AiTM Feed Subscription
Automatically block Adversary-in-the-Middle and other account takeover attacks
Stop Account Takeover Attacks Before They Start.
The AiTM Feed by Lab539 delivers proactive, real-time threat intelligence focused exclusively on identifying and tracking malicious infrastructure used for Adversary-in-the-Middle (AiTM) and similar attacks. These attacks bypass traditional MFA and are a primary threat vector for modern organizations. By actively hunting down this infrastructure, rather than waiting for it to feature in an attack, our feed helps transform your security posture from reactive to proactive and integrates seamlessly with your existing tooling.
Key Features & Microsoft Ecosystem Integration:
Conditional Access Policy Power:
Consume our specialized named location feeds directly within your Conditional Access Policies.
Proactively block authentication attempts and access to your environment from any location identified as AiTM infrastructure.
Ensure your strongest defense at the most critical entry point: the logon prompt.
Seamless Microsoft Defender Integration:
Automatically feed Indicators of Attack (IOA) directly into your Microsoft Defender deployment in real time.
Instantly block users from accessing known AiTM phishing sites.
Raise immediate, high-fidelity alerts on your security dashboard when users interact with malicious infrastructure.
High-Volume, High-Fidelity Data:
Our active hunting methodology yields up to 16,000 new AiTM records per day, providing an unparalleled view of the current threat landscape.
Receive updates in real time to ensure your defenses are always current.
Full API Access for Custom Use Cases:
Access all data via a flexible API, complete with full Swagger documentation.
Integrate the feed data into custom systems, run local queries, and power in-depth security investigations tailored to your unique needs.
If you prefer to self-host, you can access everything you need via the API.
The Proactive Security Advantage:
At Lab539, we believe in defense that begins before the attack. By actively hunting down malicious infrastructure and sharing these IOAs, the AiTM Feed empowers you to stop attacks before they happen.
When you do threat intelligence right, victims are not a prerequisite.
Enhance your security by taking advantage of our proactive security solution.
Which Size Plan Do I Need?
All of our plans include the same feature set. Pricing is based upon the number of users who benefit from the feed.
We consider a user to be an active user within your Entra ID environment, web application, or wherever you plan to use the feed (i.e. a user that logs in at least once per quarter).
If you plan to use the feed solely for manual investigation purposes (e.g. investigating incidents or carrying out research), rather than for integration into an authentication process, then we recommend the small subscription plan.
We don't set a limit on the number of API queries on any of our plans; however, we may throttle heavy users to 1 request per second. If you intend to make lots of queries, you may find you're better off pulling down batches of data for offline querying (with a simple API call you can pull down everything we've added in the last 7 days).
Self Hosting
The API means that, if you prefer, you can self-host your own service rather than consenting to the permissions which we require. We provide an ARM template for this, so you can deploy your own Microsoft Logic App to perform named location updates without needing to consent to any permissions, although you are free to write your own code if you wish.