Description
Overview
This email phishing detection automation workflow uses event-driven analysis to continuously monitor incoming Gmail messages, extracting key email components for AI-powered evaluation. Designed for security teams and IT administrators, the pipeline analyzes email content and headers to classify potential phishing threats and reports the results in a structured form through its Jira integration.
Key Benefits
- Automates email monitoring and threat detection using AI-driven, event-driven analysis.
- Generates both textual and visual representations of emails for comprehensive review.
- Integrates seamlessly with Gmail and Jira to streamline phishing report management.
- Classifies emails deterministically as malicious or benign using structured AI outputs.
Product Overview
This no-code integration workflow triggers on new Gmail messages, polling every minute to capture email data including subject, recipients, HTML body, text body, and headers. The workflow extracts and normalizes these components into variables for consistent processing. The email’s HTML body is sent to an external screenshot service to generate a visual snapshot, while the plain text body is converted to a .txt file. An AI node using the GPT-4o model analyzes the email’s content and headers for phishing indicators and returns a structured JSON response containing a malicious flag and a verbose explanation. Based on the AI classification, the workflow conditionally creates a Jira ticket labeled either potentially malicious or benign, attaching the generated screenshot and the email body file for context. The workflow operates synchronously within n8n’s environment, relying on OAuth2 credentials for Gmail and Jira, and HTTP Basic Authentication for the screenshot API. Error handling defaults to platform mechanisms without custom retry logic. Data processing is transient, with no persistent storage outside Jira attachments.
Features and Outcomes
Core Automation
This event-driven analysis workflow ingests emails via a Gmail trigger, extracting HTML bodies and headers before routing data through AI evaluation nodes to classify phishing risks.
- Single-pass evaluation with conditional branching based on AI phishing classification.
- Deterministic handling of email content and headers for consistent threat assessment.
- Automated ticket creation contingent on AI-generated malicious flag.
Integrations and Intake
The orchestration pipeline connects to Gmail using OAuth2 for secure access, retrieving full email fields every minute. Nodes for Microsoft Outlook, which use the Microsoft Graph API for detailed header retrieval, are also included but currently disabled.
- Gmail Trigger node polls new emails with OAuth2 authentication.
- Microsoft Outlook Trigger and header retrieval nodes configured but inactive.
- External screenshot generation via hcti.io API using HTTP Basic Authentication.
Outputs and Consumption
The workflow outputs structured JSON analysis results and generates Jira tickets containing detailed email reports. Email content is delivered as both image and text attachments to Jira synchronously following ticket creation.
- Jira tickets created with detailed summaries based on AI analysis.
- Attachments include a PNG screenshot of the email and a .txt file of the email body.
- Structured JSON output from AI node includes malicious flag and verbose explanation.
Workflow — End-to-End Execution
Step 1: Trigger
The workflow initiates on new emails detected by the Gmail Trigger node, which polls the Gmail account every minute via OAuth2 authentication to capture incoming messages including subject, recipients, body, and headers.
Step 2: Processing
Email components are extracted and assigned to variables using Set nodes. The HTML body and headers are prepared for analysis. Basic presence checks ensure required fields are present before further processing.
Step 3: Analysis
The HTML body is sent to an external API to generate a screenshot, which is retrieved and renamed for clarity. Simultaneously, the email body is converted to a text file. The AI node analyzes the email’s content and headers using GPT-4o, returning a JSON object indicating phishing risk with detailed rationale.
Step 4: Delivery
Based on the AI classification, the workflow creates a Jira ticket categorized as potentially malicious or benign. The generated email screenshot and text file are uploaded as attachments to the corresponding Jira issue, enabling security teams to review both visual and textual email evidence.
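The AI classification decides which Jira branch runs, so the model's reply is worth validating before the conditional node acts on it. The following is an added example, not part of the original workflow: JavaScript of the kind an n8n Code node could run, which accepts the reply only if it is a JSON object with a boolean flag and a non-empty explanation, and otherwise sends the email to manual review. The field names `malicious` and `summary` and the third `needs-manual-review` route are assumptions; the page names only the malicious and benign branches.

```javascript
// Added example (not the workflow's own code): fail-closed check of the AI reply.
// Assumed field names: `malicious` (boolean) and `summary` (string).
const ROUTES = Object.freeze({
  MALICIOUS: 'potentially-malicious',
  BENIGN: 'benign',
  REVIEW: 'needs-manual-review', // hypothetical third branch
});

function parseVerdict(rawReply) {
  if (typeof rawReply !== 'string' || rawReply.length > 20000) {
    return { ok: false, reason: 'reply missing or oversized' };
  }
  let data;
  try {
    data = JSON.parse(rawReply);
  } catch (err) {
    return { ok: false, reason: 'reply is not valid JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'reply is not a JSON object' };
  }
  // Require a real boolean: the string "false" is truthy in JavaScript, so a
  // loose `if (data.malicious)` would file a benign verdict as malicious.
  if (typeof data.malicious !== 'boolean') {
    return { ok: false, reason: 'malicious flag is not a boolean' };
  }
  if (typeof data.summary !== 'string' || data.summary.trim() === '') {
    return { ok: false, reason: 'explanation missing or empty' };
  }
  return { ok: true, malicious: data.malicious, summary: data.summary.trim() };
}

function routeEmail(rawReply) {
  const verdict = parseVerdict(rawReply);
  if (!verdict.ok) {
    return { route: ROUTES.REVIEW, note: `AI output rejected: ${verdict.reason}` };
  }
  const route = verdict.malicious ? ROUTES.MALICIOUS : ROUTES.BENIGN;
  return { route, note: verdict.summary };
}

// Constructed sample replies (not real model output).
const samples = [
  '{"malicious": true, "summary": "Reply-To domain differs from the From domain."}',
  '{"malicious": false, "summary": "Internal newsletter from a known sender."}',
  '{"malicious": "false", "summary": "Flag returned as a string."}',
  'Sorry, I cannot analyse this email.',
];
for (const reply of samples) console.log(routeEmail(reply));
```

Rejected replies carry the rejection reason in `note`, so the resulting ticket shows why the automated verdict was not used.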
Use Cases
Scenario 1
Security teams require automated detection of phishing attempts in mail arriving at Gmail accounts. This workflow provides a no-code integration that continuously monitors emails, analyzes them with AI, and generates Jira tickets for flagged threats, ensuring a structured and consistent incident response process.
Scenario 2
IT administrators need to document suspicious email content visually and textually for compliance. The workflow converts email HTML bodies into screenshots and text files, attaching both to Jira tickets, facilitating thorough audit trails and evidence preservation.
Scenario 3
Organizations aim to streamline phishing report handling by automatically classifying emails. This event-driven analysis pipeline uses AI to evaluate email headers and content, deterministically generating categorized Jira tasks to reduce manual triage workload.
Comparison — Manual Process vs. Automation Workflow
| Attribute | Manual/Alternative | This Workflow |
|---|---|---|
| Steps required | Multiple manual steps: email retrieval, analysis, screenshot creation, ticket filing. | Fully automated single-pass email ingestion to ticket generation. |
| Consistency | Subject to human error and variable analysis criteria. | Deterministic AI-driven evaluation with standardized reporting format. |
| Scalability | Limited by human capacity and manual processing time. | Scales with email volume, polling every minute and automated processing. |
| Maintenance | Requires ongoing training and process updates for staff. | Depends on external APIs and credential management; low manual intervention. |
Technical Specifications
| Specification | Details |
|---|---|
| Environment | n8n automation platform |
| Tools / APIs | Gmail API, hcti.io screenshot API, OpenAI GPT-4o, Jira API |
| Execution Model | Event-driven, synchronous processing per email |
| Input Formats | Gmail email payloads including HTML and text bodies, headers |
| Output Formats | Jira issues with JSON summaries, PNG screenshots, text attachments |
| Data Handling | Transient processing; no persistent storage except Jira attachments |
| Known Constraints | Relies on availability of external APIs (hcti.io, OpenAI, Jira) |
| Credentials | OAuth2 for Gmail and Jira; HTTP Basic Auth for screenshot API |
Implementation Requirements
- Valid OAuth2 credentials for Gmail account access and Jira API authentication.
- HTTP Basic Authentication credentials for hcti.io screenshot API integration.
- Network access allowing outbound HTTPS requests to Gmail, OpenAI, hcti.io, and Jira endpoints.
Configuration & Validation
- Configure Gmail Trigger node with OAuth2 credentials and verify polling frequency.
- Validate AI node integration with OpenAI GPT-4o model and confirm JSON output format.
- Test Jira nodes by creating sample tickets and uploading attachments without errors.
Data Provenance
- Trigger: Gmail Trigger node polling new emails every minute (OAuth2 authenticated).
- AI Analysis: Analyze Email with ChatGPT node using GPT-4o model for phishing classification.
- Output: Jira ticket creation nodes managing issue generation and attachment uploads.
FAQ
How is the email phishing detection automation workflow triggered?
The workflow is triggered by the Gmail Trigger node, which polls the Gmail account every minute using OAuth2 to detect new incoming emails.
Which tools or models does the orchestration pipeline use?
The orchestration pipeline uses Gmail API for intake, hcti.io API for screenshot generation, OpenAI GPT-4o model for AI-powered email content and header analysis, and Jira API for ticket management.
What does the response look like for client consumption?
The workflow creates Jira tickets containing structured JSON summaries from AI analysis, along with attachments including a screenshot PNG and a text file of the email body for comprehensive review.
Is any data persisted by the workflow?
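The workflow does not persist data internally; email content and screenshots are processed transiently and stored only as attachments within Jira tickets. During processing, the HTML body is sent to the hcti.io screenshot API and the email content and headers are sent to the OpenAI GPT-4o model.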
How are errors handled in this integration flow?
Error handling relies on n8n platform defaults; there is no custom retry or backoff logic implemented within the workflow nodes.
Conclusion
This email phishing detection automation workflow provides a dependable, AI-driven solution for continuous email security monitoring by extracting, analyzing, and reporting suspicious emails. It delivers deterministic phishing classification and integrates with Jira for structured incident tracking. While it automates critical analysis and documentation steps, the workflow depends on external API availability for screenshot generation and AI evaluation, which should be considered when implementing in production environments.







