XposedOrNot for MISP

Pull request under review  MISP/misp-modules#789

The XposedOrNot expansion module enriches email attributes in MISP with data-breach exposure: which breaches an address appears in, when, how many records were exposed, which data classes leaked, and how passwords were stored. It works both as a hover module (instant summary tooltip) and as an expansion module (one attribute per breach added to your event).

What you get

Hovering an email attribute shows a summary like:

Email exposed in 202 data breaches (XposedOrNot), first: 2009, latest: 2026, risk: Critical

Expanding adds one attribute per breach, each carrying the detail in its comment:

Sysco - breached: 2026 | 2,699,339 records | domain: sysco.com | exposed: Email addresses; Names; Phone numbers | password risk: unknown | verified: Yes

Supported attribute types

InputOutput
email, email-src, email-dst, target-email, whois-registrant-email text attributes (misp_standard format, correlation disabled)

Installation

Once merged (pull request currently under review): the module ships with misp-modules. Update your misp-modules install, then enable xposedornot under Administration → Server Settings → Plugin settings → Enrichment.

Today (manual install): copy xposedornot.py into misp_modules/modules/expansion/ in your misp-modules installation and restart the misp-modules service. No further configuration is required.

Configuration

None required. The module uses the free, keyless community API out of the box. Optionally, set api_key in the module's plugin settings (get a key at plus.xposedornot.com) to switch to the commercial Plus API with higher rate limits, recommended for busy instances.

Rate limits

Keyless community API: 2 requests/second, 25/hour, 100/day per IP. When the limit is reached the module returns a clear message rather than failing silently. The optional commercial key raises these limits.

Privacy: only the queried email address is sent, over TLS, to xposedornot.com; nothing else leaves your MISP instance. Breach exposure tied to an email address is personal information; use it within lawful, authorised investigations. See our privacy policy.

Links