
AiTM Phishing with Azure Functions

Recently I stumbled over a nice post from Wesley Neelen, who built an AiTM phishing toolkit based on a Cloudflare Worker. Although ‘proven’ AiTM phishing toolkits such as evilginx provide more capabilities in terms of flexibility and robustness, I wanted to set up my own phishing toolkit that runs serverless on Azure, based on Azure Functions, to phish some Entra ID credentials and cookies.

Advantages of serverless phishing toolkits

Serverless platform solutions such as Cloudflare Workers, AWS Lambda and Azure Functions provide some advantages over phishing toolkits that are server-based:

- No Infrastructure as a Service (IaaS) resources like virtual machines and public IP addresses are required, which allows faster deployments and easier scaling and comes with low costs
- Serverless platforms often have pooled outbound IP addresses that are dynamically assigned by the cloud provider
- No DNS domain name or name server entries are required, as the cloud provider assigns URLs to the serverless functions
- As the domain names, IP addresses and certificates are issued and managed by the cloud provider, this usually goes hand in hand with better reputation

Let’s do AiTM Phishing with Azure Functions

Demo

The following demo provides a quick overview of the Azure AiTM Function and the replay of the cookies in an incognito browser window: