Home Alone isn’t scary, it’s inspiration - Dev Dua, Tyron Kemp, Denver Abrey

cool thank you

oh I'm just going to go straight into it hi everyone um my name is uh Denver Avery from uh

[Music]

working this presentation and he is a infrastructure engineer at banks near me

try this thing out it doesn't work I'm going to move over today

I'll try to sleep okay that works um yeah I'm sorry again expenses dude now ourselves do that uh thanks emphasis inspiration we're going to talk about Canary tokens thanks a lot for giving us the opportunity to talk about yourself we we like talking about this stuff we're defense enthusiasts you live in Denver have some skins so we'll share some insights over there and we're going to cover what tokens are um why you should use them the tldr is use them they'll go through some tokens like use cases and then at the end you should be able to use the circles to paint all your own predictions Okay cool so why are Canary tokens at a

super high level it's just a unique identifier that when you interact with it it's going to send an alert um if you're familiar with a web or a tracking pixel it's just that one by one you know image that gets caught active web server and that is one of the sort of communication channels that Canary token system is important so you just can keep that in the back of your mind from now

[Music]

they're absolutely super effective a lot of tweets people giving a lot of just confirming that they do work you might run into an edge case where a token doesn't trigger and that doesn't mean that the token is not effective it comes down to understanding the nuts and bolts and how these things work will cover it and then we'll work through some strategies that you can ensure that you get your protection out of the tokens it's just a little side place I guess under the advocacy mostly we're using them in our own or corporate neighborhoods or sort of just irregular defensive operation but we do get some a lot of work being back every now and

again different types of use cases and a nice one to get is from you know law enforcement saying making area can help them to prosecute a criminal so we might understand that we're standing into we observe it as a result and you know means something to us that you know our capabilities maybe not always that's easy for a law enforcement officer but they can easily generate some Theory token and get the criminals to interact with it telemetry okay so I was always put into sort of our day-to-day life um it pretty much boils down to reducing the world time so I kind of referred to uh this one report an IBM reporter this year and it mentions on all times around

200 days it's quite a sucky number two to work with you want to kind of detect before that and respond so that's the idea with hearing tokens there are these um

be even should be doing that okay so what do they look like we're moving away from the like eye level unique identifier I think it's sort of the tangible space it could be a file a document a key anything like that tackle touches it you get alert but importantly yeah I'll probably reiterate and stress this is that at the under the under the roof it's just an HTTP request or a DNA slope that's going to trigger these alerts okay so when that um you know when that request is made it counts on the very token server you get an option of either sending another via email or a webbook or you can channels you're going to want to deploy them

everywhere and so think of well firstly you can drop them sort of onto existing infrastructure or even embed them into applications common use cases would be high value targets so let's say CFO CTO CEO starting the desktop drop something on there Cloud environments email Jack logs so if we think of uh to use a business email or compromise as an example to Accurate gains access to the mailbox starts thinking or searching for keywords like credentials passwords access and that's kind of the procedure it's going to be the same with your communication tool so someone's off your teams or site and you've gone there and it's an old message in the chat edit those keywords in there and the token

someone touches a token you know the teams has been compromised so sprinkle them all over um so now the cool thing is it doesn't matter if um if the token's executed on the endpoint where you replace it or if it's infiltrated it's still going to generate and look so an example of a token Aviation athlete would be the word Canary token so we're dropping it on an executive machine and now the attacker compromises the endpoint to grabs the document um you know Excel traits opens it up you know a week later different geographical location VPN or just coffee shop whatever just somewhere else right um and we'll still get the alert you know it's not it might not really

mean much to us but we've configured this token reminder field that says CPO is this up and with all tokens this is super important to configure this as descriptively as possible because the note saying this thing may be placed on the cqs they stop admin access let's start on investigation over there for malicious or suspicious activity okay different types of tokens uh if you ever went to the scientists see a bunch of interesting different types of tokens uh we'll be covering the web of the DNS token AWS word and then we'll Tinker with cute config and why I have got token okay so the first demo is up

okay let me just load this a bit I think that works cool okay so we're going to start off by just um creating this webwork and DNS token and then we're going to go ahead and create some more exciting types and so the reason we we do the web argument the DNS token first is just to explain again how the the topics were under the hood so these are the Primitive types the basic pulling blocks they've already been embedded into many of these other token types for you so what we're about is just a URL so I'm just going to say send it to esience now we're just going to say grip test it's really weird create

