From an OSINT perspective, searching for emails can provide a treasure trove of information about your target entity. In this guide, we explore email search methodology for OSINT investigations.
Email is the most used digital medium to exchange data online. As the internet becomes readily accessible to billions of people worldwide, email usage has witnessed a tremendous boost. For instance, by 2025, it is estimated that there will be 376.4 billion emails exchanged per day worldwide.
From an OSINT perspective, searching for emails can provide a treasure trove of information about the target entity, whether individual or corporate. For instance, email can be used to:
- Reveal relationships between users within an organization or between individual users
- Leaked emails may contain valuable information about the target's work and business relationships
- Inspecting phishing emails and their malicious attachments (e.g., malware, MS Office files and PDF documents) may reveal important information about the threat actors sending these malicious campaigns
- OSINT gatherers sometimes need to search where a particular email appears online to support someone in a legal proceeding and for a compliance audit
- Email search can be a useful tool for corporate intelligence; for instance, it can reveal the target corporate hierarchy and discover how it executes its internal operations
- Discover emerging threats by monitoring phishing emails and communications between cybercriminals in the darknet forums; this enhances organizations' threat intelligence capabilities, making them more prepared for cyberattacks
In this guide, I will discuss how to find and verify email addresses. However, before we begin, let me suggest an email search methodology for OSINT investigations.
Email search methodology
A search methodology is your roadmap to plan your OSINT gathering activities. Here is a suggested plan for finding and verifying emails:
Identify your target
Identify the target you want to find emails for, whether it is an individual or an organization. We should write all possible names, usernames, aliases or email addresses we already know about our target.
Suggest usernames for the target email address
If you don’t already have an email address related to your target, then think about what your target may name their email address. For example, what will their username be if you suspect they have a Gmail account? Will they include their name, job title, company, interests and hobbies, known associates or family members, etc?
When you do not have the target email address, then you can use services such as Behind The Name to check alternative meanings of a particular name. For instance, many people use the meaning of their name in other cultures as a name for their email.
We can also use the Werelate service to find name variants.
We can also guess the target email address, especially if the email belongs to a company, by predicting the formatting patterns and common conventions. Here are some online services for predicting email format using a person's first and last name:
You can also use ChatGPT to generate email assumptions of anyone. Just craft your prompt, and it will generate them for you. Ensure that you provide your target's first and last name and the email domain name (see Figure 1).
Figure 1 - Using ChatGPT to guess email address of any person
Use advanced search
Search Google using advanced search operators to find all places where the target email appears online. This step is covered in detail later on.
Search email aggregator sites
Many websites aggregate email addresses from various online sources across the web. These services will list email addresses along with their users and provide links to the same user's alternative emails. Here are three email aggregator services:
Check data breach databases
Data breach databases will display all breached online services where a particular email address appears. This is very useful because it will allow you to find a particular email address's online activities and other social media accounts.
Search Pastebin websites
An email address could be included in a Pastebin website. Here are the most popular Pastebin websites:
You can also use the Google “site” search operator to limit your search for a specific paste bin website:
site:pastebin.com
Check WHOIS
Check WHOIS domain name registration records for domains connected to the target email address.
Search major social media platforms
Search across Facebook, LinkedIn, Instagram, Twitter and other social/professional networks the target uses to link the email address to this account or to discover new connected email addresses.
Verify your findings
Use email verification tools to ensure your found emails are valid.
Email hunting methods
Finding emails, or simply hunting them, is the process of using different search tools and techniques to find email addresses available online. There are several techniques for doing this. The following are the main ones:
Using Google
Google advanced search techniques, also known as Google dorks, are specialized search queries used to return precise information from the Google index database. Dorks can be utilized to find publicly published emails better than Google's basic search. Here are some advanced Google dorks for email search:
info:"example@example.com" | This query provides information about the specified email address.
