By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.

Sections

ID	Name	Description
ME028	Delegated Access via Managed Service Providers	An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments. The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client’s environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where customer organization's policies, incident response authority, or legal recourse do not apply. This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where—rendering all downstream actions unauditable by the customer organization's internal security teams, unless mirrored within the client-controlled environment. The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff. This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability.
PR004.001	Network File Exploration	A subject may search for, or otherwise explore files on a Network Attached Storage (NAS) device to identify sensitive information.
PR004.002	Collaboration Platform Exploration	A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.
PR006.003	Security Enumeration via File System	A subject attempts to identify security software on a target system by looking through the file system to identify relevant directories or files.

References

https://canarytokens.org/nest/