spaghetti everywhere Olivia um it says it gives you descriptions it's going to trigger if this resume and then some you know interesting questions you could include it in an image day which creates like a tracking pixel and then down here you'll get some ideas for usage embedded in a document or dock it on a page there's anything through a Brute Force group a Brute Force tool or a Corolla or something so not part of your regular application flow Okay so I'm just going to copy this little requested in my browser triggering the alert and we'll refer to have a look at the actuality in a second and what I'm going to do now is just create that other sort

of basic token as well so let's go with uh DNS token over here same email address again there we go okay and we say DNS test create token this time it's a hostname again you get the description saying if we perform a DNS lookup it's going to trigger an alert and then some interesting use cases uh drop it in your Apache history drop it in SSH config and down here is a cool example that I even sort of start building your own detection so you can see here we're tiling an auto load and then if there's a valid attempt we're just going to run the the host command over there so I'll just illustrate that as well

just a simple DNS resolution will trigger their alert okay so let's have a look at those two alerts okay so that's the HTTP alerts with our reminder that we sit over there we get our source ID and we get the user agents included and as part of that hdb pullback the DNS alert DNS test and down here that's all signp is the the last yes of event resolve for that supposing okay so let's go ahead and create some more exciting ones and so I'm going to go with a Word document and then an AWS token wordlock in it same email and it's a word doc on tyron's scanning machine as as an example clear create download token and you can

rename this in you know to something entice advertising quality to add some some data in here but essentially Ms word opening up is going to cause that that thing back by a via HTTP okay so that's that's a good doc we can see the little trickling in over there and let's have a look at the 8 USB as well here we go email address let's say AWS key on either a home assistant DM great and this time around you'll see it's just going to split up to you know a valid AWS config that you can drop each year font so I've gone ahead and added the token into this AWS credential and we can run just an S3 at this we want

okay so that's just going to say use the Amazon CLI run these three others please wait for the upward PC access denied that at uh the API key doesn't actually have access to so much but you already have the the attackers just using their key to enumerate the potential AWS and pick them up okay so that's that's the tokens that we wanted to cover here we'll see the um the word doctors come in using again the Primitive HTTP Channel word.com my gaming machine Source like the user agent and you'll notice that the AWS um alert hasn't trickled in and that's kind of the because of how the token works on the AWS pack and then we'll

cover that in a couple of moments as well okay so just reverting back to the slides to to cover what we went through um so that sorry that we bug is just a URL that you visit it's going to generate the loads and these these two variants of this token so there's a fast and a slow redirect it doesn't exactly what it is it's just going to redirect to a URL that you you specify difference between the two the slowly around it will run some JavaScript in your browser and grab extra information so you can you know redirect your company home page or if you feel like drilling someone having a recall redirect and then some

kind of okay DNS open as you saw just those things were resolve it um it triggers an alert and there's enough extra feature which will cover as well that you can repaint some data in that DNA slope up and then you've seen some additional data with your your DNS token and DNA service is super flexible if you think of um anything that's connected to the hostname provides an opportunity for you to shut in that token and then if a connection is made it's going to trigger an element and also DNS being DNS you know it's likely just going to get out the network it's not often the case where you know DNS is restricted so and

you're going to get your represents using the va's derivative Channel

value Target um using that and again it uses that basic HTTP orback mechanism so maybe some of you are thinking um what happens if I open this word for new token without internet connectivity it's not going to drill it right because you need and you leave the internet basic thing and then we found a hinted towards this when we spoke about the equipment and so I'm going to cover the AWS token and then I'll revert back to the question and just provide you with the solution of how you can who is stack is going to definitely getting and let us out of your your descriptions

um really enticing High Fidelity alerts you're not expecting uh a regular user to install awcli perform API queries and so you know I definitely recommend hit the like button use it and not tied to your infrastructure at all it just let us on our back end um yeah I mean there's credentials the factors need to use it and it's enticing because you can potentially get access to anytime AWS account okay so I'm sure that AWS really just as negative 20 into the mailbox by now and we can have a look but just to cover the sort of the nuts and bolts of this token we're monitoring for for cloudtrail events on the back end once that's

