Getting Started with AiTM Feed
Welcome to AiTM Feed - the most advanced proactive threat intelligence service for Adversary-in-the-Middle attacks.
What is AiTM Feed?
AiTM Feed provides proactive threat intelligence that blocks credential theft attacks before they succeed. An AiTM phishing proxy sits between the victim and the genuine sign-in page and relays the whole login, so it captures not only the password but also the session cookie issued after MFA; blocking the proxy infrastructure itself is what stops that. We hunt down AiTM infrastructure and share it with you in real time, enabling you to prevent attacks rather than respond to them.
The Problem
Traditional threat intelligence is reactive - it relies on breaches happening first. By the time most organizations learn about AiTM infrastructure, attackers have already stolen credentials from victims elsewhere.
Our Approach
We're proactive. Lab539 actively hunts for AiTM infrastructure before it's used in attacks. This means that you can:
- Block infrastructure before your users are targeted
- Protect against emerging attack techniques (like ConsentFix campaigns)
- Stay ahead of sophisticated groups (we blocked Void Blizzard infrastructure weeks before Microsoft's disclosure and Scattered Spider before certain high profile incidents)
What's Included?
Every AiTM Feed subscription provides access to all components:
- Named Locations: Block authentication from AiTM infrastructure using Microsoft Conditional Access Policies. Updated automatically as we discover new threats.
- Defender Indicators: Feed AiTM infrastructure directly into Microsoft Defender. Block phishing sites at the endpoint and receive alerts when users attempt access.
- REST API: Full access to our AiTM dataset for custom integrations, investigations, and threat hunting. Query by IP, hostname, or pull recent discoveries.
By The Numbers
- 16k+: new AiTM records per day at the 2025 peak
- 400%: increase in AiTM activity (2024-2025)
- 23+: threat intelligence feeds
During 2025 the number of detections we made per day peaked at around 16,000. Fortunately, most of the time it is a lot less than that. Nevertheless, we have seen a huge increase in AiTM over recent years. We compile what we learn about adversaries using AiTM techniques into over 23 different feeds and pass them to our subscribers.
Quick Start Guide
1. Sign Up & Access Portal
Start your 30-day free trial and log into the Lab539 Portal using your Microsoft or Google account.
2. Choose Your Integration
Select the integration methods that fit your environment:
| Integration | Best For | Setup Time |
|---|---|---|
| Named Locations | Blocking authentication from AiTM infrastructure | 10 minutes |
| Defender Indicators | Endpoint protection and alerting | 5 minutes |
| API | Custom integrations and investigations | Varies |
3. Configure Your Feed
Follow our setup guides to enable your chosen integrations:
- Lab539 Hosted (Recommended) - We manage everything, you just enable the integration
- Self-Hosted - Deploy your own automation using our API
4. Verify Protection
Once configured, your environment is protected:
- Authentication attempts from AiTM infrastructure are blocked automatically
- Users accessing phishing sites receive browser warnings
- Security alerts appear in your Microsoft Defender dashboard
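The self-hosted path in step 3 and the checks in step 4 come down to three Microsoft objects: an IP named location, a Conditional Access policy that blocks sign-ins from it, and Defender for Endpoint indicators. The script below is an added example, not Lab539's own automation or the AiTM Feed schema: the record shape in SAMPLE_FEED_RECORDS and the way you fetch it from the API are assumptions, while the payload shapes, endpoints and limits (2,000 ranges per named location, 15,000 indicators per tenant, single addresses only for IP indicators) are the ones Microsoft documents for Graph and the Defender API.

```python
"""Self-hosted AiTM Feed automation sketch: feed records -> Entra named
location + Conditional Access block policy + Defender for Endpoint indicators.

Added example, not Lab539's tooling. Assumed (not from the page): the record
shape in SAMPLE_FEED_RECORDS and how you fetch it. The Microsoft payload
shapes, endpoints and caps are the ones Microsoft documents."""
import ipaddress
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
MDE = "https://api.securitycenter.microsoft.com/api"
MAX_RANGES = 2000        # Entra cap on IP ranges per ipNamedLocation
MAX_INDICATORS = 15000   # Defender cap on custom indicators per tenant

# Constructed sample of a feed pull; the field names are an assumption.
SAMPLE_FEED_RECORDS = [
    {"ip": "203.0.113.10", "hostname": "login-microsoft.example"},
    {"ip": "203.0.113.10", "hostname": "sso-office.example"},   # same IP twice
    {"ip": "198.51.100.0/24", "hostname": None},                # a whole range
    {"ip": "2001:db8::5", "hostname": "m365-auth.example"},     # IPv6
    {"ip": "not-an-ip", "hostname": None},                      # junk to reject
]


def normalize_cidrs(records):
    """Deduplicated, sorted CIDR strings; invalid values are dropped, not fatal."""
    nets = set()
    for rec in records:
        try:
            nets.add(ipaddress.ip_network(rec["ip"], strict=False))
        except ValueError:
            continue
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def named_location_payloads(cidrs, display_name="AiTM Feed blocklist"):
    """ipNamedLocation bodies for POST /identity/conditionalAccess/namedLocations,
    split so no single location exceeds the range cap. isTrusted stays False."""
    payloads = []
    for i in range(0, len(cidrs), MAX_RANGES):
        chunk = cidrs[i:i + MAX_RANGES]
        name = f"{display_name} ({i // MAX_RANGES + 1})" if len(cidrs) > MAX_RANGES else display_name
        payloads.append({
            "@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name,
            "isTrusted": False,
            "ipRanges": [{
                "@odata.type": "#microsoft.graph.iPv6CidrRange" if ":" in c
                               else "#microsoft.graph.iPv4CidrRange",
                "cidrAddress": c,
            } for c in chunk],
        })
    return payloads


def block_policy_payload(location_ids, break_glass_ids=()):
    """A named location blocks nothing on its own: this Conditional Access policy
    (POST /identity/conditionalAccess/policies) is what denies sign-ins from it.
    Starts report-only; set "state" to "enabled" after reviewing sign-in logs."""
    return {
        "displayName": "Block sign-ins from AiTM infrastructure",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": list(location_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def defender_indicator_payloads(records, ttl_days=30):
    """Bodies for POST {MDE}/indicators. Hostnames -> DomainName, single IPs ->
    IpAddress. The indicator API takes single addresses, so CIDR blocks are
    skipped here; the named location still covers them at sign-in time."""
    expiry = (datetime.now(timezone.utc) + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    seen, out = set(), []
    for rec in records:
        wanted = []
        if rec.get("hostname"):
            wanted.append(("DomainName", rec["hostname"].lower()))
        try:
            net = ipaddress.ip_network(rec["ip"], strict=False)
            if net.num_addresses == 1:
                wanted.append(("IpAddress", str(net.network_address)))
        except ValueError:
            pass
        for kind, value in wanted:
            if (kind, value) in seen:
                continue
            seen.add((kind, value))
            out.append({
                "indicatorValue": value, "indicatorType": kind,
                "action": "Block", "generateAlert": True, "severity": "High",
                "title": f"AiTM infrastructure: {value}",
                "description": "AiTM phishing infrastructure from AiTM Feed",
                "expirationTime": expiry,
            })
    if len(out) > MAX_INDICATORS:
        raise ValueError(f"{len(out)} indicators exceeds the tenant cap of {MAX_INDICATORS}")
    return out


def post_json(url, token, body):
    """Stdlib POST helper; the bearer tokens come from your own OAuth flow (assumed)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cidrs = normalize_cidrs(SAMPLE_FEED_RECORDS)
    print(json.dumps(named_location_payloads(cidrs), indent=2))
    print(json.dumps(defender_indicator_payloads(SAMPLE_FEED_RECORDS), indent=2))
    # Live run (uncomment with real tokens): locations first, then the policy, then
    # the indicators. On later runs PATCH the existing location by id instead of POST.
    # ids = [post_json(f"{GRAPH}/identity/conditionalAccess/namedLocations", graph_tok, p)["id"]
    #        for p in named_location_payloads(cidrs)]
    # post_json(f"{GRAPH}/identity/conditionalAccess/policies", graph_tok, block_policy_payload(ids))
    # for ind in defender_indicator_payloads(SAMPLE_FEED_RECORDS):
    #     post_json(f"{MDE}/indicators", mde_tok, ind)
```

Two checks belong in step 4 when you run this yourself. For the authentication layer, leave the policy in report-only mode for a day and look in the Entra sign-in logs for sign-ins that the policy would have blocked (an enforced block shows as Conditional Access failure error 53003), then set the state to enabled; keep your break-glass accounts in excludeUsers so an over-broad range cannot lock you out. For the endpoint layer, IP, URL and domain indicators are only enforced when network protection is running in block mode on the devices and custom network indicators are turned on in Defender's advanced features; without that, the indicators exist but nobody gets a browser warning.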
Who Uses AiTM Feed?
Enterprises
Protect Microsoft 365 environments with automated Conditional Access integration
MSSPs
Scale protection across multiple client tenants
SOCs
Access current and historical threat data for investigations and threat hunting
SaaS
Protect customers/users from attacks targeting their accounts.
Choose Your Path
New to AiTM Feed?
- Find out how AiTM attacks work
- Read the Feed Overview to understand how this feed helps you mitigate AiTM attacks
- Explore Use Cases to see how different organizations can benefit from the feed
- Follow our Quickstart Guide for fastest deployment
Ready to Deploy?
- Named Locations Setup - Block at the authentication layer
- Defender Indicators Setup - Protect endpoints
- API Integration - Build custom solutions
Need Help?
- Support: aitmfeed.com/support
- Portal: portal.lab539.io
- API Docs: Swagger Documentation
Common Questions
How quickly are new threats added to the feed?
New AiTM infrastructure is added to our feeds within minutes of discovery. Our managed service ensures your protection is updated in real time.
Do I need all three integration methods?
No. Many customers start with Named Locations for authentication blocking, then add Defender Indicators and API access as needed. All are included in your subscription. Your use case might be different to others, so we just give you all of the options.
What Microsoft licenses do I need?
For Named Locations and the Conditional Access policy that enforces them, you need Microsoft Entra ID P1 (formerly Azure AD Premium P1) or higher. For Defender Indicators, you need Microsoft Defender for Endpoint.
Can I use this with non-Microsoft environments?
Yes! Our API allows integration with any security platform. While our managed services focus on Microsoft environments, the underlying data works anywhere.
How is this different from Microsoft's built-in protection?
Microsoft provides excellent reactive protection after attacks have occurred. We provide proactive intelligence, blocking infrastructure before it is used against anyone. We are complementary to Microsoft's security stack.
Ready to get started?