Automate Phishing Email Detection with n8n, Gmail & Jira

1. Opening Problem Statement

Meet Sarah, an IT security analyst at a mid-sized company receiving dozens of emails every hour. Every day, Sarah spends hours manually checking suspicious emails for phishing threats, trying to identify which ones are real risks and which are harmless. This tedious process not only slows down her productivity but also leaves room for human error, resulting in missed threats or false alarms. Inaccurate detection can mean serious security breaches or wasted resources chasing false positives.

Sarah needs a reliable way to automatically analyze incoming emails, detect potential phishing threats, and create actionable tickets for her security team — all without manual intervention. This is exactly the problem our n8n workflow solves by seamlessly integrating Gmail, AI-based phishing detection, and Jira ticket automation.

2. What This Automation Does

This workflow efficiently automates the entire phishing email detection and reporting process, specifically for emails coming into Gmail accounts. When it runs, it:

• Monitors your Gmail inbox for new incoming emails in near real-time (checks every minute).
• Extracts crucial email data including subject, recipient, HTML body, plain text body, and headers for analysis.
• Uses ChatGPT (OpenAI’s GPT-4o model) to analyze the email’s HTML content and headers and assess whether it might be a phishing attempt.
• Automatically creates detailed Jira tickets in two categories: potentially malicious emails get a high-priority phishing report; benign emails get logged as safe for record-keeping.
• Generates a visual screenshot of the email’s HTML body via the hcti.io API and uploads this image as a Jira attachment, enhancing context for security analysts.
• Converts the email’s plain text body into a downloadable .txt file and attaches it to the Jira ticket as documentation.

By automating these steps, this workflow saves your security team countless hours of manual review and reduces the risk of phishing threats slipping through unnoticed.

3. Prerequisites ⚙️

• 📧 Gmail account with OAuth2 credentials authorized for n8n access
• 🔑 OpenAI account (GPT-4o model) API credentials configured in n8n
• 🔐 Jira Software Cloud account with API access tokens
• 🔌 hcti.io API account for converting HTML email bodies to screenshots
• ⏱️ n8n account to build and execute the workflow

Optional: You can self-host n8n to run this automation on your own infrastructure. For affordable hosting, Hostinger offers great plans with easy n8n setup.

4. Step-by-Step Guide to Building This Automation

Step 1: Set Up Gmail Trigger Node to Monitor Incoming Emails

Navigate to Nodes > Add Node > Gmail Trigger. Configure it with your Gmail OAuth2 credentials. Set the polling interval to every minute for near-real-time detection.
You should see the node monitoring your inbox and triggering on new emails. If it doesn’t trigger, check your Gmail credential authorization.

Common mistake: Forgetting to enable Gmail APIs in your Google Cloud Console will prevent the trigger from working.

Step 2: Extract Gmail Email Variables

Add a Set node named Set Gmail Variables connected to the Gmail Trigger. Use expressions to assign extracted fields:
htmlBody = {{$json.html}}, subject = {{$json.subject}}, recipient = {{$json.to.text}}, textBody = {{$json.text}}, and headers = {{$json.headers}}.
This prepares your data for analysis later.

Visual confirmation: The node output will show each variable set clearly for downstream usage.

Step 3: Standardize Email Data for Analysis

Connect Set Gmail Variables to another Set node named Set Email Variables. This ensures the data from different email sources (Gmail, Outlook) uses the same variable names like htmlBody, textBody, headers, subject, and recipient for consistent processing.

Step 4: Convert Email Text Body to .txt File

Add the Convert To File node set to convert from text to a file called emailBody.txt. Connect it to the Set Email Variables node. This creates a downloadable version of the email content for later attachment in Jira.

Step 5: Generate Screenshot of Email HTML

Use the HTTP Request node labeled Screenshot HTML. Set method to POST and URL to https://hcti.io/v1/image. Configure body parameters to include your email’s HTML body {{ $('Set Email Variables').item.json.htmlBody }}. Add HTTP Basic Auth credentials from your hcti.io account.

Connect the Screenshot HTML node to another HTTP Request node Retrieve Screenshot that fetches the generated screenshot from the URL returned.

Tip: This visual image provides context to analysts reviewing tickets instead of just raw text.

Step 6: Analyze Email Using ChatGPT

Insert the Analyze Email with ChatGPT node (LangChain OpenAI node). Configure it with your OpenAI GPT-4o API credentials and a custom system prompt instructing it to classify if the email is phishing based on HTML body and headers.