raised we send them alerts and pop Cube so if you've played around with database you know that there's houses different types of services and there are cases where some of those services like your airports don't drive a car trade event and so we made it once into the stoking where if uh degree if the creation was used but there's no Cloud relevant we'll raise the safety nuclear which is an interesting piece of the language in its own would mean by chance someone made an API call there's no code really available or you're dealing with someone with some level of sophistication or a little bit of index it really is knowledge okay so we might do that if you can see

what happens if we use a word argument and there's no connectivity involved then you go for this sort of token stacking technique and what you can see here is we've added some you know enticing information in that word this is how we get access to this AWS account please don't share these credentials and it's veneer token open it up without internet connectivity it doesn't matter attack is going to want to touch the Amazon API and you'll get your alerts everything that you can travel near anything interfacing if you can't say why I've got again okay um so keeping that in mind we wanted to see which different types of devices we could tokenize and we you know keeping

back up our mind working from our Opps the end usage we sort of asked ourselves what devices do you have at home and then you know you'll have some some people from your device laptop computer a mobile device and maybe some sort of reason you know getting your internet access so we wanted to see if we could tokenize different uh device types and this is what we came up with

so you can easily imagine you're dropping an AWS key or a Word document onto sort of a laptop or a or a desktop and then the Y what token plays pretty nicely into that removal space so we can just say why God on sirens iPhone it create and what this does is it supposed to add a QR code or I don't know why you got VPN config that you can just add to your phone so I've uh very importantly added uh you know one of these to my phone and I'll just connect to the VPN and that's going to trigger and alert as well so we'll have a look at that alerting input so that's kind of got desktop laptop

Mobile coverage I can see that alert opt-in um but we wanted to check out whether we could add some detection to your sort of little um small office home office router and so inverter came up with a detection for a Microtech and you can see here it's hosted in AWS it's just for the sake of the demo typically this is on your home network no once you attaching this other than you and we're going to try and log in earlier and I think Google will probably reminded me and then it didn't anyhow so there we go nice um so let's have a look at those two alerts over there so um which one is this okay so there's the

wire guide on my phone so I try to connect to a VPN dragging an alert and then see another one popping up over here so here we go any size make project Source ID and this time it's a DNA based alert which you can see some extra data and we'll cover that but yeah it's saying um someone's gonna need to do the Mickey take over the Web Channel the authors admin and that's the ID inside the mirror chicks there all right so that's um how we did that we can move back to the slides again is super flexible these are why you got client for almost all of the major operating systems IOS app Windows whatever so you could drop it

pretty much anywhere um I know if I compromise any point and it says or VPN I'm going to want to check out what's behind that if you can um I kind of have two ways of thinking about the token as well so you can like we did with a phone or you know another device like figure the actual VPN tunnel and then when the connection's made its triggers or you can just sprinkle the files around so maybe you have a really restricted Network Three jump boxes deep dropper why I got quantity on each jump box that way if the attacker Excel trade step one free tries to connect to that VPN you know their own channel box one

two or three so really cool token recommend using it as well

a little scripting engine so we're just monitoring there for fail long agents and then triggering that um again that derivative DNS lookup okay so interestingly there was that generic data yeah you can see it says you know the channel is one box and the user was happening from was uh the other IP can see over there and they will share some of these fun they had here in the engineering protector included in the live content cool so yeah yeah reporting of the DNS Channel um that using one of the DNS Computing tokens and managed to uh offer some difficulties actually include the generic diets into that as well so as mentioned before that's basically two

encoded um and it just forms like a prefix to the hostname that gets generated with the token and following some specific rules documented on

probably would have been pretty easy to implement using that they then promptly removed it I've seen people are having too much fun with it so they moved a pretty struck down kind of stripping environment where things are functions are kind of an exotic ask so we had to put some effort into using like simple things like just maps and lookup tables just to do a kind of getting values for ASCII characters and then another lookup table for the best 32 including but uh yeah we got it right the word works is it actually just Trails the authentication log in the vector deck you can see your style of attempts also after some problems of string pausing and matching

and then generates the base 82 prefix and uses the DNS token for that so what we thought the nice thing about this was it gives you the channel you know one box in this case but uh we think users will probably just be I guess essential something maybe it's specifically in a number of different channels you can access them over the web API https um somewhere if you really want to go live if you log in so it's good to get a little bit extra info you might uh it might help in terms of figuring out what what it was in their floating on the firewall one of those FTP that's pretty strange if someone's accessing the APL of your

own router that's really really warning and then obviously it's nice to have the username and the source IDs

