🎣 #PacketHunters – Exposure surface mapping: how much of your company is visible in 20 minutes?

So, before a single phishing email is sent, the damage is already done, and it all starts with your Google account.

Or LinkedIn. GitHub, Pastebin, Shodan, your careers page and your SPF record.
Phishing success is rarely about persuasion alone. It’s about context – and context is built from exposure.

So let’s do something useful: let’s map what’s publicly visible about a company in 20 minutes (ethically, legally, using open sources only: no exploits, no intrusion, just pure OSINT).

Step 1: employee enumeration via LinkedIn

We are not bypassing controls or automating login; we are just using publicly accessible search results.
Example approach (high-level and compliant with platform terms):


import requests
from bs4 import BeautifulSoup
from urllib.parse import quote

query = 'site:linkedin.com/in "Acme Corp" "@acmecorp.com"'
url = f"https://www.bing.com/search?q={quote(query)}"

# Plain browser-like headers; no login and no automation of the platform itself
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Accept-Language": "en-US,en;q=0.9"
}

resp = requests.get(url, headers=headers, timeout=15)
resp.raise_for_status()
soup = BeautifulSoup(resp.text, "html.parser")

# Each Bing result sits in <li class="b_algo">; the selector depends on Bing's current markup
results = soup.find_all("li", class_="b_algo")
for r in results[:10]:
    h2 = r.find("h2")
    if h2:  # prevent NoneType crash on results without a title
        print(h2.text)

What does this give us?

  • employee names
  • their roles (IT admin, HR manager, finance officer)
  • seniority level
  • also technologies mentioned in profiles

That’s targeting data.
Now imagine combining that with breach corpus data from past leaks, and suddenly attackers have name + role + email pattern.
Great combo!

Step 2: email pattern inference

Most companies follow predictable structures, mostly because they have many employees and – trust me – it’s also vanity and recognition.

Using just 3 to 5 confirmed emails from public documents or data leaks, you can infer the pattern.
Let’s see:

def guess_email_pattern(name, domain):
    # Take the first and last tokens so a middle name does not break the unpack
    parts = name.lower().split()
    first, last = parts[0], parts[-1]
    patterns = [
        f"{first}.{last}@{domain}",     # john.doe@
        f"{first[0]}.{last}@{domain}",  # j.doe@
        f"{first}{last}@{domain}"       # johndoe@
    ]
    return patterns

print(guess_email_pattern("John Doe", "acmecorp.com"))

No brute force, just probability; it gets close enough in accuracy – and phishing doesn’t require 100% accuracy. It requires “good enough” (I could also quote this, but.. ok, if you know you know 😎)

Step 3: infrastructure fingerprinting via Shodan

Shodan is not boogie wonderland, it’s a search engine for exposed services.
Here are some query examples:

org:"Acme Corp"
ssl:"acmecorp.com"
hostname:"vpn.acmecorp.com"

What are we looking for:

  • exposed VPN portals
  • outdated mail gateways
  • OWA login pages
  • Citrix instances
  • misconfigured SMTP banners (there are still a lot of them!)

Each of these becomes narrative fuel for spear phishing:

Your VPN certificate expires today.
Citrix access reset required.
New Microsoft 365 login detected.

Context = credibility.
That’s the same effort we put into our awareness courses, so bear in mind we’re always up to date with threat landscapes.

Step 4: GitHub leakage

Developers overshare – please do not hesitate to stop me on this, but.. hey, not maliciously, just habitually!
See these search queries:

"@acmecorp.com" filename:.env
"acmecorp" password
"acmecorp.com" smtp

Even without exposed secrets, what we can learn:

  • internal project names
  • dev stack
  • cloud provider
  • third-party vendors

A fake AWS alert hits harder if the company actually uses AWS.
Credibility. Credibility. Credibility.

What I’ve found in 20 minutes (typical mid-size org)

In a real exposure mapping exercise for a 300-person EU company, I identified:

  • 127 employee names + roles (almost half, huh!)
  • confirmed email format
  • public VPN endpoint
  • O365 tenant ID
  • 2 internal project names
  • HR manager active on LinkedIn daily (flexing fishing, I mean real fish with lens and water!)

No intrusion and no alerts triggered.
Just EX-PO-SU-RE.

Defensive move?

Before you simulate phishing, map exposure.
Here are 4 questions to answer:

  • can someone infer your email pattern in under 10 minutes?
  • are your critical roles publicly identifiable?
  • are your remote access portals indexed?
  • does your leadership overshare on social platforms?
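To answer the first question against your own directory, here is an added example (not code from the original post) that takes a handful of confirmed name/address pairs, votes each candidate template against them, and reports whether one template explains most of them; the sample data and threshold are constructed for illustration.

```python
import unicodedata
from collections import Counter

# Candidate local-part templates, each a function of (first, last)
TEMPLATES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "last.first": lambda f, l: f"{l}.{f}",
}

def split_name(name):
    """Fold accents to ASCII, lowercase, keep first and last token (middle names ignored)."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    parts = folded.lower().split()
    return parts[0], parts[-1]

def infer_pattern(samples):
    """samples: list of (full name, confirmed address). Returns (best label, matches, total)."""
    votes = Counter()
    for name, email in samples:
        first, last = split_name(name)
        local = email.lower().split("@", 1)[0]
        for label, fn in TEMPLATES.items():
            if fn(first, last) == local:
                votes[label] += 1
    if not votes:
        return None, 0, len(samples)
    label, hits = votes.most_common(1)[0]
    return label, hits, len(samples)

def trivially_inferable(samples, min_share=0.6):
    """True when a single template explains at least min_share of the confirmed addresses."""
    _, hits, total = infer_pattern(samples)
    return total > 0 and hits / total >= min_share

def predict(name, domain, label):
    """Address that follows from a name once the template is known (what a guesser would try)."""
    first, last = split_name(name)
    return f"{TEMPLATES[label](first, last)}@{domain}"

# Constructed sample: three addresses on one template plus one legacy outlier
SAMPLES = [
    ("Jane Smith", "jane.smith@acmecorp.com"),
    ("John Doe", "john.doe@acmecorp.com"),
    ("Maria Garcia Lopez", "maria.lopez@acmecorp.com"),
    ("Ahmed Khan", "akhan@acmecorp.com"),
]
```

If `trivially_inferable` returns True for your own sample, the email pattern is not a secret and awareness material should assume senders already know it.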

Phishing simulations without exposure analysis are incomplete.
Totally useless!
