@HackingLZ
Last active March 24, 2024 14:54
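#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore
from colorama import Style
from colorama import init

init()

# Domains that appear in every Office document (schemas, vendor namespaces).
ignore_list = list({
    'purl.org',
    'microsoft.com',
    'openxmlformats.org',
    'w3.org',
})  # use of set within list ensures that all items are unique

# Domains known to host canary tokens.
alert_list = list({
    'internalcanarytokendomain.org',
    'canarytokens.com',
})

# Raw string so the regex escapes are not treated as string escapes.
url = re.compile(r"(https?://[\w.-]+[/\w .-]*)")


def host_in(item, domains):
    """Return True if the URL's host is one of `domains` or a subdomain of one."""
    host = urlparse(item).hostname or ''
    # Match on a label boundary so 'notmicrosoft.com' is not treated as 'microsoft.com'.
    return any(host == d or host.endswith('.' + d) for d in domains)


ap = argparse.ArgumentParser()
ap.add_argument("--input", "-i", required=True, help="Input file")
args = ap.parse_args()

with zipfile.ZipFile(args.input) as doc:
    match = []
    for i in doc.filelist:
        with doc.open(i.filename) as file:
            for line in file:
                # Binary parts (images, fonts) are not valid UTF-8; skip undecodable bytes.
                match.extend(url.findall(line.decode('utf-8', errors='ignore')))
    # Drop URLs that point at the ignored schema/vendor domains.
    match = [x for x in match if not host_in(x, ignore_list)]
    for item in match:
        # Red for known canary domains, yellow for every other URL found.
        if host_in(item, alert_list):
            foreground_color = Fore.RED
        else:
            foreground_color = Fore.YELLOW
        print(foreground_color + item + Style.RESET_ALL)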
@mr-r3b00t

This is cool! We need a PowerShell one ;)

@n3tsurge

n3tsurge commented Oct 31, 2022

Awesome stuff, really useful if you know the destination URL, but if someone is running their own Canary Token instance under a customer domain you may not find it. I started something similar here https://github.com/n3tsurge/detect-canary/blob/main/detect-canary.py that detects the actual embedding technique Canary Tokens uses (at least for DOCX for now), but I never finished it.

@C0axx

C0axx commented Nov 3, 2022

PowerShell version, it's janky but works :)

https://gist.github.com/C0axx/ebf65d863ee708464287c7040b15162a