[Music] so we wanted to demonstrate that these tokens are super useful on any router really um the prime example is anything on the wire or a client you know we're working on working these days people are set up the media is pretty popular for managing that so we can actually replace the wire about token and that'll just work on any region that supports our clients and a storage service we can easily just generate new one copy the conflict place it into the original to start with the contract and upgrade it call it something cool like corporate VPN or Internet or management admin info that's really exciting for an attacker to try and break into our Network they'll

definitely want to connect to that and start rummaging around and at that time they'll have triggered in the middle class um so on the bridge is you know for people like myself why I've got to find a new thing um if you either have support for that you can also just reboot this the DMS token um board you know just about any VPN function entering router so in this case we showed that it's a GLI energy or pretty much any generic brand and it supports open VPN so I'm saying it'll work

[Music]

once again so I kind of just demonstrates again I'll fix all these things that I really can't just make a lower mind everywhere and then just come up with new use cases for them uh this just shows us you know the first one was a wire called specific that total online this actually did something you want to set as a child mentioned and it's okay there's definitely require God but the next one is pretty generic so we used in this token on that uses an open VPN client and but yeah if it's not something you recognize that also might be worth investigating cool so the next thing is uh I think a lot of us end up working a lot with crcd

systems and maybe if you're working remotely pushing code to uh GitHub or GitHub or something and a lot of that is making these pretty sensible containers so I'm going to start demonstrating how we can use it also if it's just a [Music] so first we'll just have a look at what our Docker file looks like and this is just a demonstration of a basic tokenized Docker container you can put something from like a standard proposery we can do some sort of activities that I need and then the important parts are just copying a special see we went to the first rc so that um we would end up triggering this if someone just executes their container

um like they do a Docker run or they do a doctor run or some argument or they do a DOT exit into a running container you can see you can see also said that into that and we'll see how that works but cool so let's just see me what uh and what the font looks like of course friends I'll definitely just got to functions super simple version not your usual bashroxy but but I think part of the deception of the whole thing I just have to check the final share and that does has a token available

next we have a watch which is basically what let's call as soon as the script runs uh uses I don't know if I work Linux binary to watchful file system events um and uh required to want us access to anything so as soon as you try and run something that assistance so

cool um

so we can hold our container and call something more interesting like Secrets management um that's uh technical Secrets management they'd be pretty entitled to how they look for what's going on inside there and then um like who am I Inlet container um it all looks good as usual but we're all also trig and alert and you can see it's really short enough on the side yeah cool so that's the kind of Basics now we can dive into Honda CL or CE environment and they've put together this project for us just as an example and to show us uh you know how we can go about using this in a more realistic or real life scenario

and I pulled a person the the reasoning was to kind of make it look like there might be some uh private keys or certificates embedded some endless repository [Music] um and uh the the kind of sport process is if someone gets access to this repo whether it doesn't make public by accident or an attack image to compromise your GitHub server and get an account you know they've locked yourself broken around and this this looks like a pretty fantastic project or maybe the project was made public due to some inauthentic Behavior must be their coordinated other routine um yeah CR

it seems to be the only kind of active part so to meet us from a second perspective this little more I'd be interested in your followers um just if you're familiar with Intel crl or let's do this we're pulling in a pretty standard container but sort of a hundred passing name of Old Town so far is usually used in the sense of provincial management or seaport management as an attack everybody excited if I came across something like um that's being called out there and this thing looks like it's pulling out using the four behind reach assigned code so it's Justified pretend to build a deploy stage with three power plants defined and the first one just you know

is a bit like a size creates more effects so

Docker container if you want to poke around that at least from my targets because they're they're very nice and easily and [Music] first definitely want to see what's happening with those credentials and honestly like this is almost keys to the kingdom we've seen a cube conflict so pulling in a generic image name just the latest version of it like this isn't so fake tail dot container so they definitely won't be anything interested in there it's public but it looks like later on we've got this CR variable defined but that's um class and server keys to allow us to talk to the communities then so it was an attacker if I can get access to kubernetes Cluster that that's looking

pretty exciting I'm definitely going to try and run see how it gets interesting from there and let's take a look at this Parkland and see what uh well what what the output looks like I mean we're definitely from Texas perspective I want to see what the log up because I don't see if there's anything interesting there um create some artifacts so we've um in lieu I've actually broken along and I'll just rerun this Pipeline and also I've seen some of the words coming in as this goes through uh so this is a some content that we went through previously um as soon as you're doing things go back to the dogs we can maybe just have a look at this

