john fitzpatrick (@j0hn__f)'s Twitter Profile
john fitzpatrick

@j0hn__f

CyberSecurity | Lab539 and HPCsec | HPC | Supercomputers | TCDO | formerly MWRlabs & Jumpsec | @[email protected]

ID: 106699429

Joined: 20-01-2010 11:21:57

1.1K Tweets

1.1K Followers

1.1K Following

Luke Jennings (@jukelennings)

Someone is using Evilginx to target customers of Onfido, part of Entrust, with a malicious Google advert that comes above the legitimate Onfido advert 🤯

Yes that us[.]com domain is actually an evilginx server - guess which advert is the malicious one
Lab539 (@lab539)

Doesn't look like whoever is behind the AiTM on Tesco Bank has hit the go button yet or have been very targeted. Fortunately our AiTM Feed customers have been protected for a little while already. #AiTM aitm-feed.com
4n6lady (@4n6lady)

I’m an Incident Responder on the AWS Customer Incident Response Team (CIRT). And I get asked a lot of questions, like: “Where do I even start with incident response in the cloud?” Here’s a beginner-friendly thread on AWS IR tips — with a few lessons I learned 🧵👇

john fitzpatrick (@j0hn__f)

This is not a drill! I'm investigating. May share some analysis if I get the time. I suspect there will be some central infrastructure co-ordinating it that we need to take out of action. #AiTM

AiTM Feed (@aitm_feed)

Today would be a good day to block authentication from 2a0b:7140:8:1:5054:ff:fe10:9356 in your conditional access policies. Backend of several active AiTM campaigns (targeting Microsoft accounts). #ThreatIntel #IndicatorsOfAttack

AiTM Feed (@aitm_feed)

If you're reading the Microsoft Threat Intelligence report on Void Blizzard, things to note, the *.micsrosoftonline[.]com IOC they share was deployed on 5th+6th March 2025, so focus your hunts there. It was Evilginx and there were several subdomains (Cloudflare fronted)

AiTM Feed (@aitm_feed)

Someone targeting M&S again? Or targeting MSN? You decide:

*.mnsonlines[.]lat - 185.165.44[.]25, previously 209.74.81[.]5

Positive #AiTM detection::Action=block
john fitzpatrick (@j0hn__f)

Can anyone recommend a service that provides good reverse IP lookup data (i.e. DNS records associated with an IP address)? VirusTotal is the obvious answer but is cost prohibitive, and other options don't seem to have the richness of data. Willing to pay.

AiTM Feed (@aitm_feed)

If you'd like a copy of Aeza's prefixes (AS216246) as sanctions were announced we've dropped a copy here: drive.proton.me/urls/2Z9AV54FC…

AiTM Feed (@aitm_feed)

It's not just MS users targeted by AiTM, here is one (live now) targeting users of the Australian Gov services:
australiaqovlodgmentservces[.]org
john fitzpatrick (@j0hn__f)

Forced myself to write up a (non)incident where our AiTM feed successfully foiled an AiTM attack utilising redirects, workers[.]dev and other techniques we're commonly seeing. Interesting to see re-use of existing infrastructure too. aitm-feed.com/blog/aitm-non-… #AiTM

AiTM Feed (@aitm_feed)

OK, that got burned just now. So here is another targeting Coinbase by the looks of it which drops some very obfuscated powershell on your clipboard:
#ClickFix
john fitzpatrick (@j0hn__f)

Technical deep dive into some current AiTM infrastructure using Azure Front Door and some other rather clever techniques. aitm-feed.com/blog/azure-fro… #AiTM

AiTM Feed (@aitm_feed)

If you want to block ShadowCaptcha campaigns, blocking these three domains will help:
- cloudshielders[.]com
- analytiwave[.]com
- analyticanoden[.]com
There is heavy geo/user-agent/os detection going on, so you may not see click-fix but your users might #clickFix #shadowCaptcha

AiTM Feed (@aitm_feed)

Block login from AS24875 (1337 Services) and AS18450 (Evoxt) and you'll squash some of the most prolific #voidproxy infrastructure. Block workers[.]dev and you'll block a lot of frontend #voidproxy chains too. Aitm-Feed users can just toggle those on, takes 1 second!
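The indicators quoted in the feed above (the IPv6 AiTM backend, the mnsonlines[.]lat IPs, the Void Blizzard *.micsrosoftonline[.]com wildcard with its 5-6 March 2025 window, the ShadowCaptcha domains, the VoidProxy ASNs and workers[.]dev) are published defanged and in several shapes: exact IPs, whole ASNs, apex domains and wildcards. The script below is an added example of turning them into one hunt over sign-in logs; it is not code from AiTM Feed or Lab539. The log format, the sample log lines and the ASN prefix table are constructed for the example (the prefixes are RFC 5737 documentation ranges standing in for the real announcements of AS24875 and AS18450, which you would load from a BGP or RIR dump).

```python
"""Hunt sign-in logs for the AiTM / ClickFix indicators quoted in the feed above.

Added example, not code from AiTM Feed or Lab539.  The indicator values are the
ones published in the tweets; the log format, the log lines and the ASN prefix
table are constructed for this example.
"""
import ipaddress
import re
from datetime import date
from typing import Optional

# Indicators as published, still defanged ("[.]" in place of ".") so that a copy
# of this file cannot be clicked into.  refang() restores the real form.
FEED_DOMAINS = [
    "*.micsrosoftonline[.]com",           # Void Blizzard Evilginx, deployed 5-6 March 2025
    "*.mnsonlines[.]lat",                 # M&S / MSN lure
    "australiaqovlodgmentservces[.]org",  # Australian Gov services lure
    "cloudshielders[.]com",               # ShadowCaptcha
    "analytiwave[.]com",                  # ShadowCaptcha
    "analyticanoden[.]com",               # ShadowCaptcha
    "*.workers[.]dev",                    # VoidProxy front-end chains
]
FEED_IPS = [
    "2a0b:7140:8:1:5054:ff:fe10:9356",    # AiTM backend, Microsoft account campaigns
    "185.165.44[.]25",                    # mnsonlines[.]lat, current
    "209.74.81[.]5",                      # mnsonlines[.]lat, previous
]
FEED_ASNS = {24875: "1337 Services", 18450: "Evoxt"}   # VoidProxy hosting

# Constructed placeholder prefixes (RFC 5737 documentation ranges) standing in for
# the real announcements of the two ASNs.  Load these from a BGP/RIR dump in practice.
ASN_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): 24875,
    ipaddress.ip_network("203.0.113.0/24"): 18450,
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a usable domain or IP."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def domain_matches(host: str, indicator: str) -> bool:
    """A '*.apex' indicator matches the apex and every subdomain (the attacker
    controls the whole zone); a plain indicator must match exactly."""
    host = host.lower().rstrip(".")
    pattern = refang(indicator).lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        return host == apex or host.endswith("." + apex)
    return host == pattern


def ip_matches(ip: str) -> Optional[str]:
    """Return 'ip:<addr>' for a listed address, 'asn:AS<n>' for an address inside a
    blocked ASN, or None.  Parsing through ipaddress normalises IPv6 spelling so
    '5054:00ff:fe10' and '5054:ff:fe10' compare equal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for ioc in FEED_IPS:
        if addr == ipaddress.ip_address(refang(ioc)):
            return f"ip:{addr}"
    for net, asn in ASN_PREFIXES.items():
        if addr.version == net.version and addr in net:
            return f"asn:AS{asn} ({FEED_ASNS[asn]})"
    return None


# Constructed log format: ISO timestamp, user, source IP, host the user authenticated to.
LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) host=(?P<host>\S+)")


def hunt(lines, window=None):
    """Return (line_no, user, reason) for every line that hits an indicator.
    window=('YYYY-MM-DD', 'YYYY-MM-DD') limits domain hits to the dates the
    infrastructure was known to be live, as the feed suggests for Void Blizzard;
    IP and ASN hits are reported regardless of date."""
    start, end = (date.fromisoformat(window[0]), date.fromisoformat(window[1])) if window else (None, None)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = ip_matches(m["ip"])
        if reason is None:
            when = date.fromisoformat(m["ts"][:10])
            in_window = window is None or start <= when <= end
            for ioc in FEED_DOMAINS:
                if in_window and domain_matches(m["host"], ioc):
                    reason = f"domain:{ioc}"
                    break
        if reason:
            hits.append((n, m["user"], reason))
    return hits


# Constructed sample log lines; not real telemetry.
SAMPLE_LOG = [
    "2025-03-05T09:14:02Z user=alice@example.com ip=2a0b:7140:8:1:5054:00ff:fe10:9356 host=login.microsoftonline.com",
    "2025-03-06T11:02:45Z user=bob@example.com ip=203.0.113.7 host=login.microsoftonline.com",
    "2025-03-06T11:03:10Z user=carol@example.com ip=192.0.2.44 host=sso.micsrosoftonline.com",
    "2025-03-20T08:00:00Z user=carol@example.com ip=192.0.2.44 host=sso.micsrosoftonline.com",
    "2025-04-01T12:30:00Z user=dave@example.com ip=185.165.44.25 host=account.mnsonlines.lat",
    "2025-04-02T15:45:00Z user=erin@example.com ip=192.0.2.9 host=login.microsoftonline.com",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, window=("2025-03-05", "2025-03-06")):
        print(hit)
```

Two things in the sample are worth noticing: the IPv6 backend is written with a zero-padded hextet in the log and still matches, because comparison happens on parsed addresses rather than strings; and the second sso.micsrosoftonline.com sign-in on 20 March drops out when the hunt is given the 5-6 March window, which is the narrowing the Void Blizzard tweet recommends. Wildcard indicators match the apex as well as subdomains, since the attacker owns the zone.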

AiTM Feed (@aitm_feed)

We tracked #ClickFix infrastructure for a while. Turns out there is a lot of overlap with #AiTM infrastructure. Find our dataset of 13k+ hosts in this blog post: aitmfeed.com/r/RWx
Florian Roth ⚡️ (@cyb3rops)

My regular reminder whenever a vendor discloses a 0-day on an edge device: Patching it doesn’t fix the breach that already happened. If it was exposed for months, patching it is like changing the front door lock while the burglars are already in your living room.