Available Feeds
Complete reference of all threat intelligence feeds provided by AiTM Feed.
Overview
Named Locations - Block authentication attempts from malicious infrastructure using Microsoft Conditional Access Policies.
Indicators - Prevent users from accessing frontend AiTM infrastructure (phishing sites) using Microsoft Defender.
Non-Microsoft Environments
- Named Locations: Extract `cidrAddress` from JSON for IP ranges/CIDR blocks
- Indicators: Extract `indicatorValue` from JSON for hostnames/domains
Named Location Feeds
Core AiTM Infrastructure
This is specific infrastructure that we have identified as being involved in malicious AiTM-related activity.
| Feed | Description | Update Frequency | Risk | Considerations | API Endpoint |
|---|---|---|---|---|---|
| AiTM | Backend infrastructure performing authentication relay attacks | Real-time (every 5-15 min) | Critical | Core feed - enable this first | aitm |
| AiTM 1-5 | Overflow feeds for primary AiTM (Microsoft Named Location size limits) | Real-time (every 5-15 min) | Critical | Populated with test IP 54.242.109.54 when empty | aitm1-5 |
Sanctioned & Bulletproof Hosting Providers
These are providers that are widely used for malicious activity and whose business model revolves around it. These providers are rarely used for legitimate purposes.
| Provider | Description | Update | Risk | Notes | Endpoint |
|---|---|---|---|---|---|
| Media Land | Russian bulletproof hosting, sanctioned Nov 2025 (US/UK/AU) | 6 hours | High | Extremely unlikely legitimate use | medialand |
| Stark Industries | Bulletproof hosting (includes The.Hosting, UFO42), multi-country sanctions | 6 hours | High | Infrastructure changes occasionally | stark |
| Xhost | Xhost Internet Solutions LP, sanctioned by some countries | 6 hours | High | Infrastructure changes occasionally | xhost |
| Aeza Group | OFAC sanctioned July 2025 for hosting ransomware/malware ops | 6 hours | High | Includes Hypercore, Smart Digital, DataVice | aeza |
| 1337 Services | Bulletproof hosting, repeated AiTM infrastructure | 6 hours | High | Endpoint uses lowercase "L": l337services | l337services |
| Evoxt | Ace Datacenters, repeated AiTM hosting | 6 hours | High | Extremely unlikely legitimate use | evoxt |
| Vdsina | Repeated malicious infrastructure hosting | 6 hours | High | Extremely unlikely legitimate use | vdsina |
Cloud & VPS Providers
These are providers that we see being used extensively for AiTM-related activity, but which would be considered legitimate providers serving non-malicious customers.
| Provider | Type | Update | Risk | Key Considerations | Endpoint |
|---|---|---|---|---|---|
| Zenlayer | Legitimate cloud provider | 6 hours | Med | Multiple proxy networks/exit nodes used in attacks. Monitor for false positives | zenlayer |
| Global Connectivity | Cloud provider (globconnex) | 6 hours | Med | Regular AiTM attack stream | globconnex |
| RouterHosting | VPS (now Cloudzy) | 6 hours | Med | Not bulletproof, but frequently used. Unlikely user authentication | routerhosting |
| DigitalOcean | Major cloud provider | 6 hours | Med | Responsive to abuse. Check if you host apps here before blocking | digitalocean |
| Bunny | Communications + broadband | 6 hours | Med-Low | Higher legitimate use - provides broadband services. Specific IPs in core AiTM feed | bunny |
| HostPapa | Cloud hosting | 6 hours | Med | Attracts adversaries. Check if you host apps here | hostpapa |
| Hostinger | Cloud hosting | 6 hours | Med | Frequently used in attacks. Check if you host apps here | hostinger |
| M247 | M247 Europe SRL | 6 hours | Med | Widely used in AiTM and other attacks | m247 |
| HostRoyale | HostRoyale Technologies | 6 hours | Med | Check if you host apps here | hostroyale |
Network & Anonymity Services
These are services, such as VPNs, that we have observed being involved in AiTM-related activity.
| Service | Purpose | Update | Risk | Important Warnings | Endpoint |
|---|---|---|---|---|---|
| Tor Exits | Tor exit nodes (where traffic leaves Tor network) | 30 min | Varies | Legitimate privacy use. May impact journalists, activists. Nodes retained 7 days. Does NOT include relays | tor-exits |
| Express VPN | VPN service infrastructure | Ad-hoc | Legit | Legitimate service. Blocks users who use Express VPN. Incomplete list (infrastructure is dynamic) | expressvpn |
Indicator Feeds
These are frontend feeds relating to AiTM activity (e.g. phishing sites).
| Feed | Type | Description | Update | Action | API Endpoint |
|---|---|---|---|---|---|
| AiTM Indicators | Frontend URLs/domains | Phishing sites users may access | Real-time (pushed every 15 min) | Warn (users can proceed, alert always raised) | aitm |
Shared Hosting Platforms
Adversaries often host on legitimate platforms. Indicators target specific URLs/hostnames but be aware of shared hosting scenarios.
Quick Reference Guide
Recommended Feed Configuration
| Priority | Feeds to Enable | Why |
|---|---|---|
| Essential | AiTM + AiTM 1-5 | Core backend infrastructure blocking |
| Highly Recommended | All sanctioned/bulletproof providers | Minimal false positive risk, maximum protection |
| Recommended | Cloud providers (if you don't host there) | Balance protection vs operational impact |
| Conditional | Tor Exits | Only if legitimate Tor use is not expected |
| Avoid Unless Policy Requires | Express VPN | Impacts legitimate VPN users |
Update Frequency Summary
| Frequency | Feeds |
|---|---|
| Real-time (5-15 min) | AiTM core, AiTM 1-5, AiTM Indicators |
| 30 minutes | Tor Exits |
| 6 hours | All hosting provider feeds |
| Ad-hoc | Express VPN |
Polling Recommendations (Self-Hosted)
- Real-time feeds: Poll every 10-15 minutes
- Hourly feeds: Poll every 30 minutes
- 6-hour feeds: Poll every 3-6 hours
Lab539 Hosted: We push updates automatically every 5 minutes when changes occur.
API Usage
All feeds use the same authentication pattern:
```bash
curl -H "Authorization: Bearer YOUR-API-KEY" \
  https://aitm.lab539.io/v1.0/named-location/{feed-name}
```
Example:
Get your API key from the Lab539 Portal.
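Putting the Non-Microsoft Environments note and the authentication pattern above together, here is an added Python example (not Lab539's own client) that fetches a named-location feed with the documented Bearer header, walks the JSON for `cidrAddress` values and emits a clean, de-duplicated CIDR list, dropping the 54.242.109.54 placeholder that empty overflow feeds carry. Only the key names and the endpoint come from the page; the `ipRanges` layout of the sample response and the `fetch_feed`/`extract_cidrs` names are assumptions.

```python
import ipaddress
import json
from typing import Any, Iterator
from urllib.request import Request, urlopen

BASE_URL = "https://aitm.lab539.io/v1.0/named-location/"
# Overflow feeds AiTM 1-5 carry this placeholder when they are empty (see feed table).
PLACEHOLDER_IP = "54.242.109.54"


def walk_values(node: Any, key: str) -> Iterator[str]:
    """Yield every string stored under `key` anywhere in a JSON document. Being
    structure-agnostic, it finds cidrAddress (or indicatorValue) wherever it nests."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from walk_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from walk_values(item, key)


def extract_cidrs(feed_json: Any) -> list[str]:
    """Unique, normalised CIDR blocks from a named-location feed. Malformed entries
    are skipped and the placeholder IP dropped, so an empty overflow feed yields []."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in walk_values(feed_json, "cidrAddress"):
        try:
            net = ipaddress.ip_network(raw, strict=False)  # bare "a.b.c.d" becomes /32
        except ValueError:
            continue
        if net.num_addresses == 1 and str(net.network_address) == PLACEHOLDER_IP:
            continue
        if net.with_prefixlen not in seen:
            seen.add(net.with_prefixlen)
            out.append(net.with_prefixlen)
    return out


def fetch_feed(feed_name: str, api_key: str) -> Any:
    """GET one feed (e.g. "aitm1") using the Bearer header the page documents."""
    req = Request(BASE_URL + feed_name, headers={"Authorization": f"Bearer {api_key}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response: only the cidrAddress key is documented on the
# page; the surrounding ipRanges layout is an assumption for illustration.
SAMPLE_FEED = {"ipRanges": [{"cidrAddress": "203.0.113.0/24"}, {"cidrAddress": "198.51.100.7"},
                            {"cidrAddress": "54.242.109.54/32"}, {"cidrAddress": "not-an-ip"}]}
```

For a live run, `extract_cidrs(fetch_feed("aitm1", api_key))` gives the list to load into a firewall or proxy blocklist; for indicator feeds, `walk_values(data, "indicatorValue")` yields the hostnames the same way.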
Risk Level Guide
| Level | Meaning |
|---|---|
| High | Sanctioned or bulletproof hosting. Minimal legitimate use expected |
| Medium | Legitimate providers frequently abused. Check operational impact |
| Medium-Low | Legitimate services with higher false positive potential |
| Legitimate Service | Only block if organizational policy requires |
Getting Started
- Enable core feeds: AiTM + AiTM 1-5
- Add sanctioned providers: All high-risk feeds
- Evaluate cloud providers: Enable if you don't host applications there
- Test and monitor: Watch for false positives in first 48 hours