coffee to S3 thing you know cosignificant I think too interesting happening there you can go back to that if I from Taco here oh AWS credentials seems to be getting something from Vault interesting exporting them and now they're going into the console so from again an attacker perspective I definitely want to see what's going on yeah we're going to use these credentials try and see what we've got access to doesn't give us access to an account on multiple accounts um you know how much infrastructure can we actually get out of this so as soon as you try and use them for anything unless you can demonstrated let's say AWS client or CLI and the little

immediately trigger so again you can see that when the open potentials they don't actually have access to anything even though they're holidays but as soon as they use their training mode

and then lastly just to show kind of an interesting use of the newer tokens which is the um communities token it's uh it's actually a full cube uh conflict file so you can just pass it straight into Cube CTL the user to see what happens um in this it's made to look like we we're having a cute conflict from the environment using Cube CTL and trying to just get a cluster info from it um the token itself just incredible the back end implements just enough to complete the negotiation to the point where we can give an unauthorized response which is all we need because while that's on we've already got an alert tokens down its job we know is

someone who's using this contract that really should not be if we really run that we'll probably um probably see uh so we can also just have a look at the crcd variables looks like and as expected based 64 encoded version of a cube contract and point being like we can predict very well as a mask and whatever that's just an attacker gets stuck and maintain access to the repository it's all going to be able to read the raw text 40 credit um yeah so I think that's pretty much um a reasonable overview of under a real world scenario and how to use these things and make a repository that person pass into attackers um and just kind of you know other Home

Alone maybe drop everything put your fires all over the place and of course someone does trip over and they're very exactly what I know cool so we just went through the three jobs that we had created the first one just to recap a bit of a little about script inside the container as soon as anything happens whether something's executed on the path or someone to run some internal even if it's a you know maybe someone gets access to like a good Channel I know and they're seeing us

different uh our view in terms of trying to do some Recon just um once again every interest how flexible these tokens actually are I mean three countries and many different times in this case we just use EMS this will manage to um embed a little bit of information in that alert and also obviously that token so it tells us where this came from but the second job kind of speaks to the supply chain security you know Manchester area pretty much take over the entire account so we you made it look like a simple area in terms of tea bagging that's in the united console an attacker will definitely want to Travelers use them and if they were

super like uh concerned or try to be very stealthy very much if if such an intercastle exists and I find one that doesn't lock to cloudtrail which is how we look for use of innovative tokens um even in that case we would still get an alert what star mentioned was a you know their safety net

AWS credentials into our GitHub crown and then the last one is the as I mentioned if a new token kubernetes being pretty popular we created a q conflict token so that generates a specific configuration for you you can sprinkle it around in this case we use it in our plants you can make it look like a cluster that we want to change along this kind of training and our service Community is three and they're trying to deploy some sound code um it does differ to other tokens and that it actually relies on Mutual tier list authentication so I don't Circle authenticate each other um so yeah has to implement enough of us to actually complete that negotiation to

the point where the cube CTL client believes that it is talking to a legit communities cluster then obviously we just give an unauthorized but rather something question and just one thing that it was an interesting exercise and putting this all together like we saw that hit like the 10 000 characters trying to include the queue config in a GitHub variable so the the exercises you know how do we work around that um we're just going to look at the configs or okay typically ended the ca certificate um but we could remove that save a couple lines and uh just sit like an insecure till this no very far flag and so let's check over for about 3 000

characters never managed to shut them into the CR very well the the takeaway being this was like a simple stumbling block but a little bit of creativity goes along the way and it's super easy to work around these things and it once again it speaks about the flexibility of these tokens and you can use them in really interesting ways and sort of massage them into working for you in various scenarios so again just going through the coupon for the token we just thought there's an environment variable and as mentioned before as soon as we get that animal authorized response back it's already too late uh we know there's an attacker using this config and um yeah the token

has done a bit so yeah and just moving on from that there is a pretty widely distributed like crc3 Matrix and it kind of gives a number of scenarios with an attacker in my Expo which is the uncv system and how you make a compromise and the point of this is not to go through everything but just sort of like you know choose a couple and say and we use a canary trainers but some interesting way to avoid these situations or at least divert us on this so I think that's our chain compromise of our clcd I think we've recovered that pretty extensively like some of where to run that job we would definitely learn about it

