Inbox Intel: How to Use Emails for OSINT

Picture this: a single email address - just a string of characters punctuated by an '@'. Seems simple, doesn't it? But when it comes to OSINT, that humble email address can yield enough intelligence to make Sherlock Holmes jealous!

Every email address tells a story. If you’re a cybersecurity expert tracking down threats, a journalist piecing together an investigation, or a fledgling employer doing background checks, knowing how to use email addresses for OSINT will be key to finding much-needed information. From finding linked social media accounts and breach history to revealing location data and online behaviour, the potential for gathering inbox intelligence is almost endless - if you know where and how to look for it.

‍

What is Email OSINT?

Email OSINT (Open-Source Intelligence) is the process of gathering publicly available data linked to an email address for investigative purposes. This is a crucial tool in cybersecurity, fraud detection, and investigations, allowing analysts to gather vital information just by examining an email’s associations with social media accounts, online services, and data breaches. With our specialised tool, investigators can identify the individual or entity behind an email, track their digital footprint, and assess potential security risks based on the historical breach activities discovered.

At OSINT Industries, our tool is a go-to resource for law enforcement agencies, journalists, government agencies, and non-profit organisations who want to conduct email OSINT investigations. 

You might be wondering ‘Why us’! To break the ice, it’s worth explaining that our OSINT Tool helps extract detailed information tied to an email super fast; intel such as linked social media accounts, account ages names or pseudonyms, partial phone numbers, and any known breach information (thanks to our API access to Have I Been Pwned). We do this instantly, in real-time. Our platform allows investigators to immediately map, with user-friendly graphics, whether a subject email is linked to numerous online services or social profiles, providing information about the person’s online behaviour or preferences with ease.

Verification techniques for email OSINT include using password reset functions on websites like Facebook and Twitter to confirm account existence and associated details. OSINT Industries’ OSINT tool is built upon this principle, but it’s a little more complicated than that (as we’ll explain later).

‍

How Can I Extract Information from Emails?

One of the most effective ways to extract information from emails is on popular search engines like Google. This is known as ‘Google dorking’. By inputting an email address in quotation marks (i.e. "example@email.com"), you can filter results that specifically mention the email you want to find. This simple method can reveal connections such as past forum posts, public documents, or social media mentions tied to the email address. OSINT Industries now features an integrated button that will start a ‘dork’ for you!

Another technique is to use the password reset functionality of popular websites like Facebook, Twitter, or Instagram. By entering an email into the "Forgot Password field, you can confirm whether the email is associated with an account on these platforms. Easy! Some sites might display partial information about the account too, such as usernames or even partial phone numbers, which can offer crucial investigative leads without exposing sensitive data.

Additionally, exploring email headers is another advanced (but useful) manual technique.

Email headers contain metadata such as the IP address of the sender, the mail server used, and the originating domain. By analysing this metadata, you can trace the geographical origin of the email address, confirm if it's from a trusted source, and even identify potentially malicious actors. Tools like online IP lookups and reverse DNS services can then help investigate the email’s route across different servers, adding more colours to your paintbox as you sketch a picture of your subject.

Then there’s another way: user-friendly and automated. Using an OSINT automation tool like OSINT Industries, you can simply input a target email, and sit back and relax as our platform scours over 500 websites to check for any registered accounts. If the person of interest (POI) is signed up on specific platforms like Strava (a running app), Airbnb, Duolingo, or Google Reviews, OSINT Industries will reveal their activity and potentially their location using modules that feed into handy geo- and temporal- focused graphics. This approach not only saves time but broadens your investigation by tapping into a vast range of online services all at once. 

How Much Can I Learn From an Email Address?

An email address can reveal a surprising amount of information, especially when using Open-Source Intelligence (OSINT) tools. Here's a breakdown of what you can find.

Basic Personal Information

The simplest data you can extract from an email is personal details like the owner’s name, location, or even profile pictures. Many services tie personal data to email addresses during the sign-up process, making it possible to track down public-facing profiles. For instance, Google searches with the email in quotation marks (‘dorking’) can often reveal social media accounts, public databases, or websites that the person may have registered with. Public mentions of an email can also be found in forums, newsletters, or blog comments, helping you connect an email to a real individual. With some social media platforms, like Facebook or LinkedIn, you can sometimes directly search on-platform for users based on their email, and identify profiles that include name, work history, and more.

Associated Online Accounts

One of the most valuable things you can learn from an email is the online services it's tied to. By entering the email address into the password recovery forms of popular platforms (such as Facebook, Twitter, or LinkedIn), you can often confirm whether an account exists. While these platforms don't provide full details, they usually display partial information about the account, such as the username or parts of the phone number. By linking an email address to multiple services, you can build a picture of a person’s digital footprint. This process can help verify if your target is active on social networks, professional platforms, or even niche sites like gaming forums, shopping websites, or specific apps like Strava or Airbnb​.

Social Media Presence

With just an email, you can trace a person’s social media presence across platforms. Many social media platforms allow you to search by email to find user profiles. Once you find these profiles, you can investigate their public posts, interactions, friends, and even real-world activities. OSINT investigators can often discover patterns in a person’s behaviour, interests, and connections through this method. More advanced techniques, such as scraping public social media activity tied to an email, can reveal check-ins, events attended, or even location data, especially if the user hasn't taken extra privacy measures. For instance, apps like Strava, which logs running or cycling routes, may expose a person’s physical movement or frequently visited locations.

Domain Ownership

When an email address is linked to a custom domain (i.e.‘name@company.com’), it becomes possible to gather professional data about the email owner. Using a WHOIS lookup, you can access details about the domain registrant, including the registration date, IP address, physical address, and sometimes phone numbers, depending on the privacy settings deployed. This technique is particularly useful when investigating corporate emails or professionals in specific industries. In addition to WHOIS lookups, email addresses tied to companies often appear in press releases, public documents, or employee directories, further revealing the individual’s role within an organisation.

Digital Footprints in Data Breaches

Data breaches are a significant source of information when investigating email addresses. Services like Have I Been Pwned or Dehashed allow you to search if an email has been involved in known breaches. If an email address appears in a data breach, it can reveal additional details such as passwords, linked usernames, and even specific accounts registered under that email. This method helps investigators understand the breadth of the person’s online activity and whether their data has been exposed to malicious actors. 

Fraud Detection and Cybersecurity Risks

Cybersecurity analysts can extract a wealth of technical information from an email address. Email headers, for instance, contain metadata like the originating IP address, the mail servers used, and timestamps, all of which can help trace the origin of the email. This method is commonly used in fraud detection, as it helps determine if an email has been spoofed or if phishing attempts are being made. By analysing headers and tracking the routes taken by the email across different servers, it's possible to find out the geographic location of the sender and determine whether the email originated from a legitimate source or a malicious actor.

‍

Legal and Ethical Considerations

We’re dealing with the collection, use, and distribution of personal information obtained through email addresses. This means email OSINT, like all other forms of Open-Source Intelligence gathering, raises several important legal and ethical considerations. Here’s an overview of key legal frameworks and ethical principles that govern this practice.

Privacy Laws (GDPR, CCPA)

The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. are two key privacy laws that regulate the collection and handling of personal data, including email addresses. GDPR, in particular, outlines strict rules on the lawful processing of personal data, which includes obtaining, storing, and using an individual’s email address. According to GDPR, using an email address without explicit consent or a legitimate reason violates the law and could result in hefty fines. Similarly, the CCPA provides California residents with rights over their data, requiring transparency on how it’s collected and used. If an email is used to track personal information without permission, it may violate both of these regulations.

GDPR Article 6 covers lawful bases for data processing, meaning that unless you have consent or a legitimate reason, using emails for investigative purposes may breach privacy rights. In the U.S., the Electronic Communications Privacy Act (ECPA) also provides protections against unauthorised access to email communications​.

Cybercrime Laws (CFAA, Computer Misuse Act)

When engaging in email OSINT, especially advanced techniques like extracting metadata or searching through breaches, it is essential to be aware of cybercrime legislation. In the United States, the Computer Fraud and Abuse Act (CFAA) makes it illegal to access computer systems without authorisation, which can be applied to obtaining email information from restricted databases or using hacking techniques to retrieve additional data.

In the U.K., the Computer Misuse Act of 1990 criminalises unauthorised access to computers, including using tools or tactics to retrieve information from email addresses unlawfully. OSINT practitioners must ensure they don’t cross the line into illegal hacking, as breaching this law can lead to severe legal consequences​.

Ethical Considerations

Beyond legal boundaries, ethical considerations must also be taken into account when performing email OSINT. Even if the information gathered is technically publicly available, using it responsibly is a must. For instance, using an email to identify personal information like physical locations or social connections without a clear, ethical justification could lead to privacy violations or even accusations of stalking accusations. Many OSINT experts advocate for the principle of proportionality, meaning the data collected should be appropriate to the investigation’s purpose and not overly intrusive.

Ethical OSINT practitioners should adhere to the following three tenets:

• Transparency: Making sure that the subject knows or can easily find out how their data is being used.
• Data Minimisation: Only collecting the minimum amount of information necessary for the purpose at hand.
• Responsibility: Avoiding actions that could harm the subject, such as exposing personal or sensitive information to the public unnecessarily.

Email OSINT must be conducted within the framework of privacy and cybercrime laws like GDPR, CCPA, CFAA, and the Computer Misuse Act. Additionally, ethical considerations like transparency, data minimisation, and responsible use are vital to ensure investigations respect individuals’ privacy and rights.