Adversaries have shifted from basic credential harvesting to Adversary-in-the-Middle (AiTM) campaigns that relay the victim's login in real time, intercepting the resulting session cookies and OAuth tokens and thereby sidestepping most multi-factor authentication. This talk analyzes modern phishing techniques, including OAuth consent hijacking, browser-based MITM proxies and attacks against token binding, and demonstrates two serverless approaches that provide stealthy, low-cost hosting for phishing operations.
We'll explore two techniques. First, Cloudflare Workers, with their global CDN, free TLS and scriptable edge logic. Second, a single-file approach using Express (Node.js) packaged into one portable JavaScript file that can be deployed with one click on any legitimate PaaS platform (Azure, AWS, DigitalOcean, Heroku, Vercel, Railway, etc.). Together, these techniques create transparent reverse proxies that blend into edge and mainstream cloud infrastructure and leave few infrastructure indicators of compromise for defenders to pivot on.
This dual-pronged approach enables red teams to establish distributed, resilient phishing infrastructure that appears entirely legitimate to security tools and investigators, operating seamlessly across both specialized edge platforms and mainstream cloud services.
The session will detail Microsoft Entra ID defenses (token binding, risk-based sign-in, consent screens, and FIDO2/passkeys), followed by an in-depth examination of bypass methods using both Cloudflare Workers and multi-PaaS deployment strategies. We'll walk through the end-to-end WebAuthn/passkey flow and discuss MITM strategies that attempt to subvert FIDO protections. We'll also cover methods for minimizing browser telemetry and share defensive best practices.
Attendees will gain insight into newly developed techniques spanning both edge computing and legitimate cloud platform deployment, and into the controls that still hold against them.