n8n templatesn8n templates

Phishing analysis URLScan io and Virustotal

This workflow is designed to automate the detection and analysis of potential phishing URLs in emails, utilizing URLScan.io and VirusTotal to provide a comprehensive security assessment. By extracting URLs from unread emails and conducting parallel scans, it generates detailed security reports and notifies the security team in real-time via Slack, enhancing the accuracy and efficiency of phishing email identification. This solution is suitable for enterprise security operations, helping organizations promptly detect and respond to phishing threats, ensuring information security.

Workflow Diagram
Phishing_analysis__URLScan_io_and_Virustotal_ Workflow diagram

Workflow Name

Phishing_analysis__URLScan_io_and_Virustotal_

Key Features and Highlights

This workflow automatically detects and analyzes potential phishing URLs embedded in emails by integrating two authoritative security services: URLScan.io and VirusTotal. It delivers multi-dimensional URL security assessments along with detailed reports. Supporting both manual triggers and scheduled automatic execution, it ensures continuous monitoring of phishing threats. Real-time analysis results are pushed via Slack integration, enabling security teams to respond swiftly.

Core Problems Addressed

Phishing attacks propagate through malicious URLs, and traditional manual inspection is time-consuming, labor-intensive, and prone to oversight. This workflow automatically extracts URLs from unread emails and leverages advanced security scanning tools to detect malicious activities. It significantly improves the accuracy and efficiency of phishing email identification, helping organizations promptly detect and block phishing threats.

Use Cases

  • Automated phishing email analysis for Enterprise Security Operations Centers (SecOps)
  • Real-time phishing risk monitoring by IT security teams
  • Organizations with high email volumes needing automated threat filtering
  • Multi-channel threat detection and response through integration with security intelligence tools

Main Process Steps

  1. Trigger Mechanism: Supports manual execution via “Execute Workflow” button or scheduled triggers to start the process automatically.
  2. Email Retrieval: Connects to Microsoft Outlook to fetch all unread emails and marks them as read to avoid duplicate processing.
  3. URL Extraction: Uses Python code invoking the ioc-finder library to extract all potential URL indicators (IoCs) from email bodies.
  4. URL Validation: Checks for the presence of URLs; if none are found, skips to the next email.
  5. Parallel Scanning: Simultaneously submits extracted URLs to URLScan.io and VirusTotal for scanning.
  6. Result Waiting and Retrieval: Waits for URLScan.io to complete scanning, then retrieves detailed security reports from both platforms.
  7. Report Consolidation: Merges scan results from both sources to create a comprehensive analysis view.
  8. Filtering Valid Data: Filters out successfully obtained and complete scan results.
  9. Slack Notification: Sends Slack messages to designated channels containing the email subject, sender, send time, scan links, and security conclusions from both platforms, facilitating immediate review by security teams.

Involved Systems and Services

  • Microsoft Outlook: Email retrieval and management
  • URLScan.io: URL security scanning and website analysis
  • VirusTotal: Multi-engine malicious URL detection
  • Slack: Instant communication and alert notifications
  • n8n Built-in Nodes: Including Split In Batches, HTTP Request, Python code nodes, etc.

Target Users and Value Proposition

  • Cybersecurity analysts and security operations teams
  • IT administrators and enterprise security managers
  • Organizations seeking to automate email security detection to reduce manual workload
  • Enterprises aiming for rapid phishing threat identification and response through multi-platform security tool integration

This workflow provides enterprises with an efficient and automated phishing email URL detection solution. By combining leading-edge security technologies with flexible notification mechanisms, it greatly enhances the timeliness and accuracy of phishing threat defense, ensuring a stable information security environment.