um Wireless rejecting source code you know an attacker might think they need to use the Vault credible we'll use that Vault Docker container to transcend something we definitely can can alert on that and check the code it's pretty similar modifying clcd configuration if it's over the last or doing workbooks on any modification to a repo so we can just connect those to like our Canary token robot and we're getting alert on that as well maybe that's just kind of creative use of existing Primitives but I don't think that possibly used ultimately I think the the takeaway is that a lot of these situations can be at least Connecticut

so that's uh that's all I understand the CRC he's have um [Music] um yeah I think we're open to questions now and uh yeah Merry Christmas and that uh that is a line from both alone uh it's not uh yeah

it's pretty cool um I'm curious so the efficacy of these tokens obviously depend on your back end being up but since the purpose are free how sustainable is the business

and now um the back ends up all the time um if you don't trust it you can go visit your own Community has the you can kind of apologize to create your own and then the business has the commercial offering has its own you get your sort of single dinner console and that has its own um Canary to open server yeah but um for a pretty long time it's well known and that's uh they're just kind of giving something back alongside the commercial product which is exceptionally popular in a weekly that's it it's available on a single continent so it's it's not going away anytime soon and it's uh it's a service we want to

keep up because it uh you know it helps people who helps make people aware of us and have time as an open source version of it so if you don't trust us things going then use it that way thank you um I'm wondering about sort of like uh um so what would happen if you know if attackers start getting more sadly and recognizing the canary tokens either you know so that they can automatically avoid them and that becomes commonplace and there's any way to predict against that and then also is there any mitigation if they stop recognizing it and example start just flooding notifications in to kind of like you know disguise the triggers like once

they realize triggeration pop that they'll dislike you with all the triggers they can find so far everything to actually see which triggers a meaningful yeah so there's there's definitely you know a way to uncover that it's a kinetic token you do Google a lot enough to find scripts and things that can um do that for you so if you host your own Canary token um server you can change that in your own domain and that way it's not hosted on Canary tokens.org and then it's just a regular DNS traffic and it's going to be pretty hard to distinguish so that's just it's just a DNS to look up so um this kind of ways to defend against

that and again you you come up with level strategies like stacking tokens like AWS token inside the water document that word document doesn't have to be a canary token it can be a regular Word document how are you going to know that that's an error token so this ways around that and it's only all your second questions over electricity like spamming you with with tokens uh sure I guess someone can spam you with alerts um but on that initial interaction that's all you need right I placed a spoken on box one whether you send me one or a thousand dollars I don't get like you touch the thing that pushed over there let's go check it out okay

maybe just a quick follow-up question then is there any integration um for Canary tokens to you know existing sort of like in a tripwire style tools uh yeah so the fusion detection systems like I said I'm the I'm the sales guy so it's hard to be not too perfect to the commercial staff um but the with the three tokens there's a weird looking email so you can go do something other way with an issue um and then the commercial offering it there's a bunch of different integration options getting that into your regular Sims or log collect the ticketing system work whichever works over there

parties actually using Canary tokens as well so for instance what you see when it's malware groups actually forming other companies jira 95s that kind of thing eventually you're probably gonna end up with the therapy from not that I'm saying that you're it's like any tool right as when you become good you you find some favor right so any any thoughts on that um yeah it's pretty easy like I can give you ammo you can build it or break the door you know that's that's going to be the case um I did interesting prior to this and I use tokens offensively first time around upload them get a pink back oh [ __ ] like there's like speaking out of the

internet they're trying active so yeah that's there like use it either you want to use it use it for their own purpose but don't prevent someone from taking their ambulance managing to go down so that's my idea thank you

hi there thanks is something about kidnapping in case um are they like are you success stories outside of like intoxic ated included on the slide uh just fictitiously so we do get some holdbacks from from law enforcement I've been up against saying saying thanks and one that I recently spoke to someone about was Labor teaching someone about secure document practices and they're using Canary tokens as that try and open the document without triggering inside the thing so it's not primarily used to reduce dwell time in your aluminum network but this weird and wonderful ways to use them and we get those sort of thing back I don't have the the insight to share it it was this you know

law enforcement agency that said this on the same time but I I can assure you even online stuff defense