Example prompt snippet: “Describe the following email… Determine if it is phishing… Output JSON with fields ‘malicious’ and ‘summary’.”

Connect it after Retrieve Screenshot to analyze the content.

Step 7: Decision Node to Check if Email is Malicious

Add an If node named Check if Malicious. Set a boolean condition evaluating the API response’s malicious flag from ChatGPT. If true, route to malicious ticket creation; if false, route to benign ticket creation.

Step 8: Create Jira Tickets for Malicious and Benign Emails

Create two Jira nodes:

• Create Potentially Malicious Ticket— posts a high-priority task in your Jira Support project. Includes ChatGPT analysis summary and email details.
• Create Potentially Benign Ticket— logs a ticket under a ‘benign’ category for record-keeping and auditing.

Connect the outputs of the Check if Malicious node accordingly.

Step 9: Attachments Handling for Jira Tickets

Use a Set node Set Jira ID to capture the newly created Jira ticket’s key. Then add nodes to upload attachments:

• Rename the email screenshot file as emailScreenshot.png using a Code node.
• Upload this screenshot to the Jira ticket via a Jira node configured for issue attachments.
• Rename the email body .txt file to emailBody.txt (another Code node)
• Upload the .txt file to the Jira ticket as an attachment.

This ensures your tickets contain both visual and text context.

5. Customizations ✏️

• Add Microsoft Outlook Support: The workflow includes disabled Outlook trigger and header retrieval nodes. Enable and configure them to monitor Outlook mailboxes alongside Gmail for broader coverage.
• Change AI Model: Swap GPT-4o with another OpenAI or LangChain supported model by adjusting the modelId in the ChatGPT node for cost or availability preferences.
• Customize Jira Projects and Issue Types: Modify the Jira nodes to create tickets in different projects or with specific issue types relevant to your security process.
• Use Alternative Screenshot Services: Replace hcti.io with another HTML-to-Image API by updating the HTTP request details if preferred.
• Add Additional Email Data Extraction: Expand the Set Variables nodes to extract more email metadata like attachments count or sender IP for enhanced reporting.

6. Troubleshooting 🔧

Problem: “Gmail Trigger not firing on new emails.”
Cause: Gmail API permissions not granted or incorrect OAuth setup.
Solution: Reauthorize credentials in n8n, ensure Gmail API is enabled in Google Cloud project, and save node configuration again.

Problem: “ChatGPT returns incomplete or no JSON output.”
Cause: API prompt or response formatting issues.
Solution: Verify the prompt content includes clear instructions for JSON output. Check API keys and rate limits. Add debug nodes to inspect raw response.

Problem: “Jira ticket creation fails or no attachments uploaded.”
Cause: Invalid Jira project key or permissions.
Solution: Confirm API token has project write access. Double-check project IDs, issue type IDs, and attachment upload configurations.

7. Pre-Production Checklist ✅

• Test Gmail trigger with a sample phishing email to ensure it fires.
• Verify ChatGPT analysis node returns proper JSON with true/false malicious flag and detailed summary.
• Confirm Jira tickets are created with correct summaries and descriptions.
• Check attachments for the email screenshot and text body appear correctly in Jira issues.
• Backup your n8n workflow before activating in production.

8. Deployment Guide

Activate the Gmail Trigger node to start monitoring your mailbox. Ensure all credentials are authorized and valid. Monitor execution logs inside n8n to verify proper flow of data through the nodes. Regularly audit Jira tickets created by the system to confirm accurate classification. Consider setting alerting for failures or unexpected outputs.

9. FAQs

Q: Can this workflow analyze emails from Outlook?
A: Yes, the workflow includes disabled nodes for Microsoft Outlook integration that you can enable and configure to process Outlook emails too.

Q: Does using OpenAI ChatGPT consume API credits?
A: Yes, each analysis sends a request to OpenAI’s API which incurs usage costs based on your plan.

Q: Is my email data secure?
A: Your data is processed within your n8n instance and transferred securely via OAuth and HTTPS. However, data sent to OpenAI and hcti.io follows their respective privacy policies.

10. Conclusion

By following this guide, you’ve built a sophisticated automation that catches phishing emails from your Gmail inbox and promptly logs detailed issues in Jira, complete with AI analysis and visual attachments. This saves your security team hours of manual review daily and reduces risk from phishing attacks significantly.

Next, you might extend this workflow to include SMS alerts for critical tickets or integrate with other email providers like Outlook. With n8n’s flexible platform, the possibilities to enhance your email security automation are endless.