The vast majority of successful attacks that Lab539 observe relate to credential theft. A large proportion of these now also bypass multi factor authentication controls such as Microsoft Authenticator.
To mitigate these attacks we created some rather clever (and we believe unique) capability to detect and block the infrastructure which will be used for these attacks before it has even been fully deployed, and usually long before the attacks start. This is not a feed of IP addresses that have been observed carrying out nefarious activities, this is a feed of infrastructure that is are about to carry out nefarious activities. We proactively detect Evilginx and other front and back end AiTM infrastructure.
We provide feeds to allow you to protect your environments in a number of different ways:
API - Webhooks - Seamless Microsoft conditional access integration
Subscribe to the most advanced Adversary in The Middle feed available
One Time Purchase
AiTM Feed Comparison
Documentation
API Quickstart
Full API documentation is available at https://aitm.lab539.io/ but here is a handy quick reference to hit the API from the command line:
Curl
curl -s -H "Authorization: Bearer <YOUR_API_KEY>" https://aitm.lab539.io/search/hostname/microsoft
Windows Powershell
Invoke-RestMethod -Uri "https://aitm.lab539.io/search/hostname/google" -Method Get -Headers @{Authorization = 'Bearer <YOUR_API_KEY>'}