Don’t use corporate email for your personal life

Lee Parkes 09 Apr 2025

TL;DR

  • People use whatever is convenient.
  • Segregation of work and personal matters is a key part of security. Using corporate addresses tramples on this separation.
  • Corporate email addresses should be treated with the same care as sensitive corporate information.
  • Create an Acceptable Use Policy that details what users can and can’t do and include email addresses.
  • Use technical solutions such as blocking email domains (even if they’re from otherwise legitimate sources).

Introduction

If you want to register for a service or platform, you need an email address. But what happens if someone uses their corporate address?

  1. If the third-party service is compromised, the corporate email address and that person’s password can be exposed.
  2. A common risk here is password reuse. We’re not good at remembering lots of passwords, so using the same one for work, banking, and other accounts is fairly common.
  3. The organisation’s email address format is now confirmed, although formats are usually guessable anyway.

The what and the how

If a third party is breached, anyone who registered with a corporate email address is at risk. Email addresses are useful for all sorts of attacks that could be mounted against an organisation:

Password abuse

Credential stuffing. This is where an attacker tries to use the credentials from a breach against one or more targets.

Password spraying. Sending those juicy purloined credentials across a wide range of targets in the hope that one of them can be accessed.

Brute force attacks. Having a legitimate email address means that an attacker can try to force their way into a system by trying different passwords. They may get lucky and guess a password in a few tries, or they may lock out an account. If they get lucky, they have access to the environment and the potential to further their attack.

Social Engineering

Having a valid email address is useful to an attacker trying to trick someone into providing more details. If an attacker has that, and is convincing enough, they can sometimes gain further access into a system. For example, calling the Helpdesk to ask for a password reset. Phishing attacks require legitimate email addresses, and that is the first step in setting up a phishing campaign. I’m no social engineer, but some of my colleagues are masters of this craft.

Denial-of-Service

An attacker could use the email address to lock a user out of their services. As remote working is common, users require access to company resources via VPNs, virtual desktops, or systems like Single Sign-On. If an attacker can lock someone’s account, it prevents them from working.

It may also be possible to overload the system itself, as there is an overhead to processing any data sent to a service. How big a problem this is depends on how IT treats account lockout. A sensible policy should get someone back up and running within 30 minutes, which is a fairly short time for a human but an eternity when it comes to password guessing.
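The password abuse and lockout scenarios above are visible in sign-in logs if you look for the right shape: one source failing against many accounts (spraying) versus many failures against one account (brute force, and the lockout it causes). This is an added detection example, not code from the original post; the log format and the sample lines are constructed.

```python
"""Flag password spraying and lockout-style brute force in sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format assumed: timestamp, result,
# account, source IP. One source tries many accounts (spraying); another
# hammers one account, which is what trips lockout.
SAMPLE_LOG = """\
2025-04-09T08:00:01 FAIL alice@example.com 203.0.113.10
2025-04-09T08:00:03 FAIL bob@example.com 203.0.113.10
2025-04-09T08:00:05 FAIL carol@example.com 203.0.113.10
2025-04-09T08:00:07 FAIL dave@example.com 203.0.113.10
2025-04-09T08:00:09 FAIL erin@example.com 203.0.113.10
2025-04-09T08:01:00 FAIL alice@example.com 198.51.100.7
2025-04-09T08:01:02 FAIL alice@example.com 198.51.100.7
2025-04-09T08:01:04 FAIL alice@example.com 198.51.100.7
2025-04-09T08:01:06 FAIL alice@example.com 198.51.100.7
2025-04-09T08:01:08 FAIL alice@example.com 198.51.100.7
2025-04-09T08:05:00 OK bob@example.com 192.0.2.20
"""

def parse(text):
    """Yield (timestamp, result, account, source) for each log line."""
    for line in text.splitlines():
        ts, result, account, src = line.split()
        yield datetime.fromisoformat(ts), result, account.lower(), src

def _peak(events, window, distinct):
    """Largest number of events (or distinct values) in any sliding window."""
    events.sort()
    peak = 0
    for i, (start, _) in enumerate(events):
        inside = [v for ts, v in events[i:] if ts - start <= window]
        peak = max(peak, len(set(inside)) if distinct else len(inside))
    return peak

def detect(text, window=timedelta(minutes=10), spray_min=5, lockout_min=5):
    """Return (sources that look like spraying, accounts at lockout risk)."""
    by_src, by_acct = defaultdict(list), defaultdict(list)
    for ts, result, account, src in parse(text):
        if result == "FAIL":
            by_src[src].append((ts, account))   # spraying: many accounts per source
            by_acct[account].append((ts, src))  # lockout: many failures per account
    spraying = {s for s, ev in by_src.items() if _peak(ev, window, True) >= spray_min}
    lockout = {a for a, ev in by_acct.items() if _peak(ev, window, False) >= lockout_min}
    return spraying, lockout

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Tune the thresholds to your own lockout policy: the lockout set is the list of users the helpdesk should expect calls from, and the spraying set is what to block at the perimeter.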

Blackmail and reputational issues

This would depend on the site that the email address has been used for; in the Ashley Madison data breach there were serious repercussions. Another problem is an employee using their company email address for social media and posting content that could harm the company’s reputation.

Attackers use Open Source Intelligence (OSINT) gathering techniques to discover information about a target. Information disclosure from breaches is a good way for an attacker to gather email addresses.

What should be done about it?

It’s almost impossible to prevent users from using their corporate email address for non-work related services. For some people it’s the only email address they have. However, users should be encouraged to use a personal email address that has no link to their employer. Whilst not quite as sensitive as a password, an email address is a useful piece of the puzzle that can provide a view of the bigger picture.

There are a few ways that this can be done:

  • The critical part is an Acceptable Use Policy that all employees are required to adhere to. This provides a framework that an employee can use to know what is acceptable. This not only covers accessing inappropriate websites but also where they can and can’t use company resources. Although it may seem slightly odd to call an email address a company resource, it definitely is.
  • Enforcing email address use is a lot harder than implementing technical controls such as preventing users from downloading malware-laden documents. Using your mail server to block incoming email from specific external mail servers is one way. If you don’t want users using their corporate email address for social media, for example, talk to your mail administrator about blocking incoming emails from those services. Start with the usual suspects and move on from there.
  • All externally accessible systems should enforce multi-factor authentication (MFA) in combination with conditional access policies. MFA helps to prevent an attacker from brute forcing an account even if they do have a valid email address and, potentially, a password to use; conditional access adds an extra layer of control by enforcing policies based on user location, device, risk level, or sign-in behaviour.
  • We recommend using either a Time-based One-Time Password (TOTP) or Fast IDentity Online (FIDO) as the second factor, as they are more secure.
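The mail-server blocking suggested above can be made concrete in two steps: find out which corporate mailboxes are already receiving mail from the "usual suspects", then hand the mail administrator a blocklist in Postfix's access(5) table format. This is an added example, not code from the original post or from any product; the blocked domains, mail records and corporate domain are all constructed placeholders.

```python
"""Find corporate mailboxes receiving mail from blocked consumer services and
render the blocklist as a Postfix check_sender_access table."""
from collections import defaultdict

CORP_DOMAIN = "example.com"  # constructed placeholder for your own domain

# Constructed blocklist of the "usual suspects"; replace with real domains.
BLOCKED_SENDER_DOMAINS = ["social.example", "dating.example", "shop.example"]

# Constructed inbound mail records: (envelope sender, recipient).
SAMPLE_MAIL = [
    ("noreply@social.example", "alice@example.com"),
    ("alerts@mail.social.example", "Alice@example.com"),
    ("no-reply@dating.example", "bob@example.com"),
    ("invoices@supplier.example", "bob@example.com"),
    ("news@shop.example", "carol@partner.example"),  # not a corporate mailbox
]

def domain_of(addr):
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()

def is_blocked(domain):
    """True for a listed domain or any subdomain of it (Postfix's default matching)."""
    return any(domain == b or domain.endswith("." + b) for b in BLOCKED_SENDER_DOMAINS)

def offending_mailboxes(records):
    """Map each corporate recipient to the blocked sender domains mailing it."""
    hits = defaultdict(set)
    for sender, rcpt in records:
        if domain_of(rcpt) == CORP_DOMAIN and is_blocked(domain_of(sender)):
            hits[rcpt.lower()].add(domain_of(sender))
    return dict(hits)

def postfix_sender_access():
    """access(5) table: one 'domain REJECT reason' line per blocked domain."""
    reason = "REJECT Personal services may not use a corporate email address"
    return "".join(f"{d}\t{reason}\n" for d in BLOCKED_SENDER_DOMAINS)

if __name__ == "__main__":
    for rcpt, doms in sorted(offending_mailboxes(SAMPLE_MAIL).items()):
        print(f"{rcpt}: {', '.join(sorted(doms))}")  # who to contact under the AUP
    print(postfix_sender_access(), end="")
```

Install the rendered table with `postmap /etc/postfix/sender_access` and reference it as `check_sender_access hash:/etc/postfix/sender_access` in `smtpd_sender_restrictions`; the user then never receives the service's verification or password-reset mail, which is the enforcement point.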

Resources

Here’s some excellent advice on MFA:

More information on TOTP and FIDO: