Introducing the Office 365 Mail Token

Shared passwords, sensitive documents: mailboxes are great targets for attackers. Would you know they were targeted? We’ve got your back! Our Office 365 token deploys to thousands of mailboxes in minutes and alerts you when someone is snooping around.

Why an Office 365 Mail token?

Enterprises have been flocking (ha) to Office 365 for years now and a large number of Thinkst customers are using it. The Canaries will detect attackers on their networks, but nothing lets them know if an attacker has compromised a single mailbox and is snooping around.

Canarytokens are great at becoming high fidelity tripwires in places that other tools can’t easily go. You can quickly head over to to create a token, and then place it in Bob’s mailbox, but how does this work for an entire office? Will it work for an entire org?


The Office 365 Mail token can drop a pre-written, tokened email into multiple mailboxes at once. We insert the emails into mailboxes automatically, so it avoids getting caught by email security filters. We avoid dropping it in the default inbox so users won’t stumble on it accidentally, but an attacker searching for booty can still quickly find it and trigger an alert.

Deploying the Token

To deploy this token, there are a few easy steps.

  1. Log into an Office 365 account that has the proper permissions ( details here ). Bonus - this token also works with on-prem Exchange implementations - see the link above for details.
  2. Log into your Canary Console and choose the Office365 Mail token under Canarytokens
  3. Select the mailboxes to token from the list presented to you
  4. You now have tokened mailboxes, which will be displayed in the list of enabled Canarytokens
  5. Wait for some unsuspecting attacker to stumble upon the email. To test yourself, search for “password reset” and you’re likely to find the gift we left for attackers.

When someone stumbles upon the trap, you’ll receive an alert like this one.

While it's difficult to rule out false positives altogether, we employ a few tricks to avoid them that require no additional effort on your part. First, we place the email in the archive folder, reducing the chance of legitimate users finding this email in their own inbox. Second, because we insert the email directly into the mailbox, we avoid security gateways inspecting tokens directly and creating false positives.

Tokens like this are great for the attacker details they give you, but would also be useful just as a heads up. Someone just searched for password reset emails in Bob’s mailbox. This is probably something you should be aware of.

Wrapup; What's Next?

With the Office 365 Mail token, we’ve gone from some basic token ingredients to something that simply scales to hundreds of mailboxes in the same 3-4 minutes it takes to deploy a Canary. That's it - quick, easy and likely to catch the bad guys.

For more thoughts on Canarytokens, check out our post on the AWS API Key token. The official documentation for Canarytokens is a concise and useful read as well.


  1. Unfortunately, to access the software, you must purchase a license that is valid for life. Am I right, guys?

  2. I have heard a lot about Office 365 and I can't understand what is it for? You are able to download a full Microsoft pack without buying anything.

  3. A motivating discussion is worth comment. I do think that you should publish more about this subject matter, it might not be a taboo subject but typically people don't speak about these subjects. To the next! Best wishes!!
    VAC Was Failed to Verify the Game Session

  4. I appreciate your blog information.I also using office 365.But did not no so much about that news information. But I faced a problem that was sometimes could not open Microsoft word file .I could not understand thatOffice Setup was proper way or not. I reinstalled but could not be solve.

  5. Excellent post. Your information is very detailed and useful to me, thank you for sharing. We provide affordable
    PHD Thesis Writing Services

    Best Thesis Writing Service

  6. Windows OEMSW is a global Microsoft Office and Windows product key supplier. Our company is a

  7. We offers Assignment Help to the students by the help of its expert Assignment Writers. Our professional writers are the highest degree holder from top universities. Our writers help you with direct communication in Assignments.
    law homework help