1. Opening Problem Statement
Meet Giulio, a cybersecurity analyst responsible for safeguarding his organization against the frequent deluge of phishing emails targeting employees. Each day, Giulio spends hours manually sifting through countless unread emails in Microsoft Outlook, trying to identify potentially malicious URLs. This manual process is not only time-consuming, often taking 3-4 hours daily, but it’s also prone to errors—missing a malicious link could lead to significant security breaches and financial losses.
Giulio realized he needed a reliable, automated solution to instantly extract URLs from emails, scan them for threats, and notify his team promptly, without adding to the workload.
2. What This Automation Does
This specific n8n workflow automates the entire phishing URL analysis process by integrating Microsoft Outlook, URLScan.io, VirusTotal, and Slack. Whenever triggered, either manually or on a schedule, it:
- Fetches all unread emails from the Microsoft Outlook mailbox.
- Automatically marks each processed email as read to avoid duplicate scans.
- Extracts URLs from the email content using a Python script detecting Indicators of Compromise (IoCs).
- Scans each extracted URL with both URLScan.io and VirusTotal to detect malicious behavior.
- Waits for the scanning services to complete their analyses before retrieving detailed reports.
- Consolidates these findings and posts a comprehensive alert message summarizing the results on a designated Slack channel.
By automating this process, Giulio saves upwards of 3 hours per day and drastically reduces the risk of missing harmful URLs, providing his team with timely, actionable intelligence.
3. Prerequisites ⚙️
- Microsoft Outlook account 📧 with OAuth2 credentials configured in n8n for accessing unread emails.
- VirusTotal API key 🔐 for URL scanning requests.
- URLScan.io API key 🔐 set up in n8n for website scanning.
- Slack workspace and Bot Token 🔑 to post notifications.
- n8n automation platform account or self-hosted instance ⏱️ (Self-hosting gives more control. Learn more at https://buldrr.com/hostinger.)
4. Step-by-Step Guide
Step 1: Setup the Trigger
In n8n, add a Schedule Trigger node to run the workflow at desired intervals or use the Manual Trigger node for on-demand execution. For scheduling, set your preferred frequency (e.g., every hour).
You should see a node labeled Schedule Trigger connected downstream. This automates regular scans without manual intervention.
Common mistake: Forgetting to activate the trigger node, leading to no runs.
Step 2: Fetch Unread Emails from Outlook
Add a Microsoft Outlook node configured to Get All messages with filter isRead eq false. This fetches all unread emails in your mailbox.
Ensure you have connected Microsoft Outlook credentials. After running, you’ll see a list of unread emails including fields like subject, sender, and body content.
Common mistake: Not configuring OAuth2 credentials correctly, which will cause authentication errors.
Step 3: Mark Emails as Read
After the fetch, add another Microsoft Outlook node set to the Update operation and mark each retrieved email as read using its message ID. This prevents reprocessing on the next run.
Step 4: Split Emails into Batches
Use the Split In Batches node to process each email individually. Set batch size to 1. This allows sequential handling, making debugging simpler and workload manageable.
Step 5: Detect URLs Using Python Code
Add a Code node with Python language to extract URLs. Paste this snippet:
try:
    from ioc_finder import find_iocs
except ImportError:
    # n8n's Python Code node runs in Pyodide; install the package on first use
    import micropip
    await micropip.install("ioc-finder")
    from ioc_finder import find_iocs

# Body of the current email item as returned by the Outlook node
text = _input.first().json['body']['content']
iocs = find_iocs(text)
# Emit one n8n item per URL; downstream nodes read the "domain" field
return [{"json": {"domain": item}} for item in iocs["urls"]]
This uses the ioc-finder library to find URLs (Indicators of Compromise) in the email content.
Common mistake: Assuming ioc-finder is preinstalled. The snippet falls back to installing it with micropip, which only works where micropip is available (n8n's Python Code node runs in Pyodide).
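The Outlook node returns the body as HTML (body.contentType "html"), so links usually live in href attributes rather than in plain text. As an added example that is not part of the original workflow, this stdlib-only extractor (a substitute for ioc-finder, with a constructed sample message) produces the same item shape the If node in Step 6 checks; the field names body.contentType and body.content are assumed from the Graph message format.

```python
import re
from html.parser import HTMLParser

# Constructed sample of one message as the Outlook "Get All" node returns it
SAMPLE_EMAIL = {
    "subject": "Invoice overdue",
    "body": {
        "contentType": "html",
        "content": '<p>Pay at <a href="https://example.test/pay?id=1&amp;x=2">this link</a> '
                   'or copy https://example.org/reset.</p>',
    },
}

# Plain URL pattern for text bodies and for link text that is not an anchor
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect href targets and visible text; HTMLParser unescapes &amp; for us."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def extract_urls(body):
    """Return unique URLs from an Outlook body dict, href targets first."""
    content = body.get("content", "")
    found = []
    if body.get("contentType", "").lower() == "html":
        parser = _LinkCollector()
        parser.feed(content)
        found.extend(parser.hrefs)
        content = " ".join(parser.text)       # search only the visible text now
    found.extend(URL_RE.findall(content))
    seen, out = set(), []
    for url in found:
        url = url.rstrip(".,);")               # trailing punctuation is not part of the URL
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def to_n8n_items(urls):
    """Same output shape as the Code node: one item per URL under "domain"."""
    return [{"json": {"domain": u}} for u in urls]
```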
Step 6: Check if URLs Exist
An If node verifies that the list of extracted URLs is not empty. If it is empty, the workflow skips URL scanning and moves on to the next email batch.
Step 7: Submit URL to URLScan.io
Add the URLScan.io node set to Scan URL, passing the detected URL. Configure with your API credentials. This sends the URL for security scanning.
Set the node to continue on fail, so an error here does not stop the entire workflow.
Step 8: Submit URL to VirusTotal
Use an HTTP Request node to POST the URL to VirusTotal’s scanning endpoint. Configure with your VirusTotal API credentials and proper query parameters.
Step 9: Wait for Results
Add a Wait node for 60 seconds to allow scanning services sufficient time to complete their analysis.
Step 10: Retrieve URLScan.io Report
Use URLScan.io node with Get Report operation to fetch detailed results from the previous scanning step.
Step 11: Retrieve VirusTotal Report
Use another HTTP Request node configured to get the VirusTotal analysis report, parsing the scan ID returned previously.
Step 12: Merge Both Reports
Add a Merge node set to combine by position to align URLScan.io and VirusTotal reports side-by-side.
Step 13: Filter Non-Empty Results
Add a Filter node so that only URLs whose scans have finished continue to the Slack reporting step.
Step 14: Send Slack Notification
Finally, add a Slack node to send a formatted message summarizing the email subject, sender, and date along with scanning results for each URL.
This Slack alert is your team’s prompt to investigate suspicious links immediately.
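Steps 9 to 14 hinge on one failure mode: after the 60-second Wait, a report may still be queued (VirusTotal reports "status": "queued"; URLScan.io returns a not-finished message with no verdicts), and such items must be dropped by the Filter rather than reported as clean. As an added example that is not part of the original workflow, this code reduces both reports, merges them per URL, filters unfinished ones and builds the Slack text; the sample responses are constructed, modelled on the field names in VirusTotal's v3 analysis object and URLScan.io's result object.

```python
# Constructed sample responses (shapes follow VirusTotal v3 GET /analyses/{id}
# and URLScan.io GET /result/{uuid}/; values are made up for this example)
VT_DONE = {"data": {"attributes": {"status": "completed",
           "stats": {"harmless": 60, "malicious": 7, "suspicious": 1, "undetected": 20, "timeout": 0},
           "results": {"EngineA": {"category": "malicious", "result": "phishing"},
                       "EngineB": {"category": "harmless", "result": "clean"}}}}}
VT_QUEUED = {"data": {"attributes": {"status": "queued", "stats": {}, "results": {}}}}
US_DONE = {"page": {"domain": "example.test"},
           "verdicts": {"overall": {"malicious": True, "score": 85}}}
US_NOT_READY = {"message": "Scan is not finished yet", "status": 404}


def vt_summary(report):
    """Reduce a VirusTotal analysis to status, vendor counts and verdict labels."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("stats", {})
    labels = sorted({r.get("result") for r in attrs.get("results", {}).values()
                     if r.get("category") in ("malicious", "suspicious") and r.get("result")})
    return {"finished": attrs.get("status") == "completed",
            "malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0), "labels": labels}


def urlscan_summary(report):
    """A result without verdicts.overall means the scan is not finished."""
    overall = report.get("verdicts", {}).get("overall")
    return {"finished": overall is not None,
            "malicious": bool(overall and overall.get("malicious")),
            "score": overall.get("score") if overall else None}


def merge_reports(url, vt_report, us_report):
    """Steps 12 and 13: pair the reports for one URL, drop it if either is unfinished."""
    vt, us = vt_summary(vt_report), urlscan_summary(us_report)
    if not (vt["finished"] and us["finished"]):
        return None
    return {"url": url, "vt": vt, "urlscan": us,
            "flagged": vt["malicious"] > 0 or us["malicious"]}


def slack_text(email, findings):
    """Step 14: one message per email summarizing every finished URL scan."""
    lines = [f"*Phishing scan* for '{email['subject']}' from {email['from']} ({email['received']})"]
    for f in findings:
        mark = ":rotating_light:" if f["flagged"] else ":white_check_mark:"
        lines.append(f"{mark} {f['url']}: VT {f['vt']['malicious']} malicious / "
                     f"{f['vt']['suspicious']} suspicious ({', '.join(f['vt']['labels']) or 'none'}); "
                     f"urlscan score {f['urlscan']['score']}")
    return "\n".join(lines)
```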
5. Customizations ✏️
- Change email provider: Replace Microsoft Outlook nodes with Gmail node if you use Gmail. Re-map relevant fields accordingly.
- Adjust scanning frequency: Modify Schedule Trigger node to run every 30 minutes or daily, to fit your team’s operational needs.
- Enhance alert details: Add more details to Slack message, like a summary of detected malware types by extracting from VirusTotal’s results attribute.
- Add additional IoC types: Extend the Python code to extract IP addresses or hashes alongside URLs using the ioc-finder library.
- Post reports to other channels: You can add nodes for email notifications or Microsoft Teams instead of, or in addition to, Slack.
6. Troubleshooting 🔧
Problem: “Authentication failed” while fetching emails.
Cause: Incorrect or expired OAuth2 token.
Solution: Go to Credentials and refresh or reauthorize the Outlook OAuth2 credential, then test the connection from the Outlook nodes in n8n.
Problem: “VirusTotal API quota exceeded” error.
Cause: Hitting free API limits too frequently.
Solution: Upgrade VirusTotal plan or reduce scan frequency in Schedule Trigger.
Problem: URLScan.io node returns errors causing workflow interruption.
Cause: Network/credential issues or rate limiting.
Solution: Enable “Continue on Fail” in the URLScan node so the workflow does not stop. Also check that the API key is valid.
7. Pre-Production Checklist ✅
- Verify Microsoft Outlook credential with test fetch returning unread emails.
- Confirm VirusTotal and URLScan.io API keys are valid and active.
- Run a manual test of the workflow and ensure it processes at least one email URL and posts to Slack.
- Check Slack channel ID and token permissions allow posting messages.
- Ensure the Python code runs in your environment (no syntax errors and micropip installs correctly).
8. Deployment Guide
Once fully tested, activate the workflow by toggling it from inactive to active on the n8n dashboard.
Adjust the Schedule Trigger frequency to your preferred interval for continuous monitoring. Monitor executions in n8n to spot errors and address them immediately.
Keep an eye on Slack notifications to ensure phishing detections are timely and accurate.
9. FAQs
Q: Can I use other email providers instead of Microsoft Outlook?
A: Yes, n8n supports Gmail, IMAP, and others. You’ll need to set credentials accordingly and update the node fields.
Q: Does scanning URLs consume VirusTotal API credits?
A: Yes, each URL scan uses your API quota. Consider API limits in your scheduling.
Q: How secure is my data?
A: Data is processed within your n8n instance and transferred to trusted APIs over HTTPS. Keep your credentials secure.
Q: Can this handle high email volumes?
A: Yes, the Split In Batches node allows processing emails sequentially but at scale. Monitor performance accordingly.
10. Conclusion
By following this comprehensive tutorial, you’ve built a specialized n8n workflow that automatically analyzes URLs from unread Microsoft Outlook emails for phishing threats using URLScan.io and VirusTotal. You’ve drastically cut down manual review time, minimized the chance of missing dangerous URLs, and empowered your security team with timely Slack alerts.
This automation can save Giulio and his team up to 3-4 hours daily and significantly reduce security risks associated with phishing attacks.
Next steps? Consider expanding to analyze IP addresses and file hashes, integrate incident response systems, or add more alert channels like Microsoft Teams to enhance your cybersecurity posture even further.
Keep iterating and securing your organization with n8n!