The normal, non S.E, route I would have taken in this scenario is first do a dns bruteforce to try to find what servers the company has, and if any of them is named mail.companyname.com or similar, then I would have done a daemon fingerprint on the most promising servers with tools like nmap.
I would also try to send a mail to they'r support or customer relations department asking a easy and simple question, and examined the mail header of the replay for any clues.
If the company has any offices i driving distance from my location, I would also pack my war driving kit, take a field trip, try to access the network, and ARP poision it, and capture the packets, to see which sites and which protocols the staff uses.