Cloud Storage & File Management | Intermediate
October 21, 2025
6 min read
40 minutes
Automate Email Phishing Detection with n8n
Build an automated phishing detection system using n8n, Outlook, VirusTotal, and Slack to instantly identify and report malicious email links.
By Mahedi Hasan Nadvee

Email remains one of the most common attack vectors for cybercriminals. Every day, security teams face a relentless flood of messages, many containing links designed to steal credentials, install malware, or compromise entire networks. Manually checking every suspicious email is time consuming and prone to human error. By the time someone realizes a link is malicious, the damage may already be done.
This is where automation changes the game. With n8n, you can build a phishing detection workflow that automatically monitors your inbox, extracts URLs from incoming emails, scans them using industry-leading security tools, and alerts your team through Slack. The entire process runs in the background, giving you instant visibility into potential threats without lifting a finger.
This workflow connects Microsoft Outlook with VirusTotal and URLScan.io to create a powerful early warning system. When a new email arrives, the system springs into action, marking it as read, extracting any embedded URLs, submitting them for analysis, and delivering a comprehensive security report straight to your Slack channel. No manual intervention required.
Prerequisites: What You Need to Get Started
Before building this automated phishing detection system, you need access to a few key services. Each plays a specific role in the security scanning pipeline.
Required API Accounts:
- Microsoft Outlook: Your email source. You need OAuth2 credentials that let n8n read messages and mark them as read (marking requires a write scope such as Mail.ReadWrite, so grant the credential access to the monitored mailbox only).
- VirusTotal API: A threat intelligence platform that checks URLs against dozens of security vendors. Sign up for a free account to get your API key; the free public key is limited to about four requests per minute, which is why the workflow throttles submissions.
- URLScan.io API: Provides detailed analysis of website behavior, screenshots, and threat indicators. Register for free access, and note that scans are public unless you submit them with unlisted or private visibility.
- Slack: Your notification destination. Create a Slack app with OAuth2 permissions to post messages to your security channel.
Once you have these credentials configured in n8n, you can start connecting the pieces.
Key Components: The Building Blocks of Threat Detection
This workflow uses several specialized n8n nodes, each handling a specific task in the security pipeline. Understanding what each does helps you customize the workflow for your needs.
- Schedule Trigger: Runs the workflow automatically at regular intervals, checking for new emails every hour.
- Manual Trigger: Lets you test the workflow on demand without waiting for the schedule.
- Microsoft Outlook: Retrieves unread messages and marks them as read after processing.
- Code Node: Extracts URLs from email bodies using regex pattern matching.
- Split in Batches: Processes emails one at a time to avoid overwhelming the API rate limits.
- HTTP Request Nodes: Submit URLs to VirusTotal and retrieve analysis results.
- URLScan.io Nodes: Trigger URL scans and fetch detailed security reports.
- Wait Node: Gives URLScan.io enough time to complete its analysis before retrieving results.
- IF and Filter Nodes: Control workflow logic based on whether URLs exist and scans complete successfully.
- Merge Node: Combines reports from both security services into a single output.
- Slack Node: Sends formatted security alerts to your team channel.
Building the Workflow: Step by Step Implementation
Step 1: Monitor Your Inbox for Unread Messages
The workflow begins by checking your Microsoft Outlook inbox. Configure the Schedule Trigger to run every hour, or use the Manual Trigger for testing. The Get All Unread Messages node pulls up to five unread emails per run. The cap keeps each run within the scanners' rate limits, but it also sets your throughput: at one run per hour, more than five unread messages an hour builds a backlog, so tune the limit and the interval together against your API quota.

image_1.png
After retrieving messages, the workflow immediately marks them as read so they are not processed twice. This happens before any scan runs, so if a later step fails the message is already read and will not be picked up again; for production use, consider marking it as read (or tagging it with a category) only after the Slack alert has been sent. The Split in Batches node then takes over, feeding emails one at a time into the analysis pipeline.
Step 2: Extract URLs from Email Content
Not every email contains links, and not every link is suspicious. The Find Indicators of Compromise node uses a Code node with JavaScript to scan the email body for URLs. It applies a regular expression that matches HTTP and HTTPS links and collects them into a de-duplicated list. Because Outlook bodies are usually HTML, the pattern should stop at quotes and angle brackets (so it captures href targets rather than display text, which in a phishing mail often differs from the real destination) and the matches should be entity-decoded, since an &amp; inside an href is a literal ampersand in the URL. Each discovered URL becomes a separate item in the workflow, ready for security scanning. If no URLs exist, the workflow skips ahead to the next email, saving resources.
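The extraction logic for this Code node, written out as an added example (it is not the article's own node code; the helper names, the item shape and the sample email body below are constructed for illustration). It handles HTML and plain-text bodies, decodes entities inside href attributes, strips sentence punctuation that the regex would otherwise swallow, and de-duplicates, so the same link in the href and in the visible text is scanned once:

```javascript
// Added example: URL extraction for an n8n Code node (JavaScript).
// Not the article's original node code; names and sample data are constructed.

// Match http/https URLs. The class stops at whitespace, quotes and angle
// brackets so href="..." attributes and <url> wrappers do not bleed in.
const URL_RE = /https?:\/\/[^\s"'<>]+/gi;

// Decode the HTML entities that commonly appear inside href attributes.
function decodeEntities(s) {
  return s
    .replace(/&amp;/gi, '&')
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&#39;/g, "'");
}

// Drop punctuation that belongs to the sentence, not the URL:
// "see https://example.com." or "(https://example.com)".
function trimTrailing(url) {
  return url.replace(/[.,;:!?)\]]+$/, '');
}

// Unique URLs from an email body, in first-seen order.
function extractUrls(body) {
  const seen = new Set();
  const out = [];
  for (const raw of body.match(URL_RE) || []) {
    const url = trimTrailing(decodeEntities(raw));
    if (url && !seen.has(url)) {
      seen.add(url);
      out.push(url);
    }
  }
  return out;
}

// One n8n item per URL, carrying the email metadata along so the Slack
// alert can name subject and sender. Returns [] when there are no links,
// which the IF node uses to skip the email.
// (Assumed input shape; the Outlook node's Graph message has the body in
// body.content and the sender in from.emailAddress.address, so map those
// fields first.)
function toScanItems(email) {
  return extractUrls(email.body || '').map((url) => ({
    json: { url, subject: email.subject, from: email.from, received: email.received },
  }));
}

// Constructed sample email, not a real message.
const SAMPLE_EMAIL = {
  subject: 'Action required: verify your mailbox',
  from: 'it-support@example.net',
  received: '2025-10-21T09:14:00Z',
  body:
    '<p>Please verify at <a href="https://login.example-verify.test/?id=42&amp;u=bob">this link</a>.</p>' +
    '<p>Or copy https://login.example-verify.test/?id=42&u=bob. Docs: (https://docs.example.org)</p>',
};

// In the Code node (mode "Run Once for All Items") the last line would be:
//   return $input.all().flatMap((item) => toScanItems(item.json));
console.log(toScanItems(SAMPLE_EMAIL).map((i) => i.json.url));
```

The href and the pasted copy of the same link collapse to one item, and the docs link loses its closing parenthesis, which a plain regex would have kept and sent to the scanners as a non-existent URL.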
Step 3: Submit URLs to Security Scanners
Here is where the real magic happens. The workflow sends each extracted URL to two different security platforms. VirusTotal checks the URL against over 70 antivirus engines and website scanners, providing a comprehensive threat verdict. URLScan.io takes a different approach, actually visiting the website, capturing screenshots, and analyzing its behavior. Both branches run independently, so neither waits on the other. The VirusTotal node submits the URL and immediately receives an analysis ID; URLScan.io returns a scan ID that we use later to fetch the full report. Two caveats follow from how these services work. Because urlscan.io loads the page, a unique tracking link gets "clicked" on the recipient's behalf, which can confirm the address is live or consume a one-time token. And scans submitted with the default public visibility appear in urlscan.io's public results, so submit as unlisted or private when links may carry tokens or recipient addresses.
Step 4: Wait for Scan Results and Handle Errors
Security scans take time. The workflow waits roughly 60 seconds before requesting the final URLScan.io report, which is usually long enough for the scan to finish.

image_2.png
Meanwhile, VirusTotal is usually faster, and the workflow retrieves its analysis right away. The analysis object carries a status field that reads queued until the engines have finished and completed afterwards; read the detection stats only once the status is completed, or an in-progress scan will show up as a clean zero-detection result.

image_3.png
Error handling keeps everything running smoothly. If the URLScan.io result request fails (the result endpoint answers 404 until the scan is finished, and a site that is down can make the scan itself fail), the No Error conditional node catches it and retries after another wait. This resilience ensures you get results even when individual scans are slow or fail.
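Steps 3 and 4 as one added example (not the article's node configuration): the request shapes the two HTTP Request nodes send, and the logic that decides whether a scanner reply is usable or the Wait/retry branch should run. Endpoint paths and field names follow the public VirusTotal v3 and urlscan.io v1 APIs; the API key variable names and the sample replies are constructed and abbreviated.

```javascript
// Added example, not the article's code. Sample replies are constructed.

// VirusTotal identifies a URL by its unpadded URL-safe base64, so an
// existing report can also be read with GET /api/v3/urls/{id}.
function vtUrlId(url) {
  return Buffer.from(url, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Request descriptions for the two HTTP Request nodes. Keys come from n8n
// credentials in practice; the parameter names here are placeholders.
function buildScanRequests(url, vtApiKey, urlscanApiKey) {
  return {
    virustotal: {
      method: 'POST',
      url: 'https://www.virustotal.com/api/v3/urls',
      headers: { 'x-apikey': vtApiKey, 'content-type': 'application/x-www-form-urlencoded' },
      body: 'url=' + encodeURIComponent(url),
      // the reply's data.id is the analysis id for GET /api/v3/analyses/{id}
    },
    urlscan: {
      method: 'POST',
      url: 'https://urlscan.io/api/v1/scan/',
      headers: { 'API-Key': urlscanApiKey, 'content-type': 'application/json' },
      // "private" keeps the submission, and any recipient token embedded in
      // the link, out of urlscan.io's public results.
      body: JSON.stringify({ url, visibility: 'private' }),
      // the reply's uuid feeds GET https://urlscan.io/api/v1/result/{uuid}/
    },
  };
}

// VirusTotal analysis object -> verdict, or null while status is still
// "queued" (the stats are all zero until then, which would otherwise read
// as a clean 0/0 result).
function vtVerdict(analysis) {
  const attrs = (analysis && analysis.data && analysis.data.attributes) || {};
  if (attrs.status !== 'completed') return null;
  const s = attrs.stats || {};
  const flagged = (s.malicious || 0) + (s.suspicious || 0);
  const total = flagged + (s.harmless || 0) + (s.undetected || 0) + (s.timeout || 0);
  return { flagged, total, ratio: `${flagged}/${total}`, malicious: flagged > 0 };
}

// urlscan.io result fetch -> verdict. 404 means the scan has not finished
// yet (the "wait and retry" case); any other non-200 status is a real error.
function urlscanVerdict(statusCode, body) {
  if (statusCode === 404) return { pending: true };
  if (statusCode !== 200) return { pending: false, error: `HTTP ${statusCode}` };
  const overall = (body.verdicts && body.verdicts.overall) || {};
  return {
    pending: false,
    malicious: overall.malicious === true,
    score: overall.score || 0,
    reportUrl: body.task && body.task.reportURL,
    screenshotUrl: body.task && body.task.screenshotURL,
  };
}

// Constructed, abbreviated replies in the shape the real APIs return.
const VT_QUEUED = { data: { type: 'analysis', attributes: { status: 'queued', stats: {} } } };
const VT_DONE = { data: { type: 'analysis', attributes: { status: 'completed',
  stats: { harmless: 60, malicious: 8, suspicious: 2, undetected: 5, timeout: 0 } } } };
const US_DONE = {
  task: { reportURL: 'https://urlscan.io/result/00000000-0000-0000-0000-000000000000/',
          screenshotURL: 'https://urlscan.io/screenshots/00000000-0000-0000-0000-000000000000.png' },
  verdicts: { overall: { score: 100, malicious: true } },
};

console.log(buildScanRequests('https://example.com', 'VT_KEY', 'URLSCAN_KEY'));
console.log(vtVerdict(VT_QUEUED), vtVerdict(VT_DONE));
console.log(urlscanVerdict(404, {}), urlscanVerdict(200, US_DONE));
```

In the workflow, a null from vtVerdict and a pending result from urlscanVerdict are the two conditions that should route back into the Wait node; anything else goes forward to the Merge Reports node.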
Step 5: Merge Reports and Alert Your Team
After both security services complete their analysis, the Merge Reports node combines the data into a single, comprehensive view. The workflow then checks if valid data exists using a Filter node. Empty results get discarded, while complete reports move forward to Slack. The final Slack message includes the email subject, sender address, timestamp, and direct links to both the URLScan and VirusTotal reports.

image_4.png
Your security team can click through to see detailed analysis, threat scores, and screenshots. The VirusTotal verdict appears as a ratio, showing how many of the engines that scanned the URL flagged it as malicious or suspicious. Treat the ratio as a signal rather than proof: a freshly registered phishing page often has zero detections at first scan, so a clean score on a link that still looks wrong warrants manual review.
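Composing the alert, as an added example rather than the article's Slack node configuration. The suspect URL is defanged so that Slack does not render it as a clickable link in the channel (the report links to VirusTotal and urlscan.io stay clickable on purpose). The shape of the merged item and the severity thresholds are assumptions for illustration:

```javascript
// Added example, not the article's code. The merged item shape is assumed.

// Replace the scheme and host dots so a copy-paste cannot be followed by
// accident: https://bad.example.test/x -> hxxps://bad[.]example[.]test/x
function defang(url) {
  const m = /^(https?):\/\/([^/?#]+)(.*)$/i.exec(url);
  if (!m) return url.replace(/\./g, '[.]');
  const scheme = m[1].toLowerCase() === 'https' ? 'hxxps' : 'hxxp';
  return `${scheme}://${m[2].replace(/\./g, '[.]')}${m[3]}`;
}

// One severity from the two verdicts. Either scanner alone is enough to
// escalate, and a missing result is reported as incomplete, not as clean.
// Thresholds are illustrative.
function severity(vt, us) {
  if ((us && us.malicious) || (vt && vt.flagged >= 3)) return 'HIGH';
  if (vt && vt.flagged > 0) return 'MEDIUM';
  if (!vt || !us) return 'INCOMPLETE';
  return 'LOW';
}

// Slack mrkdwn text for the alert.
function formatAlert(item) {
  const { email, url, vt, us } = item;
  const lines = [
    `*Phishing check: ${severity(vt, us)}*`,
    `Subject: ${email.subject}`,
    `From: ${email.from}`,
    `Received: ${email.received}`,
    `URL: ${defang(url)}`,
  ];
  lines.push(vt ? `VirusTotal: ${vt.ratio} engines flagged (${vt.reportUrl})`
                : 'VirusTotal: result not available');
  lines.push(us ? `urlscan.io: score ${us.score}, malicious=${us.malicious} (${us.reportUrl})`
                : 'urlscan.io: result not available');
  return lines.join('\n');
}

// Constructed merged item, shaped like the output of the Merge Reports node.
const SAMPLE_ITEM = {
  email: { subject: 'Action required: verify your mailbox',
           from: 'it-support@example.net', received: '2025-10-21T09:14:00Z' },
  url: 'https://login.example-verify.test/?id=42&u=bob',
  vt: { flagged: 10, total: 75, ratio: '10/75',
        reportUrl: 'https://www.virustotal.com/gui/url/EXAMPLE' },
  us: { malicious: true, score: 100,
        reportUrl: 'https://urlscan.io/result/00000000-0000-0000-0000-000000000000/' },
};

console.log(formatAlert(SAMPLE_ITEM));
```

Defanging only the host keeps query strings intact, which analysts need for triage, while still breaking Slack's auto-linking.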
Real World Benefits: Why This Workflow Matters
Automating phishing detection delivers immediate value across multiple areas of security operations. First, it dramatically reduces response time. Instead of waiting for someone to manually review suspicious emails, your team gets an alert within one polling interval of the message arriving. This speed can mean the difference between stopping an attack and dealing with a breach.
Second, it scales effortlessly. Whether you receive five suspicious emails a day or fifty, the workflow handles them all without additional effort. Security teams can focus on investigating confirmed threats rather than sifting through every message looking for danger.
Third, it creates an audit trail. Every scanned email and its verdict is posted to Slack, giving you a searchable history for threat analysis; store the same records in a database if you need them for compliance reporting. You can track trends, identify repeat offenders, and improve your email filtering rules over time.
Common use cases extend beyond basic phishing detection. Security operations centers use this workflow to triage incoming reports from employees who forward suspicious emails. IT departments deploy it to monitor shared inboxes that receive external communications. Managed service providers run multiple instances, each monitoring different client email accounts. The flexibility of n8n means you can adapt the workflow to match your specific security requirements.
Taking It Further
This workflow provides a solid foundation, but you can extend it in many directions. Add a database node to store scan results for long term analysis. Add an IF or Switch node that automatically quarantines emails with high threat scores. Connect to your SIEM platform to correlate email threats with other security events. Integrate with Microsoft Defender to automatically block malicious senders. The modular nature of n8n makes these enhancements straightforward to implement.
Phishing attacks will not stop, but your response to them can be faster, smarter, and fully automated. With this n8n workflow running in the background, you gain a tireless security assistant that never sleeps, never forgets to check a link, and always keeps your team informed. Build it once, and let automation do the heavy lifting.