Tech, tools, thoughts from the team at Lab539
Lab539::Blog
Self Hosted Conditional Access Service
Creating a self hosted Azure Logic App to periodically query the Lab539 AiTM API and update a named location, so that your conditional access policies are updated in real time.
File Hosting Services Used for Identity Phishing
Which file hosting provider is really being impersonated the most in the file hosting attacks that Microsoft disclosed recently?
AiTM Feed - Conditional Access
Guide to setting up the conditional access named location feed for the Lab539 AiTM service.
Using Conditional Access Policies to Block Tor Exit Nodes in Entra ID
Information on how to create a conditional access policy in Microsoft Entra ID that blocks access from a list of IPs, in this case a list of Tor IPs.
A Summary of 6 Months Tracking AiTM Campaigns
This post is a summary of 6 months tracking AiTM campaigns using a rather clever technique we have devised that allows us to identify the backend infrastructure before it is used.
The Cyber Defenders Kill Chain (TCDO Part 2)
The cyber defenders kill chain emphasises the different stages of an attack in a manner relevant to defenders. It’s central to how we, at Lab539, craft effective tailored cyber defences that protect critical functions.
Applying Context, Controlling Adversaries (TCDO Part 1)
Adversarial tradecraft is not rigid; it can and does evolve. Spending more time studying adversaries is not unhelpful, but we much prefer to keep things on our own terms: to control how adversaries must operate and the tradecraft they must use. This is the first of a series of posts on our thinking and how we look at things a little differently in order to achieve that elusive feeling of confidence in our defences.
Cyber Security, Fuel Terminals and Operational Networks
The cyber threat to the oil and gas sector is very real. We take a look at some recent incidents and provide some guidance to those defending OT networks.
Inside Akira Ransomware Negotiations
Lab539 delved into the negotiations that the Akira ransomware group conducts with its victims, in order to share some insights.
Report leaked payment cards
Found credit card numbers online? Use leaked.cards to report them safely and securely.
Linux Malware Detection with LimaCharlie
Free LimaCharlie lookup for known Linux malware hashes pulled from various sources including the Lab539 sensor network.