The vast majority of successful attacks that Lab539 observe relate to credential theft. A large proportion of these now also bypass multi factor authentication controls such as Microsoft Authenticator.
To mitigate these attacks we created some rather clever (and we believe unique) capability to detect and block the infrastructure which will be used for these attacks before it has even been fully deployed, and usually long before the attacks start. This is not a feed of IP addresses that have been observed carrying out nefarious activities, this is a feed of infrastructure that is are about to carry out nefarious activities. We proactively detect Evilginx and other front and back end AiTM infrastructure.
We provide feeds to allow you to protect your environments in a number of different ways:
API - Webhooks - Seamless Microsoft conditional access integration
Subscribe to the most advanced Adversary in The Middle feed available
AiTM Feed Comparison
Documentation
API Quickstart
Full API documentation is available at https://aitm.lab539.io/ but here is a handy quick reference to hit the API from the command line:
Curl
curl -s -H "Authorization: Bearer <YOUR_API_KEY>" https://aitm.lab539.io/search/hostname/microsoft
Windows Powershell
Invoke-RestMethod -Uri "https://aitm.lab539.io/search/hostname/google" -Method Get -Headers @{Authorization = 'Bearer <YOUR_API_KEY>'}
Incorporate our AiTM feed into your services
If you provide security services you can enhance them by incorporating our AiTM feed transparently into your service, allowing your customers to benefit from real time AiTM tracking.
Get in touch and we’ll custom build a package tailored to your specific needs
Get in Touch
Can’t find the right package for you? Want to sanity check something before you subscribe? Would rather pay by invoice? Interested in incorporating our feed into your services? or something else? The get in touch: