Shared passwords, sensitive documents: mailboxes are great targets for attackers. Would you know they were targeted? We’ve got your back! Our Office 365 token deploys to thousands of mailboxes in minutes and alerts you when someone is snooping around.
Why an Office 365 Mail token?
Enterprises have been flocking (ha) to Office 365 for years now and a large number of Thinkst customers are using it. The Canaries will detect attackers on their networks, but nothing lets them know if an attacker has compromised a single mailbox and is snooping around.
Canarytokens are great at becoming high fidelity tripwires in places that other tools can’t easily go. You can quickly head over to https://canarytokens.org to create a token, and then place it in Bob’s mailbox, but how does this work for an entire office? Will it work for an entire org?
Easy!
The Office 365 Mail token can drop a pre-written, tokened email into multiple mailboxes at once. We insert the emails into mailboxes automatically, so it avoids getting caught by email security filters. We avoid dropping it in the default inbox so users won’t stumble on it accidentally, but an attacker searching for booty can still quickly find it and trigger an alert.
Deploying the Token
- Log into an Office 365 account that has the proper permissions (details here). Bonus – this token also works with on-prem Exchange implementations – see the link above for details.
- Log into your Canary Console and choose the Office365 Mail token under Canarytokens
- Select the mailboxes to token from the list presented to you
- You now have tokened mailboxes, which will be displayed in the list of enabled Canarytokens
- Wait for some unsuspecting attacker to stumble upon the email. To test yourself, search for “password reset” and you’re likely to find the gift we left for attackers.
Wrapup; What’s Next?
For more thoughts on Canarytokens, check out our post on the AWS API Key token. The official documentation for Canarytokens is a concise and useful read as well.