In this article, we elaborate how we managed to identify hidden internal email gateways by relying on various open-source intelligence (OSINT) data sources for our direct email spool attack research. Prerequisites of the Direct Email Spool Attack Normally, direct email spool attacks should not work as the major email security solution vendors advise customers to lock down their local email services and publish network ranges belonging to their service to enable administrators to lock down local email services. Local email servers should only accept emails from the upstream email security solution. Bad actors can circumvent email security solutions by feeding emails directly to the local email server As the diagram shows, the list of requirements to carry out a successful direct email spool attack is relatively short. We only need three things: The hostname of the local email server running behind the email security solution; An email server feeding the emails directly....