/
On this page
E-mail OSINT
Email OSINT involves discovering, verifying, and investigating email addresses.
Email Discovery tools
These tools allows to:
- Search by company domain to identify email patterns and find employee addresses with their roles
- Perform bulk collection and export of emails from domain searches
- Find emails using a person’s name combined with their company
- Integrate with professional networks and email platforms through browser extensions
They typically offer features like pattern identification, department filtering, and monthly search limits on free tiers
Email Verification tools
- Confirm email exists without contacting
- Validate findings
- Avoid alerting targets
There are many tools for email verification.
Use Cases
Investigations:
- Link sock puppets to real identities
- Connect multiple accounts
- Verify email ownership without direct contact
Penetration Testing:
- Verify email enumeration
- Confirm account existence
- Gather information for social engineering
Email Pattern Analysis
Common Corporate Patterns
| Pattern | Example | Notes |
|---|---|---|
| First.Last | john.doe@company.com | Most common |
| FLast | jdoe@company.com | Initial + last |
| FirstLast | johndoe@company.com | No separator |
| First | john@company.com | Small companies |
| FirstL | john.d@company.com | Initial only |
| Last | doe@company.com | Rare |
How to Determine Pattern
- Use Hunter.io - Often shows pattern
- Search for one known email - “john.doe@company.com”
- Analyze multiple results - Look for consistency
- Test variations - Try pattern with target name
Real-World Example
Company: TCM Security
- Found: heat@tcm-sec.com, rizwan@tcm-sec.com
- Pattern: firstname@company.com
Company: Tesla
- Found: emusk@tesla.com, multiple variations
- Pattern: {first initial}{lastname}@tesla.com
- Also: Some use full names, others initials
Integration with Other OSINT
Workflow Example
Investigation Goal: Find email for Bob Jones at Target Company
Step 1: Google search
"Bob Jones" "Target Company" emailStep 2: Hunter.io
- Search targetcompany.com
- Identify pattern: {f}{last}@targetcompany.com
- Predict: bjones@targetcompany.com
Step 3: Verify
- Use Email Hippo to check bjones@targetcompany.com
- Result: Valid
Step 4: Additional verification (if needed)
- Forgot password technique on related accounts
- Check breach databases
- Cross-reference LinkedIn