Canarytokens are simple by nature and are designed to retrieve as much information as possible. The information that is returned in the token alert, solely depends on the type of token that has been triggered.

For example, the PDF token uses DNS for its alerting channel. What this means is, the PDF token will only alert you on the IP address of the last DNS server that handled the request and will not contain the internal IP address of the attacker.

The MSWord token on the other hand uses both DNS and HTTP for its alerting channels. If the HTTP request is successful, the alert will contain more information. It is also possible that the HTTP token will contain the internal IP address as well. This is dependant on a bug within the attackers browser that is used to leak the internal IP address. If the bug is not present within the browser, the alert will not contain the internal IP address of the attacker.

The good news is that even if the internal IP address is not alerted on, you still have a starting point for your investigation.

i.e : the location that the token was stored (File Server, Laptop, etc).

Note : We have a MSWord (Macro-enabled) token that is currently in beta testing. The MSWord (Macro-enabled) token will return more information (including the internal IP). We'll be releasing the Macro token once we have it fine tuned.