June 10, 2026
They Already Have Your Email - You Just Don’t Know It Yet
You haven’t clicked anything suspicious. You haven’t replied to a sketchy message. You haven’t even been active online today.
mrwhite18
But somewhere, a pentester — or worse, an attacker — just typed your company's domain into a search box. And within thirty seconds, they have your email address, your job title, and a pretty good guess at who your manager is.
This isn't a movie scene. This is Phase 1 of almost every real-world red team engagement. And the tools that make it possible are completely free, completely legal, and shockingly accurate.
Let me walk you through how it works.
It Starts With Just a Domain
Imagine a penetration tester gets hired to assess a company. No insider knowledge. No leaked credentials. Just a company name and a website.
The first thing they do isn't scan for open ports. It isn't running Nmap. It's something far quieter — they start harvesting emails. Because emails are identity. And identity is the gateway to everything.
The domain goes into Hunter.io first.
Hunter is the tool most pentesters reach for when they want a quick picture of who works at a company. Feed it a domain and it returns a list of email addresses it has indexed from public sources — websites, PDFs, press releases, GitHub repos, anywhere an email has ever appeared publicly. More importantly, it shows you the pattern — firstname.lastname@company.com, or maybe f.lastname@, or just firstname@. That pattern alone is worth gold. Once you know how a company formats its emails, you can guess the address of anyone in the org — the CEO, the CFO, the IT admin who has domain admin rights.
Hunter even gives you a confidence score. Some emails are verified. Some are inferred. The tester notes both.
When Hunter Isn't Enough
Smaller companies, startups, organisations that haven't been crawled heavily — Hunter sometimes comes back thin. That's when Phonebook.cz enters the picture.
Phonebook is part of the IntelligenceX ecosystem, and it pulls from a different well — breach data, passive DNS, historical records. It's not just finding emails that are publicly posted. It's finding emails that were public at some point, or that leaked in a data breach years ago. Old email addresses still matter. People reuse passwords. Old accounts sometimes still work. A dormant address on a legacy system can be the quietest door into a network.
The tester cross-references both lists. Duplicates get flagged as high-confidence targets. New entries get added to the growing spreadsheet.
Building the Full Picture With Apollo
Apollo.io is technically a sales intelligence platform. But in the hands of a red teamer, it's something else entirely.
Apollo carries a database of over 50 million professional contacts. It doesn't just return an email — it returns a job title, a LinkedIn profile, a company hierarchy. Now the tester isn't just looking at a list of addresses. They're looking at an org chart. They can see who reports to whom, who's in finance, who's in IT, who was recently promoted and might be eager to impress and therefore more likely to click something without thinking twice.
This is where passive recon starts shaping the spear phishing strategy. The email isn't going to say "click here." It's going to say "Hi Sarah, following up on the Q3 budget approval you mentioned to James last week." Because the tester now knows Sarah, James, and the rough shape of their working relationship — all from publicly available data.
The Step Most People Skip — Verification
Here's where a lot of people make a mistake. They collect a hundred email addresses and assume they're all valid. They're not.
People leave companies. Domains change. Email formats get updated after rebranding. Sending a phishing simulation — or in a real attack scenario, a malware payload — to a dead inbox is wasted effort, and worse, it generates noise that can alert defenders.
Email Hippo solves this quietly. You feed it a list of addresses and it runs SMTP-level checks — essentially knocking on the door of each mailbox without actually sending anything. It tells you which ones exist, which ones are dead, and which ones are catch-alls. The tester trims the list. What's left is a clean, verified, high-confidence target set.
And alongside Email Hippo, there's Clearbit Connect — a Chrome extension that lives inside Gmail and surfaces contact information and LinkedIn profiles for anyone at a given domain. It's frictionless and fast, useful for filling in gaps and confirming identities when you already have a partial picture.
What the Attacker Now Has — From a Single Domain Name
Stop and think about what just happened. The tester started with nothing but a company website. No credentials. No insider access. No hacking in the traditional sense.
They now have:
- A verified list of employee email addresses
- The email format pattern for the entire organisation
- Job titles and reporting structures
- Historical email addresses from old breaches
- A shortlist of high-value targets — people in finance, IT, or leadership
All of this is available to anyone with an internet connection and thirty minutes to spare. None of it required breaking a single law. It's all passive. It's all public. And it's all incredibly useful to someone who wants to get inside your organisation.
The Defender's Side of This
So what do you do about it?
The first move is awareness. Register your organisation's domains on HaveIBeenPwned and set up alerts. Know when your employees' emails appear in breach datasets before an attacker finds out.
Train your people — especially anyone in finance, IT, or executive roles — to be sceptical of emails that feel personalised and urgent. Spear phishing works because it doesn't look like phishing. It looks like a familiar colleague with a reasonable request.
On the technical side, review what your own domain is leaking. Search your company on Hunter.io right now. Whatever you see, an attacker sees too. Old addresses that shouldn't exist anymore? Get them cleaned up or at least monitored.
And invest in security awareness that goes beyond generic "don't click links" training. People need to understand how attackers build context before the attack even begins. The phishing email is the last step — not the first.
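An added example (not from the original article) of the self-review described above: it cross-references the addresses that public sources list for your own domain against the staff directory and ranks which exposures to clean up or monitor first. The source names, addresses, directory layout and scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: addresses found by searching our own domain, per source.
EXPOSED = {
    "public_index": ["sarah.lee@example.com", "james.roy@example.com",
                     "old.intern@example.com", "helpdesk@example.com"],
    "breach_archive": ["Sarah.Lee@example.com", "t.admin@example.com",
                       "old.intern@example.com"],
}
# Constructed directory export: address -> (department, mailbox enabled).
DIRECTORY = {
    "sarah.lee@example.com": ("finance", True),
    "james.roy@example.com": ("marketing", True),
    "t.admin@example.com": ("it", True),
    "old.intern@example.com": ("marketing", False),
}
HIGH_VALUE = {"finance", "it", "leadership"}  # roles the article singles out


@dataclass
class Finding:
    address: str
    sources: list
    status: str    # "active", "stale" (mailbox disabled) or "unknown"
    priority: int  # higher means review first


def audit(exposed, directory):
    """Merge per-source lists, then rank each exposed address for review."""
    seen = {}
    for source, addresses in exposed.items():
        for addr in addresses:
            # Normalise case so the same mailbox is counted once per source.
            seen.setdefault(addr.strip().lower(), set()).add(source)
    findings = []
    for addr, sources in seen.items():
        dept, enabled = directory.get(addr, (None, False))
        status = "unknown" if dept is None else ("active" if enabled else "stale")
        priority = len(sources)                      # listed in several places
        priority += 2 if dept in HIGH_VALUE else 0   # finance, IT, leadership
        priority += 2 if status != "active" else 0   # should not exist any more
        findings.append(Finding(addr, sorted(sources), status, priority))
    return sorted(findings, key=lambda f: (-f.priority, f.address))


if __name__ == "__main__":
    for f in audit(EXPOSED, DIRECTORY):
        print(f"{f.priority}  {f.status:7}  {f.address}  {','.join(f.sources)}")
```

Stale and unknown entries are the ones to disable, redirect or put under monitoring; active high-value entries are the people to prioritise for targeted phishing training.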
Why This Matters Beyond the Pentesting Lab
In real-world red team engagements, email harvesting is almost always Phase 1. It's unglamorous. There's no shell popping, no CVE being exploited. But it's the foundation that everything else is built on.
The most sophisticated intrusions in recent memory didn't start with a zero-day. They started with a well-crafted email sent to the right person at the right time — because the attacker spent time understanding who that person was before ever sending a single packet.
The tools exist. The data is out there. The question is whether your organisation's defenders understand what the attackers already know.