When most organizations think about phishing attacks, they focus on the email: the malicious link, the fake login page, the compromised account. In reality, the attack often begins weeks or even months earlier. Before an attacker sends a single message, they typically conduct reconnaissance.
They identify employees, map business relationships, study technology platforms, and gather publicly available information that can later be used to build trust and credibility.
The phishing email is simply the final stage of a much larger intelligence-gathering process. The uncomfortable reality is that many organizations unknowingly provide attackers with most of the information they need.
Open-source intelligence is not hacking
Open-Source Intelligence, commonly referred to as OSINT, involves collecting and analysing information from publicly available sources. Investigators use OSINT to understand people, organizations, relationships, and events.
Threat actors use many of the same techniques. Importantly, this process does not require hacking. No systems need to be compromised. No passwords need to be stolen.
Much of the information required to build a convincing phishing campaign is often freely available online. The challenge is not access. The challenge is connecting the pieces.
Building a target profile
Imagine an attacker targeting a mid-sized company. Within a relatively short period, they may be able to identify:
- Key executives
- Department managers
- Sales personnel
- Finance personnel
- Human resources staff
- IT administrators
- External consultants
- Major customers
- Strategic suppliers
None of this information may be sensitive on its own. Together, however, it creates a detailed picture of how the organization operates. This information allows attackers to select the most effective targets and develop believable attack scenarios.
The corporate website
- Employee names
- Job titles
- Department structures
- Contact information
- Vendor relationships
- Customer success stories
- Technology partnerships
An attacker reviewing a website can often identify exactly who should receive a particular phishing email. A fake invoice may be sent to accounting. A fake employment application may target human resources. A fake contract review may be directed toward legal staff.
The attack becomes more effective because it aligns with the recipient’s responsibilities.
Professional networking platform
Professional networking sites provide another valuable source of intelligence. Employees frequently publish information about:
- Current roles
- Previous employers
- Certifications
- Technology platforms
- Internal platforms
- Internal projects
- Business achievements
An attacker can use this information to create highly personalized messages.
Consider the difference between: “Please review the attached document.” and “Please review the updated Microsoft 365 migration plan discussed during the cloud modernization project.”
The second message appears far more credible because it references information that may already be publicly available.
Social media and daily operations
Social media platforms provide insight into organizational activities that would otherwise remain unknown. Employees often share:
- Conferences attended
- Customer meetings
- New partnerships
- Product launches
- Business travel
- Team events
These seemingly harmless posts can provide attackers with timing and context. If employees are discussing an upcoming conference, an attacker may distribute fake conference schedules.
If a company announces a new supplier relationship, attackers may impersonate that supplier. The objective is always the same. Create a message that feels expected.
Understanding business relationships
One of the most valuable pieces of intelligence available to attackers is understanding who trusts whom. Modern phishing attacks frequently exploit existing relationships between:
- Customers and vendors
- Employers and employees
- Contractors and clients
- Financial institutions and customers
- Technology providers and clients
The scenario discussed throughout this series is a perfect example. The phishing email appeared to originate from a legitimate customer. The attacker understood that existing trust relationship. Rather than convincing recipients to trust a stranger, they leveraged trust that already existed.
This dramatically increases the likelihood of success.
Technology footprinting
Attackers often seek to identify which technologies an organization uses. Public information may reveal:
- Microsoft 365 deployments
- Cloud providers
- Security products
- Website technologies
- Collaboration platforms
Knowing that an organization uses Microsoft 365 allows attackers to create realistic OneDrive, SharePoint, Teams, or Outlook-themed phishing campaigns. Knowing which technologies are present removes guesswork and improves credibility.
The more accurately an attacker can imitate normal business operations, the more effective the attack becomes.
The value of email intelligence
Many organizations use predictable email formats.
Examples include:
These patterns are often easy to identify.
Once an attacker understands the format, they can build lists of potential targets and create highly targeted phishing campaigns. Combined with publicly available employee information, this creates a powerful targeting capability.
The vendor and customer problem
Organizations often focus their security efforts inward. Unfortunately, attackers rarely limit themselves to internal employees. Customers and vendors frequently represent attractive targets because:
- Trust relationships already exist
- Verification processes may be weaker
- Security maturity varies significantly
- Communications are often expected
Why exposure assessment matters
Many organizations are surprised by the amount of information that can be collected about them without accessing a single internal system.
Exposure assessments attempt to answer important questions:
- What information is publicly available?
- Which employees are highly visible?
- What business relationships can be identified?
- Which technologies can be observed?
- What attack scenarios are most plausible?
These assessments allow organizations to view themselves from an attacker’s perspective. The goal is not eliminating public visibility. It’s understanding how information can be combined and weaponized.
A different way to think about security
Traditional security often focuses on protecting internal systems with firewalls, endpoint protection, identity controls. These remain important. However, modern phishing attacks frequently begin outside the organization’s perimeter.
The attacker starts with publicly available information and gradually builds an intelligence picture before launching the attack.
Understanding this process allows organizations to identify risks long before malicious emails appear in employee inboxes.
Where OSINT investigations add value
When organizations experience phishing attacks, they often focus exclusively on the technical indicators. Yet many of the answers exist outside the compromised environment.
Questions worth investigating include:
- Why were these individuals selected?
- Which business relationships were exploited?
- What public information supported the attack?
- Were customers or vendors also targeted?
- Is the campaign part of a larger pattern?
OSINT investigations help answer these questions by examining the intelligence-gathering phase that preceded the attack.
This broader perspective often reveals opportunities to reduce future risk, strengthen vendor security practices, and improve awareness of organizational exposure.
Looking ahead
Attackers invest considerable effort into making phishing emails appear legitimate. The most effective defence is not simply teaching employees what to avoid. It is reducing opportunities for attackers to build convincing stories in the first place.
In the next article, we will shift from understanding the attacker’s perspective to strengthening the defender’s position. We will examine practical measures organizations can implement to reduce the likelihood of successful OneDrive, SharePoint, and Microsoft 365 phishing attacks before they reach employees, customers, and vendors.