Skip to content

Microsoft Word Honeytoken Enterprise

A Microsoft Word honeytoken embeds a hidden trigger in a .docx document. Opening the file records the interaction and raises an incident.

Category: File

Configuration

OptionRequiredDescription
NoteYesWhere you placed the honeytoken

No extra options beyond the note.

After creation

Download the .docx file from the wizard.

Placement examples

Download the document and place it where an attacker might browse:

  • A shared network drive folder named "Backup", "Archive", or "Old" : folders that IT might legitimately create but that no day-to-day workflow touches
  • A cloud storage path like SharePoint > Finance > Restricted or Google Drive > HR > Confidential, where access requires elevated permissions
  • A home directory or desktop of a service account that is never actively used

Rename the file to something enticing if appropriate (e.g. salary_review.docx, confidential_memo.docx). When someone opens the file, you receive an incident.