OSINT Tool Tuesday - Emails, Breach Data, Office 365, and Bangs
3 min read

OSINT Tool Tuesday - Emails, Breach Data, Office 365, and Bangs

OSINT Tool Tuesday - Emails, Breach Data, Office 365, and Bangs

Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations including emails, social media, breach data, Office 365, and Bangs! The goal is to expand your mindset on what's possible using tools, increase your efficiency, and amplify your outcomes. Let's get started.


Profil3r is an OSINT tool that allows you to find potential profiles of a person using alternate name enumeration as well as their emails. Once emails are found, Profil3r will check to see if they are part of a breach.

Profil3r sort of combines 3 processes I was doing myself. It functions sort of the way that LinkedIn2Username does but the breach data check sort of serves like a free Hunter alternative. Although not all valid emails are breached, most old ones are at this point. It's pretty relieving to have this workflow automated.

OSINT tool that allows you to find a person’s accounts and emails + breached emails - Rog3rSm1th/Profil3r


Nixintel tweeted about a new Python script he put together that checks if a domain has a Microsoft Office 365 instance or not. Additionally, sometimes it returns additional details about the Office account type and status.

There are 3 possible results you will see from o365chk:

Unknown = No O365 instance for that domain
Federated = O365 is federated
Managed = O365 is managed directly by Microsoft

Here is a sample response checking nytimes.com:

As you can see, the New York Times has an Office 365 account directly managed by Microsoft.

Fascinating tool. It's very similar to a tool I covered two weeks ago called xeuledoc. If you're doing a domain-specific investigation or building out a network footprint, this could be a valuable addition. I'd love to see Nixintel make this a Maltego transform.

Simple Python tool to check if there is an Office 365 instance linked to a domain. - nixintel/o365chk

Facebook !Bangs

The final tool this week is rather simple, but very effective. DuckDuckGo has been expanding its !bangs to cover querying multiple aspects of certain websites. While looking into the DuckDuckGo API, I noticed a few Facebook !bangs that I hadn't seen before.

The Facebook Lite !bang will query the mbasic version of Facebook for you. Simply put !fblite <query> and it'll pull up the mbasic search page.

The Facebook over TOR !bang will take you straight to the Onion version of Facebook if you're using DuckDuckGo on Tor. Search for !fbonion <query> to open your Facebook search in Tor.

The Facebook User Page !bang will serve as a username check for a specific person on Facebook. Search for !@fb <query> to check if a Facebook profile exists or not.

If you're a regular user of DuckDuckGo, these quick shortcuts can save you a ton of time when doing OSINT investigations on Facebook.

DuckDuckGo !Bang
Search thousands of sites directly from DuckDuckGo.

Remember OSINT != tools. Tools help you plan and collect data, but the end result of that tool is not OSINT. You have to analyze, receive feedback, refine, and produce a final, actionable product of value before you can call it intelligence.

Thanks for reading. If you enjoyed this post, make sure to subscribe. A new one just like this will be posted every Tuesday at 6:00 PM UTC-5:00.

Enjoying these posts? Subscribe for more