Description: Similarly to a Word or Excel document Canarytoken, Google documents can be tokenized too. When the document is opened, an alert will be generated on your Console with the viewer's account username (if they are signed in) and localization of their browser.
Follow the steps below to create a Google Docs/Sheets Canarytoken:
Log in to your Console.
Select the Canarytokens tile.
Select your preference of Docs/Sheets token from the list.
Over time, you will deploy thousands of tokens all over the place. Make sure that your Reminder is as descriptive as possible, and will remind you in the future of where the token was dropped. It may create confusion if a token generated an alert that reads “test" - and not remembering where you placed it.
Reminder: Consider including the intended name of your document in the reminder.
Share with email: Enter the Google account email that would like to use to create the document.
Go ahead and click on Create token when you are ready to generate the document.
Click the Copy token button and paste the link in a new browser tab where you are signed in with the Google account from the previous step.
You will now land on the Canarytoken template document. Here you will find the next steps to finalise the Canarytoken creation.
Create a copy of the sheet to be imported into your Google Drive account by clicking on the File drop-down menu and then selecting Make a copy.
Note: You will be prompted with the below pop-up, don't rename the document just yet and instead click OK.
A copy of the document will now have been created on your Google Drive, Wait a moment and the content of the document will change to reveal the next steps.
You can now go ahead and rename and move the document to your requirements. (Take note of your original reminder on Step 4.)
Note: If you'd like to spread the document around and get alerts when other people open it rather than just detecting your account being compromised. It's a good idea to share the document and create a link with editor permissions for anyone. This will ensure that anyone who lands on the document will be able to open it and trip the token.
Once renamed and placed, you can activate the Canarytoken by clicking on the Canarytokens menu item and selecting Activate token.
During the activation process, you will be prompted with a couple of dialogue boxes, this will give the Canarytoken the bare minimum set of permissions to function.
Once started, select Continue at the below prompt.
Select the Google Account that you are using to create the token.
Select Allow at the below prompt.
An alert is triggered when the document is opened.
The IP address shown will be Google owned, this is because the token is executed by Google's App scripting engine and not the viewers browser.
Note: If the document viewer belongs to the same Google Workspace domain as the user, the document viewer's account email will be displayed in the alert.
Note : If the attacker is not signed in. (opened the document with an anonymous shared link.) Or exists outside of the owners Google workspace domain, the attackers email will not be shown.
This is due to a limitation in the Google Apps Scripting engine and is referenced here.
You're done! ;-)