/blog/2025/11/19/sccm-hierarchy-takeover-via-entra-integrationbecause-of-the-implication/
#CVE_2025_59501 #Entra_ID #Cyberveille
Takeover of an SCCM hierarchy via Entra ID integration (CVE-2025-59501), fixed by KB35360093

Source: SpecterOps (blog post, 19 Nov. 2025). Context: a research publication detailing a vulnerability in SCCM integrated with Entra ID, assigned CVE-2025-59501, with a fix released on 27 Oct. 2025 (KB35360093) and a disclosure timeline. The post explains that, on SCCM sites integrated with Microsoft Entra ID (CMG/co-management) and before the KB35360093 fix, the AdminService API validates an Entra token and then extracts the UPN to perform Kerberos S4U impersonation of the matching Active Directory account, without any additional authorization check on the UPN. This made it possible to execute WMI operations on the SMS Provider side "on behalf of" any AD identity that could be mapped via the UPN.

CyberVeille
Using PostgreSQL with .NET and Entra ID - .NET Blog

Getting started with .NET and PostgreSQL, and using Entra ID to secure your app.

.NET Blog