Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-004 Email Pattern Harvesting
What This Breach Pattern Is
Email Pattern Harvesting is the systematic collection and validation of an organization's email and username structure. Attackers exploit public sources including LinkedIn profiles, GitHub commits, leaked databases, marketing materials, helpdesk portals, open contact forms, password reset pages, and conference speaker lists to map naming conventions.
Once attackers understand your patterns—such as firstname.lastname, f.lastname, or [email protected]—they can generate thousands of valid identity candidates. This reconnaissance drastically increases the success rate of password spraying, phishing campaigns, MFA fatigue attacks, and credential-stuffing operations, making it a critical precursor to broader identity compromise.
Common Sources
  • Public websites
  • LinkedIn profiles
  • GitHub commits
  • Leaked databases
  • Marketing materials
  • Helpdesk portals
  • Password reset pages
  • Conference listings
Attacker Objectives
Identity Mapping
Map an organization's username and email formats to understand naming conventions across departments and user types.
User Differentiation
Distinguish contractors from employees, identify executive accounts, and locate privileged user patterns.
Bulk Generation
Generate comprehensive UPN lists for spraying attacks and identify stale or legacy naming formats.
Service Discovery
Enumerate service account naming patterns and detect shared mailbox naming logic for lateral movement.

This pattern bridges Reconnaissance → Enumeration → Credential Acquisition, making it a foundational step in identity-based attacks.
Misconfigurations That Enable BP-004
Organizations inadvertently expose email patterns through common identity infrastructure misconfigurations. Understanding these weaknesses is essential for hardening your defensive posture against reconnaissance activities.
1. MC-001 — Publicly Exposed User Identifiers
Password reset pages and login portals reveal email structure through error messages and autocomplete behavior, allowing attackers to validate patterns without authentication.
2. MC-075 — Weak Network Segmentation
Open identity endpoints lack proper segmentation, leaking naming behavior via verbose error messages and timing differences in responses.
3. MC-146 — Inconsistent Identity Trust Boundaries
Federation endpoints expose UPN patterns indirectly through SAML responses, OAuth flows, and trust relationship metadata.
Detection & Identity Attack Chain
Detection Signals
DL-009 — Repeated Failed Lookups
Detects probes attempting to validate email and UPN guesses against identity endpoints.
DL-010 — High-Volume Naming Probes
Identifies attempts to test multiple naming formats at scale using automated tools.
DL-001 — External Enumeration Behavior
Captures bulk harvesting automation originating from external threat actors.
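As an added example (not the framework's own code), the following Python implements DL-009 and DL-010 as detection logic over constructed password-reset lookup logs: it counts, per source address, how many distinct identifiers failed lookup and how many different naming formats were tried. The log format, the field names, the three naming-format classes and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page): "ts src_ip endpoint user lookup_result".
# One source cycles through first.last, f.last and no-dot variants for two people.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z 203.0.113.7 /reset john.smith@example.org not_found
2026-01-10T09:00:02Z 203.0.113.7 /reset j.smith@example.org not_found
2026-01-10T09:00:03Z 203.0.113.7 /reset jsmith@example.org ok
2026-01-10T09:00:04Z 203.0.113.7 /reset smithj@example.org not_found
2026-01-10T09:00:05Z 203.0.113.7 /reset jane.doe@example.org not_found
2026-01-10T09:00:06Z 203.0.113.7 /reset j.doe@example.org not_found
2026-01-10T09:05:00Z 198.51.100.4 /reset alice.wong@example.org ok
"""

# Assumed naming-format classes for the local part; f.last must be tested before first.last.
FORMATS = (
    ("f.last", re.compile(r"^[a-z]\.[a-z]{2,}$")),
    ("first.last", re.compile(r"^[a-z]{2,}\.[a-z]{2,}$")),
    ("nodot", re.compile(r"^[a-z]{2,}$")),  # flast, firstlast, lastf ...
)

def classify(local_part):
    """Return the naming format a local part appears to follow, or 'other'."""
    for name, rx in FORMATS:
        if rx.match(local_part):
            return name
    return "other"

def detect(log_text, fail_threshold=3, format_threshold=2):
    """Return {src_ip: [signal, ...]} for sources tripping DL-009 and/or DL-010."""
    failed = defaultdict(set)   # ip -> distinct identifiers whose lookup failed (DL-009)
    formats = defaultdict(set)  # ip -> distinct naming formats probed (DL-010)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the detector
        _ts, ip, _endpoint, user, result = fields
        if result != "ok":
            failed[ip].add(user.lower())
        formats[ip].add(classify(user.split("@", 1)[0].lower()))
    alerts = {}
    for ip in formats:
        signals = []
        if len(failed[ip]) >= fail_threshold:
            signals.append("DL-009")
        if len(formats[ip]) >= format_threshold:
            signals.append("DL-010")
        if signals:
            alerts[ip] = signals
    return alerts
```

Even after the user-facing reset response has been made uniform (the MC-001 fix), the server should still record the internal lookup result, since that field is what DL-009 keys on.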
Attack Chain Mapping
Stage 1: Reconnaissance
Stage 2: Identity Enumeration
Stage 3: Credential Acquisition
Email pattern harvesting is a critical precursor step that amplifies the effectiveness of spraying and phishing campaigns.
Threat Actors Using This Pattern
Multiple sophisticated threat actors leverage email pattern harvesting as a foundational reconnaissance technique. Understanding their tactics helps prioritize defensive investments.
APT28 (ICTAM-002)
Large-scale UPN harvesting operations targeting government and enterprise organizations for credential spraying campaigns
Hive (ICTAM-015)
Building bulk identity lists for password spraying attacks that precede ransomware deployment
MuddyWater (ICTAM-007)
Sophisticated phishing list generation using harvested patterns to increase campaign effectiveness
Cloud Identity Drifter (ICTAM-021)
Opportunistic identity mapping across cloud tenants for multi-stage attacks
Executive Threat Storylines
ETS-001 — Cloud Tenant Discovery → Credential Attack Chain
ETS-003 — Machine Token Theft → Cloud Escalation