"username@example.com" | This query searches for the specified email address.
intext:"username@example.com" | This query searches for all webpages containing the specified email address within their text.
intitle:"username@example.com" | This query looks for all webpages where the specified email address is included in their title.
inurl:"username@example.com" | This query searches for all webpages with the specified email address appearing in their URL.
filetype:txt "username@example.com" | This query searches for text files containing the specified email address. We can change the file type to any of the following types: .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx or .csv. The list of file types indexable by Google can be found here.
site:authentic8.com "username@example.com" | This query limits the search to the specified website/domain (in this example, authentic8.com) for the email address.
intext:"@authentic8.com" -site:authentic8.com | This query looks for webpages containing email addresses with the domain "authentic8.com" in the text but excludes results from the domain itself.
link:username@example.com | This query finds all webpages that contain a link to the specified email address.
related:username@example.com | This query identifies all webpages related to the specified email address.
intext:"email" OR intext:"contact" OR intext:"reach us" site:authentic8.com -inurl:contact -inurl:about
This query will search all pages within "authentic8.com" containing the word "email," "contact," or "reach us" while excluding pages with "contact" or "about" in the URL.
Finding emails on social media platforms
Many social media users put their email addresses in their bio or mention them somewhere in their account feed — such as in posts, comments, replies or when they mention someone. We can use different techniques to get these emails out of social media platforms.
Manual search
Simply access the target user profile on Facebook, Twitter or any social media site. On Facebook, you can go to the “About” >> “Contact and basic info” sections to see if the user is putting their email. On Twitter, check the bio section of the account.
We can also use ordinary search engines like Google, Yahoo! and Bing to find emails on social media platforms. For example, type:
“FirstName LastName Twitter email” to search for a user email address on Twitter.
Many users put a link to their private or business website on their profile. They may also put links to other social media accounts they have, such as their accounts on Mastodon, YouTube or Instagram (see Figure 2).
Figure 2 - A Twitter account bio section may contain links to other social media accounts in addition to private/business websites of the user.
Use Google dorks
We can also use Google Dorks to find email addresses mentioned on social media platforms:
username@example.com" site:twitter.com | This query searches for the email address on Twitter. We can change the social media platform from Twitter.com to anything we want, such as: Facebook, Instagram or TikTok.
"username@example.com" OR "contact" OR "email" site:twitter.com | I’m expanding the previous search query to include "contact" or "email" terms. As I already said, we can change the social media site to match the platform we want to search within it.
"username@example.com" OR "contact" OR "reach me" OR "get in touch" intitle:"bio" site:facebook.com OR site:twitter.com OR site:instagram.com | This search query will search within three websites: Facebook, Twitter and Instagram.
Use third-party services
You can use third-party services and web browser extensions to facilitate searching for email addresses. Here are the most popular services:
- Hunter (Has a Chrome extension)
- ZoomInfo
- RocketReach
- Slik Prospector (Chrome extension) – Finding emails on LinkedIn
- Email Extractor (Chrome extension) – Automatically extract and save email addresses from webpages
Social media monitoring services
There are online services that monitor and track mentions of specific keywords or phrases, including email addresses in major social media platforms. Here are some popular tools/online services:
- Google alert (see Figure 3): insert the target email address that you want to monitor its mention, and Google will send you an email once it appears somewhere online.
Figure 3 - Google alerts can be used to monitor the web for specific email mentions
- There are numerous social media monitoring services. These online services allow us to search for a particular mention of emails or usernames across various social media platforms. I will not mention them here as most reputable services are paid, and I do not like to recommend a specific solution.
Tools for finding and verifying emails
There are many free tools for email search and verification. Here are the most popular ones:
-
theHarveste: A command line tool used to find names, emails, IPs, subdomains and URLs by using multiple public resources
- Mosint: Another email investigation tool written in Go programming language. It searches for email across wide arrays of online sources and public databases. It can also verify and validate email addresses.
- ViewDNS: This service allows us to find if a domain name provides free email addresses (see Figure 4)
Figure 4 - Check if a domain name provides free email service for users.
- Whoxy: Find registered domain names connected with a specific email address (see Figure 5)
Figure 5 - Find all connected domain names to a particular email address
- ';--have i been pwned?: Find previous breached web accounts associated with a certain email account. This knowledge is necessary because it will reveal the websites an email user has accounts with them.
- Email Header Analyzer from MXTOOLBOX: This service extracts email header information. It is a valuable tool if you have an email that you want to investigate its associated technical information.
- EmailRep: This tool checks the reputation of the provided email address. It achieves this by searching online to check the number of reputable sources where this email appears.
Email searches reveal valuable insights into users' social and business relationships, leaked information, phishing threats, legal support and corporate intelligence. Having a structured email search methodology is vital, beginning with target identification and suggesting potential usernames for email addresses. ChatGPT aids in generating email assumptions, and later, OSINT gatherers can use a plethora of tools, online services and techniques to dig more into their investigation.
