
AiTM Feed

by Lab539


Actively preventing account takeover attacks by blocking AiTM infrastructure before it's weaponised

Overview

AiTM Feed delivers real-time intelligence on the proxy infrastructure behind Adversary-in-the-Middle attacks - the fastest growing method of credential theft against Microsoft 365 environments. Our active hunting methodology identifies up to 16,000 new AiTM records per day and feeds them directly into your Microsoft security stack, letting you block account takeover attempts during the attacker's preparation phase rather than during incident response.


This is not a phishing URL feed

Most threat feeds focus on the phishing pages that users see. AiTM Feed focuses on what sits behind them: the reverse-proxy backends that intercept credentials and steal session tokens in real time, rendering MFA ineffective. These are the servers that actually perform the account takeover. By identifying and blocking this infrastructure, you cut off the attack at its source - regardless of how many phishing URLs the attacker spins up.


What changes when you deploy AiTM Feed

  • Conditional Access gains named locations populated with active AiTM infrastructure. Authentication attempts originating from these locations are blocked at the logon prompt - before credentials are proxied, before tokens are stolen.
  • Microsoft Defender receives Indicators of Attack in real time, preventing users from reaching identified AiTM infrastructure and raising high-fidelity alerts when interaction is attempted.
  • Your SOC spends less time investigating compromised sessions and more time on threats that actually made it through. The result is fewer account takeover incidents, fewer compromised sessions, and a security posture that addresses AiTM proactively rather than reactively.


Integration in minutes, not weeks

AiTM Feed was built for Microsoft environments:

  • Named locations feed directly into Conditional Access
  • IOAs feed directly into Defender
  • No agents, no log forwarding, no infrastructure to maintain

If you prefer, we provide an ARM template so you can self-host the integration using your own Azure Logic App. Same data, same protection, entirely within your tenant.


Full API access for custom workflows

Every record is accessible via our REST API with full Swagger documentation. Integrate with your SIEM, enrich your SOAR playbooks, run local investigations, or pull the full dataset for offline analysis. One API call retrieves everything added in the last 7 days.



FAQs


Which plan size do I need?

All plans include the same features and the same data. Pricing is based on the number of active users who benefit from the protection the feed offers.

Using the feed purely for investigation or research? The small plan covers that regardless of your organisation size.

There are no caps on API queries, although heavy usage may be throttled to 1 request per second; bulk pulls are available for high-volume use cases.


Can I use this with non-Microsoft environments?

Yes. Our API allows integration with any security platform. While our managed services focus on Microsoft environments, the underlying data works anywhere.


How is this different from Microsoft's built-in protection?

Microsoft's security tools detect threats reactively. AiTM Feed identifies adversarial infrastructure proactively, often long before attacks are launched - our feed flagged Void Blizzard infrastructure roughly a month before Microsoft reported the campaign. We identified Scattered Spider's infrastructure similarly early. The vast majority of our detections never appear in Microsoft's (or other security providers') feeds at all.

Microsoft builds excellent security tooling. What it lacks is early-stage threat intelligence for AiTM infrastructure. AiTM Feed provides that intelligence and delivers it directly into the tools you already have - Conditional Access, Defender - so it's immediately actionable without any additional infrastructure.


What Microsoft licenses do I need?

If you wish to benefit from our integrations with Microsoft's technologies: for Named Locations, you need Entra ID P1 or higher; for Defender Indicators, you need Microsoft Defender for Endpoint.

All data is available via the API without the need for any Microsoft subscription at all.

