ADVERTISEMENT

Canary tokens: threat hunting with digital trip wires

Canary tokens are digital "tripwires" that function like honeypots, designed to send a notification when triggered by a threat actor.

Threat hunting hacker trap

Image by Cybernews.

Jesse William McGraw
Jesse William McGraw Contributor
Mar 24, 2025 4 min read
Niamh Ancell Stefanie chrissw emmaw
Get our latest stories today on Google News
Add us as your Preferred Source on Google.

The versatility of digital tripwires

Embedding token URLs in email

Important considerations before deployment

  1. Visit https://canarytokens.org or a similar service to generate the canary token.
  2. Select ‘Web Image’’ as the token type.
  3. Enter your email address to receive the notifications and a custom alert message for yourself.
  4. Copy the generated tracking URL, which will appear like the following: http://canarytokens.com/tags/terms/et4txs649l0i1g0yg925lw19gP/submit.aspx
  5. To embed it, simply add an html image source tag: < img src="http://canarytokens.com/tags/terms/et4txs649l0i1g0yg925lw19gP/submit.aspx" >
Canary Token
Image by Cybernews.
ADVERTISEMENT
Printscreen
Image by Cyernews.

How to embed canary token in EXIF data

  1. Select Web Bug from canarytoken.org and generate the token.
  2. Now let’s open exiftool by simply typing "exiftool" in the Windows command prompt or Linux terminal.
  3. Now type exiftool -Title="Confidential Report" -Subject="For Internal Use Only" -Keywords="EnteryourtokenURLhere". Next, drag and drop the image, document, or file you want to embed the exif data and hit enter.
Jesse screenshot
Image by Cybernews.
Screenshot Jesse
Image by Cybernews.
Alerts history
ADVERTISEMENT