Cyber Pulse Academy

⚠ ATT&CK T1589.002: Initial Access Precursor

Gather Victim Identity: Email Addresses, the Gateway to Every Phishing Attack

Adversaries systematically harvest email addresses from corporate websites, LinkedIn profiles, WHOIS records, and data breaches to build target lists for phishing, BEC, and spear-phishing campaigns. This is the reconnaissance step that precedes some of the most financially devastating cyberattacks in history, turning publicly available information into weapons of social engineering.

Tactic: Reconnaissance
Sub-technique: T1589.002
Platform: Enterprise
Risk: Critical

📦 Data Sources

  • Corporate Websites: public contact pages, press releases, team directories listing employee emails
  • LinkedIn / Social Media: employee profiles with company email patterns, job titles, department info
  • WHOIS / Data Breaches: domain registration contacts, leaked credentials, third-party databases

⚠ BEC Attack Chain Visualization

1. Reconnaissance: harvest emails from website, LinkedIn, WHOIS
2. Spoofed Email: impersonate VP of Finance with lookalike domain
3. Wire Transfer: urgent request to CFO for $1.8M payment
4. Money Lost: funds vanish to offshore shell company


Why Email Addresses Matter

Email addresses are the foundational reconnaissance artifact that enables the most costly cyberattacks worldwide. Understanding their role in the threat landscape is critical for every security professional.

  • $55B: total BEC losses 2013–2023 (Source: FBI IC3 PSA)
  • $16.6B: 2024 IC3 total cybercrime losses (Source: FBI IC3 / NACHA)
  • $8.5B: BEC losses reported 2022–2024 (Source: FBI IC3 / NACHA)
  • 193,407: phishing/spoofing incidents in 2024, the #1 reported crime (Source: FBI IC3 / Proofpoint)

Email addresses represent the single most valuable piece of publicly available intelligence an adversary can obtain about a target organization. Unlike credentials, which require exploitation or theft, email addresses are often published openly on corporate websites, embedded in WHOIS domain registration records, exposed through LinkedIn and social media profiles, or leaked in third-party data breaches. This accessibility makes email harvesting the most common starting point for adversarial reconnaissance, and the gateway to some of the most devastating attacks in cybersecurity history.

Business Email Compromise (BEC) has emerged as the costliest cybercrime globally, with the FBI IC3 reporting $55 billion in cumulative losses between 2013 and 2023. In 2024 alone, total IC3-reported cybercrime losses reached $16.6 billion, with BEC ranking as the second-costliest crime type behind investment fraud. BEC specifically caused $2.7–2.9 billion in losses across 21,000+ reported incidents in 2024, according to analyses by Astra Security and Proofpoint. Phishing and spoofing remained the number-one reported cybercrime with 193,407 incidents in 2024, underscoring that email-based attacks dominate the threat landscape.

The average requested wire transfer in BEC attacks continues to escalate year over year, with attackers leveraging increasingly sophisticated impersonation techniques enabled by harvested email addresses. Adversaries don't just collect emails; they derive organizational email patterns from employee names ([email protected]), identify high-value targets like CFOs and VP-level executives, and build dossiers that enable convincing social engineering. The email address is not merely contact information; it is the skeleton key that unlocks phishing campaigns, credential harvesting, malware delivery, and financial fraud at unprecedented scale.

Defenders must recognize that every publicly exposed email address is a potential attack vector. Organizations that fail to audit and restrict their email exposure are effectively handing adversaries the building blocks for targeted campaigns. From CISA advisories on phishing and ransomware to FBI PSA alerts on BEC tactics, every major cybersecurity authority emphasizes that email address hygiene is a critical first line of defense against the most costly cyber threats facing enterprises today.


Key Terms & Concepts

Understanding the technical foundation and real-world implications of email address harvesting as an adversarial technique.

📚 Simple Definition

Email Addresses (T1589.002) is a sub-technique under MITRE ATT&CK's Gather Victim Identity Information tactic, where adversaries systematically collect email addresses of individuals within a target organization. These email addresses are readily available through multiple open-source intelligence (OSINT) channels including corporate websites that list departmental contacts, LinkedIn and professional networking profiles that reveal employee names and organizational email patterns, WHOIS domain registration records that expose administrative and technical contacts, publicly available data breach dumps, and third-party directory services. Once harvested, these emails become the foundation for a wide range of devastating follow-on attacks including mass phishing campaigns designed to harvest credentials, targeted Business Email Compromise (BEC) attacks impersonating executives to initiate fraudulent wire transfers, spear-phishing campaigns tailored to specific individuals using gathered context, and malware delivery via weaponized attachments or malicious links. Adversaries can also algorithmically derive email addresses from employee names by testing common organizational naming conventions such as [email protected], [email protected], or [email protected], rapidly expanding their target list without requiring any direct exposure of those specific addresses.

🌟 Everyday Analogy

Think of an email address like a phone number: it's your direct line to a specific person within an organization. If someone were to compile a complete phone book listing every employee's number at a company, they could call anyone directly and pretend to be anyone they want: the CEO requesting an urgent wire transfer, the IT department asking for a password reset, or HR announcing a new benefits enrollment portal that's actually a credential harvesting site. That's exactly what email harvesting enables at digital scale: adversaries build a comprehensive "phone book" of employee email addresses, then weaponize it by sending perfectly crafted fake messages that appear to come from trusted internal sources. The attacker doesn't need to hack anything initially; they simply collect information that's already public, combine it with social engineering, and exploit the inherent trust humans place in familiar-looking email senders and organizational communication patterns. Just as you'd think twice before giving out your personal phone number to strangers, organizations must think carefully about which email addresses they make publicly accessible, because each one represents a potential entry point for a socially engineered attack that could cost millions.


Real-World Scenario

How a single harvested email address enabled a $1.8 million Business Email Compromise attack.

Angela Torres

VP of Finance at Meridian Manufacturing, a mid-sized industrial company with 850 employees across 12 facilities. Angela oversees all financial operations including accounts payable, wire transfers, and vendor payments.

❌ Before: The Attack

Meridian Manufacturing's corporate website listed all department heads' personal email addresses publicly on the "Leadership Team" and "Contact Us" pages, including Angela's address, [email protected]. Their domain's WHOIS records displayed administrative and technical contact emails tied to the finance department. Employee LinkedIn profiles followed a predictable and easily discoverable email pattern: [email protected]. Using only open-source intelligence, a threat actor compiled a comprehensive list of over 200 employee email addresses, identifying high-value targets by job title and seniority. The attacker then launched a sophisticated BEC attack impersonating Angela herself, registering a lookalike domain (meridian-mfg.com with a hyphen) and sending an urgent, professionally worded email to the CFO requesting an immediate $1.8 million wire transfer to a "new supplier" account in Hong Kong. The email appeared to come from Angela's address, referenced ongoing vendor negotiations, and conveyed appropriate urgency. The CFO, recognizing Angela's name, email format, and the context of supplier payments, complied without verification through out-of-band channels. The $1.8 million was transferred to a Hong Kong shell company account and was irrecoverable within hours, fragmented across multiple international transfers designed to obscure the money trail. The entire operation relied on nothing more than a single publicly exposed email address and the predictable naming convention that allowed the attacker to identify and impersonate the right person.

✅ After: The Recovery

Following the devastating BEC loss, Angela Torres led a comprehensive security overhaul of Meridian's email exposure and financial transaction controls. She immediately removed all personal employee email addresses from the public-facing corporate website, replacing them with generic role-based aliases ([email protected], [email protected]) that route through a filtered ticketing system. She implemented DMARC (Domain-based Message Authentication, Reporting, and Conformance) at enforcement policy level, along with DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) to cryptographically verify legitimate email sources and reject spoofed messages. Angela established mandatory out-of-band verification for all wire transfers exceeding $25,000, requiring a phone call to a pre-registered number using a known voice to confirm every transaction. She deployed mandatory BEC awareness training for all finance team members, with quarterly simulated phishing exercises tailored to reflect real-world BEC scenarios. Finally, Angela subscribed to domain monitoring services that provide real-time alerts whenever lookalike domains are registered (e.g., meridian-mfg.com, meridianmfg.net), enabling proactive takedown requests before attackers can use them in campaigns. These combined measures reduced Meridian's email-based attack surface by over 90% and established multiple verification layers that would prevent a similar attack from succeeding.


Step-by-Step Defense Guide

Seven actionable steps to reduce your organization's email-based attack surface and protect against BEC, phishing, and spear-phishing campaigns.

1. Audit Public Email Exposure

Conduct a comprehensive audit of every location where your organization's email addresses appear publicly. Search your corporate website, subsidiary sites, press releases, PDF documents, social media profiles, LinkedIn company page, WHOIS records for all registered domains, third-party directories (ZoomInfo, Crunchbase, Yellow Pages), and any data broker listings. Document every email address found, noting its exposure context and the sensitivity of the role it's associated with. Use automated OSINT tools to discover email addresses you may not realize are exposed. Prioritize removal of addresses belonging to executives, finance team members, IT administrators, and anyone with wire transfer authority. This audit should be repeated quarterly as new exposures frequently appear through employee social media activity, conference speaker listings, and third-party publications.

2. Implement Email Authentication (DMARC/DKIM/SPF)

Deploy the three pillars of email authentication to prevent domain spoofing and impersonation attacks. SPF (Sender Policy Framework) publishes a DNS record listing all authorized mail servers for your domain. DKIM (DomainKeys Identified Mail) adds cryptographic signatures to outgoing emails, allowing recipients to verify messages haven't been tampered with in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails; set this to "p=reject" to block unauthenticated emails claiming to be from your domain. DMARC also provides aggregate and forensic reports that alert you to spoofing attempts targeting your organization. Start with DMARC monitoring (p=none) to baseline your email traffic, then progress to enforcement (p=reject) once you've identified and authorized all legitimate email senders.

3. Remove Personal Emails from Public-Facing Assets

Replace all individual employee email addresses on public-facing websites with generic role-based aliases (info@, support@, sales@) that route through filtered helpdesk or ticketing systems. Update WHOIS records to use domain privacy services that shield administrative contacts. Remove personal emails from LinkedIn profiles or restrict visibility to connections only. Audit all published documents (annual reports, whitepapers, case studies, marketing materials) for embedded email addresses. Implement a corporate policy requiring employees to use generic contact forms rather than listing personal addresses publicly. Consider using email aliases that forward to actual addresses but can be rotated if compromised. For executives and high-value targets, provide separate "public" and "internal" email addresses to compartmentalize risk.

4. Deploy Advanced Email Threat Protection

Implement a multi-layered email security architecture that goes beyond basic spam filtering. Deploy AI-powered email security platforms (such as Proofpoint, Microsoft Defender for Office 365, or Abnormal Security) that analyze communication patterns, detect anomalous sender behavior, and identify BEC-specific indicators like urgency language, wire transfer requests, and domain impersonation. Enable link rewriting and URL sandboxing to detonate malicious links in isolated environments before they reach users. Deploy attachment sandboxing to analyze files for malware in real time. Configure mailbox intelligence to learn each user's typical communication patterns and flag deviations. Implement header anomaly detection to identify spoofed display names, reply-to mismatches, and lookalike domain registrations. Layer these capabilities with your existing secure email gateway for defense-in-depth protection.

5. Establish Financial Transaction Verification Protocols

Create and enforce mandatory out-of-band verification procedures for all financial transactions, especially wire transfers, ACH payments, and changes to vendor banking information. Require a phone call to a pre-registered, independently verified phone number (not a number provided in the email requesting the transfer) for any payment exceeding a defined threshold. Implement dual-authorization requirements for large transactions, ensuring at least two authorized signatories must approve any wire transfer above $25,000. Establish a mandatory cooling-off period (minimum 24 hours) for new vendor payment setup and large transfers to allow additional scrutiny. Create a simple callback verification form that includes the vendor's known contact information, not the contact details from the payment request email. Train finance teams to treat any deviation from established payment procedures as a potential BEC indicator, regardless of the perceived urgency or seniority of the requester.

6. Train Employees on Email-Based Attacks

Implement a comprehensive security awareness training program specifically focused on email-based threats including phishing, spear-phishing, BEC, and social engineering. Conduct monthly simulated phishing exercises that reflect current real-world attack patterns, including CEO impersonation, HR-themed lures, IT support scams, and vendor payment fraud. Use training content that demonstrates specific BEC indicators such as pressure tactics, unusual timing, requests for secrecy, deviations from normal communication channels, and mismatched sender domains. Provide immediate, contextual feedback when employees interact with simulated phishing emails. Track metrics including click rates, reporting rates, and time-to-report, and use these to measure program effectiveness over time. Ensure training is role-specific: finance teams need focused BEC training, IT staff need credential harvesting awareness, and all employees need foundational phishing recognition skills. Build a culture where reporting suspicious emails is rewarded, not punished.

7. Monitor for Lookalike Domains and Spoofed Emails

Subscribe to domain monitoring services that provide real-time alerts whenever new domains are registered containing your company name, trademarks, or executive names (e.g., meridian-mfg.com, meridianmfg-security.com, angela-torres.com). Implement DNS monitoring to detect unauthorized changes to your own domain records that could facilitate email interception. Deploy DMARC reporting tools to continuously analyze authentication failures across the global email ecosystem, identifying ongoing spoofing campaigns targeting your brand. Configure your email security platform to flag incoming emails from newly registered domains or domains with similar character sequences to your organization's domain (homoglyph attacks using characters like rn for m, 0 for o, or unicode lookalikes). Establish a rapid response process for takedown requests when lookalike domains are identified, including relationships with domain registrars and hosting providers. Integrate threat intelligence feeds that provide alerts on your organization's email addresses appearing in data breaches, paste sites, or dark web forums.


Common Mistakes & Best Practices

Avoid these critical errors and adopt proven defenses to protect your organization from email-based reconnaissance and attacks.

❌ Common Mistakes

Publishing executive email addresses on company websites. Many organizations still list CEO, CFO, and VP email addresses on their "Leadership" or "Contact" pages, providing adversaries with high-value targets for BEC attacks. Every publicly listed executive email is a loaded weapon handed to attackers.

Leaving DMARC policy at "none" or not implementing it at all. A DMARC policy set to p=none means your domain provides zero protection against spoofing: receiving servers will deliver unauthenticated emails claiming to be from your organization without any rejection or quarantine.

Using predictable email naming conventions without protecting the directory. When organizations use consistent patterns like [email protected] and make the employee directory accessible, attackers can derive every employee's email from a list of names, instantly creating a complete target list.

Allowing wire transfers based solely on email authorization. Any financial transaction approved through email alone, without out-of-band verification via phone call or in-person confirmation, is vulnerable to BEC. Attackers specifically target organizations with weak financial verification controls.

Ignoring WHOIS exposure and third-party data broker listings. WHOIS records for your domains may expose administrative and technical contact emails to anyone performing a simple lookup. Data brokers like ZoomInfo, Apollo, and Hunter.io aggregate and sell employee email lists, further expanding your attack surface.

✅ Best Practices

Replace personal emails with role-based aliases on all public assets. Use info@, support@, and sales@ addresses routed through ticketing systems instead of listing individual employee addresses. This eliminates direct targeting while maintaining legitimate customer communication channels.

Enforce DMARC at p=reject with DKIM and SPF properly configured. Full email authentication enforcement prevents domain spoofing and ensures that only authenticated messages from your organization reach recipients' inboxes. Monitor DMARC reports weekly for spoofing attempts.

Mandate out-of-band verification for all financial transactions. Require phone callback to a pre-registered number for any wire transfer or payment change request. This single control has prevented billions in BEC losses and is recommended by the FBI, CISA, and every major financial institution.

Subscribe to domain monitoring for lookalike registrations. Automated monitoring services alert you immediately when domains similar to yours are registered (meridian-mfg.com, meridianmfg.net), enabling rapid takedown before attackers can use them in phishing or BEC campaigns.

Conduct quarterly OSINT audits of your email exposure footprint. Regularly search for your organization's email addresses across the web, data brokers, social media, and breach databases. Each audit should produce a report of new exposures requiring remediation, tracked over time to measure improvement.


Red Team vs Blue Team View

Understanding email address harvesting from both adversarial and defensive perspectives.

🔴 Red Team Perspective

Attacker Mindset: Offensive Operations
  • Harvest email addresses from target website contact pages, press releases, and publicly listed team directories using automated scraping tools and manual OSINT collection methodologies.
  • Query WHOIS records for all domains owned by the target organization, extracting administrative, technical, and billing contact emails that reveal infrastructure owners and decision-makers.
  • Enumerate LinkedIn and professional networking platforms to build a complete organizational chart with employee names, titles, departments, and reporting relationships for targeted spear-phishing.
  • Derive email addresses algorithmically by testing common naming conventions (firstname.lastname, flastname, firstnamelastname) against the identified domain using email verification tools and SMTP probing.
  • Cross-reference harvested emails against known data breach databases (Have I Been Pwned, BreachDirectory) to identify previously compromised credentials that enable credential stuffing and initial access.
  • Prioritize high-value targets including C-suite executives, finance team members with wire transfer authority, IT administrators with privileged access, and HR personnel who can facilitate follow-on attacks.
  • Use the compiled email list to craft personalized phishing lures, register lookalike domains for BEC campaigns, and build convincing social engineering scenarios tailored to each target's role and organizational context.

🔵 Blue Team Perspective

Defender Mindset: Defensive Operations
  • Conduct regular OSINT assessments to discover and catalog every publicly exposed email address associated with the organization, treating each as a potential attack vector requiring remediation or monitoring.
  • Implement comprehensive email authentication (DMARC p=reject, DKIM, SPF) to prevent domain spoofing and receive forensic reports about authentication failures that indicate active spoofing campaigns targeting the brand.
  • Deploy AI-powered email security platforms that analyze communication patterns, detect BEC-specific indicators (urgency, financial requests, vendor impersonation), and quarantine suspicious messages before they reach end users.
  • Establish and enforce mandatory out-of-band verification protocols for financial transactions, ensuring no wire transfer or payment change is processed based solely on email communication regardless of the perceived sender.
  • Monitor DMARC aggregate and forensic reports continuously for unauthorized senders attempting to spoof organizational domains, and track trends over time to identify targeted campaigns against the organization.
  • Implement domain monitoring services that alert on lookalike domain registrations containing company trademarks, executive names, or character substitutions designed to deceive employees and external partners.
  • Run regular phishing simulation exercises tailored to BEC and spear-phishing scenarios, tracking metrics to measure awareness improvement and identify departments requiring additional focused training.

Threat Hunter's Eye

Detection queries, indicators of compromise, and hunting strategies for identifying email address harvesting and related attack activity.


Detection Queries

Monitor email gateway logs for authentication failures from external IPs attempting to verify harvested email addresses via SMTP VRFY or RCPT TO enumeration. Track DMARC forensic reports (ruf) for spoofed sender domains and analyze aggregate reports (rua) for authentication failure patterns. Query proxy logs for connections to known data broker services (Hunter.io, Snov.io, Apollo) that indicate active email harvesting against your organization. Search email logs for messages with mismatched Reply-To and From headers, a classic indicator of BEC preparation. Monitor DNS query logs for lookups of recently registered domains containing your company name or executive names, which often precede BEC campaigns using the harvested email intelligence.

index=email_gateway (authentication_fail="true") OR (dmarc_fail="true") | stats count by sender_domain, recipient

Key Indicators of Compromise

Watch for spikes in authentication failure rates on your mail servers that could indicate an adversary probing your email directory for valid addresses. Monitor for incoming emails from domains registered within the past 30 days, especially those containing typosquatting variations of your domain. Track employee email addresses appearing in fresh data breach dumps or paste sites (monitor Have I Been Pwned API and dark web intelligence feeds). Look for unusual volumes of out-of-office replies to external senders, which attackers use to confirm active email addresses and gather organizational intelligence. Monitor for emails with display name spoofing where the visible sender name matches an internal employee but the underlying email address belongs to an external domain.

index=proxy domain IN ("hunter.io","snov.io","apollo.io","zoominfo.com") src_ip!=internal_range
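Added example (not the page's own code) covering the header checks named in this section and the homoglyph check in step 7 of the defense guide: it scores a message's From and Reply-To headers for reply-to mismatch, display-name spoofing of an internal employee, and lookalike sender domains (hyphenated, typosquatted, rn/0/1 confusables, or Unicode variants). The domain, employee names and sample headers are constructed; a production version should use the Public Suffix List instead of the second-level label shortcut.

```python
import unicodedata
from email.utils import parseaddr

OUR_DOMAIN = "meridianmfg.com"                   # constructed, matching the page's fictional company
INTERNAL_NAMES = {"angela torres", "dana lee"}   # constructed excerpt of the employee directory

# ASCII pairs that look alike in common fonts; applied to both sides of every comparison.
CONFUSABLES = [("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")]


def normalize_label(label: str) -> str:
    """Fold Unicode lookalikes to ASCII, drop hyphens, then collapse ASCII confusables."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower().replace("-", "")
    for confusable, target in CONFUSABLES:
        folded = folded.replace(confusable, target)
    return folded


def registrable_label(domain: str) -> str:
    """Second-level label (meridianmfg.net -> meridianmfg); real code should use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_internal(domain: str) -> bool:
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def looks_like_our_domain(domain: str) -> bool:
    """True for an external domain that collapses onto ours after normalization."""
    domain = domain.lower()
    if not domain or is_internal(domain):
        return False
    return normalize_label(registrable_label(domain)) == normalize_label(registrable_label(OUR_DOMAIN))


def analyze(headers: dict) -> list:
    """Return the BEC indicators present in one message's From / Reply-To headers."""
    findings = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # Reply-To pointing away from the From domain: replies leave the visible sender.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # Visible name matches an employee but the address is not on our domain.
    if display_name.strip().lower() in INTERNAL_NAMES and not is_internal(from_domain):
        findings.append("display-name-spoof")
    # Registered lookalike of our domain (hyphen, typosquat, homoglyph or Unicode variant).
    if looks_like_our_domain(from_domain):
        findings.append("lookalike-domain")
    return findings


# Constructed header sets; .example is the reserved TLD, so nothing here resolves.
SAMPLE_MESSAGES = [
    {"From": "Angela Torres <angela.torres@meridianmfg.com>"},
    {"From": "Angela Torres <angela.torres@webmail.example>",
     "Reply-To": "Angela Torres <finance-desk@relay.example>"},
    {"From": "Angela Torres <angela.torres@meridian-mfg.com>"},
    {"From": "Dana Lee <dana.lee@meridianmfg.com>",
     "Reply-To": "dana.lee@relay.example"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", analyze(msg) or "clean")
```

The fourth sample (internal From, external Reply-To) is the pattern DMARC at p=reject should stop at the gateway; the header check is the backstop for mail that still arrives.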

Hunting Strategy

Adopt a hypothesis-driven hunting approach: assume adversaries have already harvested your email addresses and hunt for evidence of that intelligence being weaponized. Start by identifying all emails sent to finance team members that contain financial terminology, urgency indicators, or vendor-related language, then cross-reference sender domains against known BEC patterns. Hunt for newly registered domains using passive DNS databases (VirusTotal, SecurityTrails) that contain your company name or common misspellings. Correlate DMARC failure data with geographic anomalies: spoofing attempts from countries where your organization has no business presence are high-priority indicators. Establish a baseline of normal email communication volumes and flag statistically significant deviations, especially sudden increases in external emails targeting specific departments during off-hours, which correlates with active BEC campaigns.

index=dns newly_registered=true domain="*yourcompany*" | table domain, registrar, created, name_servers

Continue Exploring

Master the Full Reconnaissance Kill Chain

Email address harvesting is one piece of the adversary's identity collection puzzle. Explore the parent technique and sibling sub-techniques to understand the complete reconnaissance methodology and build comprehensive defenses across all identity gathering vectors.


