Description: Create tokened mails in Office 365 / Exchange Online mailboxes across your organization.
Note: Tokens are generated in the user's Archive folder. If the mailbox does not have an Archive folder the process is aborted for that user.
Follow the steps below to tokenize a mailbox.
Log in to your Console.
Click Add a new Canarytoken.
Create a new token by selecting Office 365 Mail Bug from the drop-down list.
Click on Let's begin (1 of 4).
Modify the token options and paragraph text to your desired scenario and click on Save Template (2 of 4).
Mail Subject: This can be changed to whatever you want the subject of the mail to be. (Use something that would catch the eye of an attacker.)
Mail Content: You can change the content of this mail, we have given you a template to work from.
Note: The Office 365 mail token will require permissions and a Role Group to be configured, which we will do below.
Head over to the Exchange admin center.
Expand the Roles drop-down and click on Admin Roles.
Click on Add role group to create a new role group.
Name the role Canarytoken (or something else if you'd prefer) then click Next.
Search for and select the ApplicationImpersonation and Mailbox Search roles to the new admin role.
Add a user to the new role group.
Note: The user must be an admin and will be used to authenticate on the Canary Console for temporary access to token the user mailboxes.
Once your selected admin has been added, click next for the role group creation success screen.
We can now close the Exchange Admin Center.
Note: Once this role has been assigned to a user, it can take a bit of time to reflect ~ 30 minutes in some cases.
Return to your Canary Console, where you can now click on Authorize via OAuth.
Here you can provide a comma-separated list of emails you would like to tokenize.
Then click on Insert Tokens (4 of 4) to finalize the tokenization.
Success, you are now presented with a summary report of the process.
Note: The OAuth access token granted to us will only be used for the duration of the tokening. It is destroyed after all mailboxes are tokened.