"On one visit Doug couldn't help but notice a multifunction laser printer that had been hooked up to a neighbouring network, but left wide open to the world."
"So one day Doug dug into the printer's web interface and figured out how enough about the network to which it was connected to learn the name of the company that owned it"
"And because he knew enough about the company to also send a document to the printer by email..."
Er... which is it? Is it open to the world, or did it have the print-by-email switched on? Was it open to the network and exposing the address book, or was the web interface open, or was it browseable?
Because something doesn't add up here, as an anecdote.
If the printer is insecure, and you SEE THE PRINTER, leave a Post-It on it.
If the printer isn't visible but you found it on the network, just print to it.
But, no, he went hunting on LinkedIn, then probed mail settings, and then the address book stuff? Address book from the printer? On an MFP it might contain certain people who've scanned, etc. but if the AD is open enough that you can just get a list of all users then that's a bigger problem than an open printer.
My biggest question, really, though, is how you're able to access another company's network whatsoever. Even in a shared office. Because that's the REAL problem here. If one office can happily send broadcast to everyone, or probe IP addresses and web interface of any internal devices, that's a much serious problem - just think of WannaCry.
Techy detail please, when he says he could "see" this printer, and the configuration of that network that allows him to see that that DOESN'T come down to "Holy cow the whole site is insecure, but hey, let's play games with a printer".