1. Opening Problem Statement
Meet Laura, the IT security analyst at a midsized company handling over 300 emails daily. She spends hours sifting through inboxes trying to spot phishing attempts manually—copying email content, checking headers, and escalating suspicious cases to the security team. This tedious process wastes at least 4 hours per day and frequently results in delayed responses to real threats, increasing the risk of security breaches and costly data loss.
Laura’s challenge is not just time consumption but also error-prone manual investigations that lack consistent documentation and visual evidence. What if there was a way to instantly capture suspect emails, analyze them intelligently, and create detailed, well-documented tickets for her security team—all automatically?
2. What This Automation Does
This n8n workflow, designed specifically for detecting phishing emails in Gmail, does the following when it runs:
- Real-time email capture: Emails are detected every minute from Laura’s Gmail inbox using the Gmail Trigger node.
- Structured email data extraction: The workflow extracts email subject, recipient, body (both text and HTML), and headers, organizing them for further processing.
- Email visualization: Converts the email’s HTML content into a screenshot image using the hcti.io API, capturing the email’s visual layout perfectly.
- Phishing analysis with AI: Employs ChatGPT-4 via the LangChain node to analyze the email headers and content image to detect phishing risks, delivering a concise, actionable report.
- Automatic Jira ticket creation: The workflow creates a Jira task with all extracted info, ChatGPT’s analysis, and attaches the email screenshot for easy review and audit.
- Streamlined incident management: Enables Laura’s security team to immediately prioritize and investigate suspicious emails with complete visual and contextual data at hand.
By automating these steps, Laura saves at least 3 hours daily previously spent on manual email reviews and documentation, improving both efficiency and security posture.
3. Prerequisites ⚙️
- Gmail account: Integrated via the Gmail Trigger node to capture incoming emails in real time. 📧
- hcti.io API account: To convert HTML email content into screenshots via HTTP Request nodes.
- OpenAI account: For ChatGPT-4 access via LangChain node for AI-driven phishing analysis. 🔑
- Jira Software Cloud account: Connected via Jira node to automate phishing report ticket creation. 📁
- n8n automation platform account: To build and run the workflow. Optionally self-host with services like Hostinger for local control. 🔌
4. Step-by-Step Guide
Step 1: Set up Gmail Trigger for Incoming Emails
Navigate to Nodes > Add Node > Email > Gmail Trigger. Connect your Gmail OAuth2 credentials. Set the node to check emails every minute using the “Poll Times” option. This node detects new emails and outputs detailed message data for the workflow.
Expected: Gmail node triggers on each incoming email with full JSON data including headers, subject, recipients, and body content.
Tip: Ensure your Gmail account has proper OAuth2 permissions; otherwise, no emails will be captured.
Step 2: Extract and Structure Email Data with Set Gmail Variables Node
Add a Set node after Gmail Trigger named “Set Gmail Variables”. Configure variables to capture htmlBody (email HTML), subject, recipient, textBody, and headers from incoming email JSON. Use expressions like {{$json.html}} and {{$json.subject}}.
You should see these variables neatly assigned, ready for later nodes.
Common issue: Missing fields if your Gmail data is incomplete; double-check trigger configurations.
Step 3: Prepare Email Content for Screenshot Generation
Add another Set node named “Set Email Variables” that passes along the structured variables needed for the screenshot service. It includes the htmlBody variable prepared above.
Expected: This node formats your email’s raw HTML effectively for the next HTTP Request.
Step 4: Generate Screenshot Using hcti.io API
Use the HTTP Request node “Screenshot HTML” configured to POST to https://hcti.io/v1/image. Send a body parameter with the key html and value set to the email’s HTML body (e.g., {{$json.htmlBody}}). Include basic auth credentials from your hcti.io account.
Expected: The node returns a JSON including a URL for the generated screenshot image.
Tip: For privacy, be aware this sends email content to a third party; consider self-hosted alternatives if sensitive.
Step 5: Retrieve Screenshot Image URL
Follow “Screenshot HTML” with another HTTP Request node “Retrieve Screenshot” to GET the screenshot from the URL received in the previous step. Use basic auth for access.
This node downloads the screenshot file data to be attached to the Jira ticket later.
Step 6: Use ChatGPT for Phishing Email Analysis
Add the ChatGPT Analysis node from LangChain OpenAI integration. Pass the screenshot’s base64 data and the email headers as parameters in the prompt to analyze for phishing indicators.
Example prompt: “Describe this image. Determine if the email could be a phishing email. The message headers are as follows: {{headers}}”
Expected: An AI-generated response indicating phishing likelihood, formatted for Jira.
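The model's verdict rests on header text and an image that the sender controls, so a deterministic check on the same headers gives the ticket a second, reproducible signal. The following is an added example, not part of the original workflow; it assumes the headers are available as one raw text block, and trustedAuthserv is a hypothetical parameter naming the authserv-id your own receiving mail server stamps.

```javascript
// Added example (not from the workflow). Assumes headers are one raw RFC 5322 block.

// Unfold continuation lines, then collect values per lower-cased header name.
function parseHeaders(raw) {
  const map = {};
  for (const line of raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    (map[name] = map[name] || []).push(line.slice(i + 1).trim());
  }
  return map;
}

// Domain of the real address: the last <...> wins, so an address typed into
// the display name is ignored. Returns null for a missing or empty address.
function addressDomain(value = '') {
  const angle = [...value.matchAll(/<([^<>\s]*)>/g)].pop();
  const bare = value.match(/[^\s<>"]+@[^\s<>"]+/);
  const addr = angle ? angle[1] : bare ? bare[0] : '';
  const at = addr.lastIndexOf('@');
  return at === -1 ? null : addr.slice(at + 1).toLowerCase();
}

// trustedAuthserv: authserv-id your own receiving server stamps (assumption).
// Authentication-Results carrying any other id can be forged by the sender.
function headerSignals(raw, trustedAuthserv) {
  const h = parseHeaders(raw);
  const auth = { spf: 'none', dkim: 'none', dmarc: 'none' };
  const ar = (h['authentication-results'] || []).find(
    (v) => v.split(';')[0].trim().toLowerCase() === trustedAuthserv.toLowerCase());
  for (const m of (ar || '').matchAll(/\b(spf|dkim|dmarc)=([a-z]+)/gi)) {
    auth[m[1].toLowerCase()] = m[2].toLowerCase(); // last result per method wins
  }
  const from = addressDomain((h['from'] || [])[0]);
  const replyTo = addressDomain((h['reply-to'] || [])[0]);
  const flags = Object.keys(auth).filter((k) => auth[k] !== 'pass').map((k) => `${k}=${auth[k]}`);
  if (from && replyTo && replyTo !== from) flags.push('reply-to domain differs from From');
  return { from, replyTo, auth, flags };
}

// Constructed sample: a forged all-"pass" header sits below the receiver's real one.
const SAMPLE = [
  'Authentication-Results: mx.receiver.example; spf=softfail smtp.mailfrom=mailer.test;',
  '\tdkim=none; dmarc=fail header.from=bank.example',
  'Authentication-Results: forged.test; spf=pass; dkim=pass; dmarc=pass',
  'From: "Bank Support" <alerts@bank.example>',
  'Reply-To: <helpdesk@mailer.test>',
].join('\r\n');
```

Calling headerSignals(SAMPLE, 'mx.receiver.example') returns the three authentication results plus a flags list that can be written into the Jira description next to the AI analysis. A Reply-To mismatch alone is a weak signal, since legitimate mailing services also produce it.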
Step 7: Create Detailed Jira Ticket Automatically
Use the Jira node “Create Jira Ticket” to create a new issue in your Jira project. Include the email subject, recipient, text body, and ChatGPT analysis in the ticket description.
Common mistake: Ensure your Jira API credentials have proper permissions to create tickets and upload attachments.
Step 8: Rename and Upload Screenshot Attachment to Jira
First, a Code node “Rename Screenshot” sets the file name to emailScreenshot.png for consistency.
Then, an Upload Screenshot of Email to Jira node attaches this screenshot file to the newly created Jira issue, providing visual context.
Expected outcome: Every phishing ticket contains both textual and visual evidence, saving manual screenshots and extra steps.
5. Customizations ✏️
- Enable Microsoft Outlook Trigger: In this workflow, the Outlook trigger node is disabled by default but can be enabled to monitor Outlook inboxes similarly. Toggle the node on and configure credentials to support multiple email providers.
- Adjust Email Polling Frequency: Change “every minute” polling in the Gmail Trigger to a custom interval, balancing speed and API rate limits by editing the node’s Poll Times settings.
- Customize AI Analysis Prompt: Modify the ChatGPT node prompt text to fit your security team’s terminology or to extend analysis such as detecting spear phishing, sender impersonation, or malware links.
- Local HTML to Image Rendering: Replace the hcti.io API nodes with a self-hosted solution using the n8n CLI tool or Puppeteer for better security and no external exposure of email content.
- Jira Ticket Fields: Add custom Jira fields or labels in the “Create Jira Ticket” node to categorize phishing attempts by severity or department, improving ticket triage.
6. Troubleshooting 🔧
Problem: “No emails triggering the Gmail Trigger node.”
Cause: OAuth2 authorization missing or expired.
Solution: Re-authenticate Gmail credentials in n8n, ensure Gmail API is enabled, and confirm the email filters (if any) allow all emails.
Problem: “Screenshot generation fails or returns errors.”
Cause: API rate limits or incorrect authentication with hcti.io.
Solution: Verify API keys and credentials, ensure the POST request body is valid, and monitor API usage limits.
Problem: “Jira tickets not created or missing attachments.”
Cause: Insufficient Jira permissions or incorrect issue key references.
Solution: Check Jira credentials, permissions, and ensure attachment node references the right issue key from ticket creation.
7. Pre-Production Checklist ✅
- Verify Gmail OAuth2 credentials and enable access scope to receive email data.
- Test hcti.io API credentials by manually calling the image generation API outside n8n.
- Validate OpenAI API keys for uninterrupted ChatGPT access with sufficient quota.
- Confirm Jira credentials and permissions for creating issues and uploading attachments.
- Run workflow on sample emails and verify screenshots, AI analysis, and Jira tickets are generated correctly.
8. Deployment Guide
Activate the workflow by toggling it on in n8n. Monitor executions through n8n’s workflow run logs to ensure smooth operation. For ongoing monitoring, set up alerting on execution failures. If self-hosted, you can configure watchdog timers or external heartbeat monitors for uptime.
This workflow integrates with cloud APIs for Gmail, hcti.io, OpenAI, and Jira—regularly check API limits and renew credentials as needed.
9. FAQs
Q: Can I use this workflow with Outlook instead of Gmail?
A: Yes, the workflow includes a Microsoft Outlook Trigger node that can be enabled and configured similarly to monitor Outlook inboxes.
Q: Does this workflow consume a lot of API credits?
A: It uses several external APIs, so usage depends on email volume. Check hcti.io, OpenAI, and Jira API limits to manage costs.
Q: Is sending email content to hcti.io secure?
A: This workflow sends HTML content to hcti.io for screenshot generation. For sensitive information, consider self-hosting the rendering process locally.
10. Conclusion
By following this detailed, step-by-step guide, you’ve built an automated phishing email detection system using Gmail, ChatGPT, and Jira via n8n. Not only does it save hours of manual investigation daily, but it also enriches your security team’s incident response with detailed textual and visual evidence in Jira tickets.
Laura’s story turns from overwhelmed analyst to empowered security expert, reducing risk exposure and improving workflow efficiency. Next, you can explore automating remediation steps, integrating additional email providers, or expanding AI analysis capabilities for advanced threat detection.