Description
Overview
This phishing email detection automation workflow provides an event-driven analysis pipeline designed to monitor incoming Gmail messages and process potential phishing attempts. It is intended for security teams and IT professionals who require a deterministic, no-code integration solution that transforms email content into actionable insights with visual and AI-enhanced context.
Key Benefits
- Continuous Gmail inbox polling every minute ensures near real-time email monitoring.
- Automated extraction and normalization of email components for consistent analysis.
- Generates accurate visual screenshots of email HTML for improved phishing assessment.
- Leverages AI-powered phishing detection with ChatGPT-4, providing detailed, formatted analysis.
- Seamlessly integrates with Jira to create detailed tickets including screenshots and AI reports.
Product Overview
This phishing email detection automation workflow is triggered by a Gmail trigger node configured to poll every minute, initiating the process upon new email arrival. The workflow extracts key email fields including the HTML body, subject, recipient, and headers, normalizing data through variable-setting nodes. The email’s HTML content is sent to an external screenshot API to generate a visual image, preserving the email’s original format for enhanced human and AI review.
Subsequently, the workflow invokes an AI-powered ChatGPT-4 node with vision capabilities to analyze the email screenshot and headers, determining phishing likelihood. The AI response is formatted for Jira’s wiki-style renderer. Finally, the workflow creates a Jira ticket with structured email details and attaches the renamed screenshot, providing a full phishing incident report. Error handling relies on n8n’s default retry mechanisms, with no additional custom logic configured. Authentication uses OAuth2 for Gmail and HTTP Basic authentication for the screenshot API. Data is processed transiently, with no persistence within the workflow itself.
Features and Outcomes
Core Automation
This orchestration pipeline processes incoming Gmail emails by extracting content and headers, then generating visual and AI analyses to detect phishing risks. The workflow includes conditional branching to unify data from multiple sources for consistent downstream processing.
- Single-pass evaluation of email content and headers for phishing indicators.
- Deterministic transformation of HTML email bodies into screenshots for visual context.
- Automated creation of structured Jira tickets integrating AI insights and visual evidence.
Integrations and Intake
This no-code integration solution connects to Gmail via OAuth2 for secure email monitoring. A Microsoft Outlook integration is present but disabled. The workflow uses HTTP requests authenticated with basic credentials for screenshot generation and Jira API access. Incoming payloads consist of standard email JSON objects, including headers and HTML bodies.
- Gmail Trigger node polls inbox every minute for new messages.
- hcti.io API used to convert HTML email bodies into images.
- Jira Software Cloud API employed for automated issue creation and attachment upload.
Outputs and Consumption
Outputs include a Jira ticket with fields for recipient, subject, email body, and AI phishing analysis formatted for wiki-style rendering. The image screenshot of the email is attached as a PNG file. The workflow operates asynchronously, delivering outputs to Jira as downstream records.
- Jira issue summaries include email subject lines for traceability.
- Detailed AI-generated phishing analysis embedded in ticket descriptions.
- Email screenshot attached as “emailScreenshot.png” for visual reference.
Workflow — End-to-End Execution
Step 1: Trigger
The workflow is initiated by the Gmail Trigger node configured to poll the Gmail inbox every minute. This trigger detects new incoming emails and passes the complete email JSON payload, including headers and body, into the workflow.
Step 2: Processing
Email components such as the HTML body, subject, recipient address, headers, and plain text body are extracted and assigned to variables using the Set Gmail Variables node. Basic presence checks ensure required fields are available before proceeding. The data is normalized for uniform downstream processing.
Step 3: Analysis
The email’s HTML content is sent to an external HTTP request node calling the hcti.io screenshot API, which generates an image of the email’s visual layout. The Retrieve Screenshot node fetches the image URL. Then, the ChatGPT Analysis node uses a ChatGPT-4 model with vision capabilities to analyze the screenshot and email headers, producing a formatted phishing risk assessment.
Step 4: Delivery
The Create Jira Ticket node compiles the email subject, recipient, body, and AI-generated analysis into a new Jira issue. The screenshot file is renamed to “emailScreenshot.png” before being attached to the Jira ticket, ensuring a complete record for incident response teams.
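The header handling in Steps 2 and 3, sketched as an added example (this is not the workflow's own node code): it applies the presence checks, normalizes the message, and derives header facts that can be handed to the analysis step as plain data. The input field names and the choice of signals (Authentication-Results verdicts, From/Reply-To domain mismatch) are assumptions that go beyond what the page specifies.

```javascript
// Added example: not the workflow's own node code. The input field names
// (html, text, subject, to, headers) are an assumed message layout.
const REQUIRED = ['html', 'subject', 'to', 'headers'];

// Step 2: presence checks, then normalization into uniform variables.
function normalizeEmail(msg) {
  const missing = REQUIRED.filter((k) => msg[k] == null || msg[k] === '');
  if (missing.length) throw new Error('missing required field(s): ' + missing.join(', '));
  const headers = {};
  for (const [name, value] of Object.entries(msg.headers)) {
    // Lower-case names and unfold continuation lines so lookups are uniform.
    headers[name.toLowerCase()] = String(value).replace(/\r?\n[ \t]+/g, ' ').trim();
  }
  return { htmlBody: msg.html, textBody: msg.text || '', subject: String(msg.subject).trim(),
           recipient: String(msg.to).trim(), headers };
}

// Domain part of the address in a header such as "Name <user@example.com>".
function domainOf(value) {
  const m = /@([a-z0-9.-]+)/i.exec(value || '');
  return m ? m[1].toLowerCase() : null;
}

// Step 3 input: header facts for the analysis step (exact-domain comparison only).
function headerSignals(headers) {
  const found = {};
  const re = /\b(spf|dkim|dmarc)=([a-z]+)/gi;
  for (const m of (headers['authentication-results'] || '').matchAll(re)) {
    const method = m[1].toLowerCase();
    if (!(method in found)) found[method] = m[2].toLowerCase(); // first result per method wins
  }
  const from = domainOf(headers['from']);
  const replyTo = domainOf(headers['reply-to']);
  return { spf: found.spf || 'none', dkim: found.dkim || 'none', dmarc: found.dmarc || 'none',
           fromDomain: from, replyToMismatch: replyTo !== null && replyTo !== from };
}

// Constructed sample message (not real mail).
const sample = {
  html: '<p>Your mailbox is full. <a href="http://login.example.net">Verify</a></p>',
  subject: ' Action required ',
  to: 'alice@example.com',
  headers: {
    'From': 'IT Support <helpdesk@example.org>',
    'Reply-To': 'recovery@example.net',
    'Authentication-Results': 'mx.example.com;\r\n spf=fail smtp.mailfrom=example.org;\r\n dkim=none; dmarc=fail header.from=example.org',
  },
};
```

Passing these derived fields alongside the raw headers gives the ticket a deterministic record of the authentication results that does not depend on the model's wording.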
Use Cases
Scenario 1
Security teams need to identify phishing emails rapidly from Gmail inboxes. This automation workflow detects new emails, generates visual representations, and uses AI to assess phishing risk, returning a detailed Jira ticket that streamlines investigation and remediation.
Scenario 2
IT administrators require consistent phishing incident reporting. The workflow extracts uniform email data, performs AI-driven analysis, and creates structured Jira issues with attachments, ensuring repeatable, deterministic phishing email management.
Scenario 3
Organizations want to reduce manual effort in phishing detection. This orchestration pipeline automates email visualization, AI analysis, and incident creation, enabling security teams to focus on threat resolution rather than data collection and formatting.
Comparison — Manual Process vs. Automation Workflow
| Attribute | Manual/Alternative | This Workflow |
|---|---|---|
| Steps required | Multiple manual steps: email retrieval, screenshot, analysis, ticket creation. | Fully automated end-to-end process from email receipt to Jira ticket. |
| Consistency | Variable based on human error and formatting differences. | Deterministic extraction and formatted AI analysis ensure uniform outputs. |
| Scalability | Limited by manual processing capacity and human resources. | Scales with email volume through automated polling and processing nodes. |
| Maintenance | Manual updates and error handling prone to delays and omissions. | Low maintenance using n8n’s modular nodes and default retry policies. |
Technical Specifications
| Specification | Details |
|---|---|
| Environment | n8n workflow automation platform |
| Tools / APIs | Gmail API via OAuth2, hcti.io screenshot API, OpenAI ChatGPT-4, Jira Software Cloud API |
| Execution Model | Event-driven asynchronous pipeline with polling trigger |
| Input Formats | Gmail email JSON including HTML body, headers, subject, recipients |
| Output Formats | Jira ticket with wiki-formatted text and PNG image attachment |
| Data Handling | Transient processing with no persistent storage within workflow |
| Known Constraints | Relies on external APIs availability for screenshot and AI analysis |
| Credentials | OAuth2 for Gmail, HTTP Basic Auth for hcti.io, OAuth2 for Jira, OpenAI API key |
Implementation Requirements
- Valid OAuth2 credentials configured for Gmail API access.
- HTTP Basic Authentication credentials for hcti.io screenshot service.
- OpenAI API key with access to ChatGPT-4 model enabled for vision capability.
Configuration & Validation
- Ensure Gmail Trigger node is active and polling every minute without errors.
- Verify that email variable extraction nodes correctly assign HTML, headers, and metadata.
- Confirm that the screenshot generation and AI analysis nodes produce the expected outputs.
Data Provenance
- Triggered by the “Gmail Trigger” node polling Gmail inbox every minute.
- Email content and header extraction performed in “Set Gmail Variables” and “Set Email Variables” nodes.
- Phishing analysis generated by “ChatGPT Analysis” node using OpenAI API with email screenshot and headers.
FAQ
How is the phishing email detection automation workflow triggered?
The workflow is triggered by the Gmail Trigger node which polls the Gmail inbox every minute to detect new incoming emails.
Which tools or models does the orchestration pipeline use?
This orchestration pipeline integrates Gmail API for email intake, hcti.io API for HTML screenshot generation, OpenAI’s ChatGPT-4 model with vision capabilities for AI analysis, and Jira API for issue creation.
What does the response look like for client consumption?
The output is a Jira ticket containing structured email details, a formatted AI phishing analysis in wiki-style text, and an attached PNG screenshot of the original email.
Is any data persisted by the workflow?
Data is processed transiently within the workflow, with no persistent storage; email content is only saved externally when attached to Jira tickets.
How are errors handled in this integration flow?
Error handling relies on n8n’s default retry mechanisms; no additional explicit error handling or backoff strategies are implemented.
Conclusion
This phishing email detection automation workflow delivers a dependable event-driven analysis pipeline that transforms incoming Gmail emails into actionable security insights. By combining HTML screenshot generation with AI-driven phishing assessment and automated Jira ticket creation, it streamlines incident reporting and enhances operational efficiency. The workflow depends on external API availability for screenshot generation and AI analysis, which should be considered in deployment planning. Its modular design supports extensibility and consistent, repeatable phishing detection without manual intervention.







