#OOTB2025BKK - Cloud Edge Phishing: Breaking The Future Of Auth - Carlos Gómez Quintana

Adversaries have shifted from basic credential harvesting to sophisticated Adversary-in-the-Middle (AiTM) campaigns that intercept real session cookies and OAuth tokens, bypassing multi-factor defenses. This talk analyzes modern phishing techniques—including OAuth consent hijacking, browser-based MITM proxies, and token-binding attacks—and demonstrates two revolutionary serverless approaches that serve as the ultimate stealthy platforms for phishing operations.

We'll explore dual cutting-edge techniques. First, Cloudflare Workers with their global CDN, free TLS, and scriptable edge logic. Second, a groundbreaking single-file approach using Express (Node.js) packaged into a portable JavaScript file that can be deployed with one click across any legitimate PaaS platform (Azure, AWS, DigitalOcean, Heroku, Vercel, Railway, etc.). Together, these techniques create invisible proxies that leverage both edge computing and legitimate cloud infrastructure with zero indicators of compromise. This dual-pronged approach enables red teams to establish distributed, resilient phishing infrastructure that appears entirely legitimate to security tools and investigators, operating seamlessly across both specialized edge platforms and mainstream cloud services.

The session will detail Microsoft Entra ID defenses (token binding, risk-based sign-in, consent screens, and FIDO2/passkeys), followed by an in-depth examination of bypass methods using both Cloudflare Workers and multi-PaaS deployment strategies. We'll explore the end-to-end WebAuthn/passkey flow and reveal advanced MITM strategies that can subvert FIDO protections. We'll also cover methods for minimizing browser telemetry and share defensive best practices. Attendees will gain exclusive insight into newly developed techniques spanning both edge computing and legitimate cloud platform deployment.

===

Carlos Gómez Quintana is a Security Consultant at IOActive, specializing in Red Team operations and offensive security. As one of the youngest professionals to join the firm, he conducts advanced penetration testing, adversarial simulation, and security research across diverse enterprise environments. At IOActive, Carlos focuses on cutting-edge security research, including automotive security, where he has developed novel attack techniques such as rollback agnostic replay attacks against vehicular systems. He regularly conducts Red Team engagements that simulate real-world adversarial scenarios for enterprise clients. Carlos is an active security researcher and contributor to Maldev Academy, where he has contributed to the phishing section and active research on malware development.
