n8n Workflow
Advanced

Automated Email Threat Analysis with Sublime Security and Slack

Automate your email security operations by analyzing incoming emails and attachments with Sublime Security. This n8n workflow fetches emails via IMAP, sends them for threat analysis, and reports the results directly to Slack.

Overview

Automates the analysis of suspicious emails by fetching them via IMAP, sending them to Sublime Security for rule-based evaluation, and delivering a summary of findings to a Slack channel.

🧠 Description & Use Case

This workflow automates the process of analyzing suspicious emails, particularly those reported for phishing, by integrating an IMAP email inbox with Sublime Security for threat analysis and Slack for real-time notifications.

🔄 How It Works:

  1. Ingest Email: The workflow starts when a new email arrives in a specified inbox, using the Email Trigger (IMAP) node. This is ideal for monitoring a dedicated phishing@ or security@ mailbox where users forward suspicious emails.
  2. Verify Attachment: An IF node checks if the email contains an attachment, specifically an .eml file (mime type message/rfc822), which is a common format for forwarded phishing reports.
  3. Analyze with Sublime Security:
    • If an .eml attachment is found, the Move Binary Data node prepares it and the HttpRequest node sends it to the Sublime Security API for a full analysis against its detection rules.
    • If no attachment is present, a notification is sent to Slack to alert the team.
  4. Process and Report:
    • The results from Sublime Security are parsed by a Code node, which separates the security rules that matched from those that didn't.
    • The Set node formats these results into a clear, concise summary.
  5. Notify on Slack: The final summary, including the number of matched rules and their names, is sent to a designated Slack channel, providing immediate visibility to the security team.

✅ Real-World Use Cases:

  • Phishing Triage Automation: Automatically analyze emails reported by users to a phishing inbox, reducing manual effort and response time for SecOps teams.
  • Real-time Threat Alerting: Get instant notifications in Slack the moment a potentially malicious email is detected and analyzed, allowing for faster incident response.
  • Streamlined Security Workflows: Centralize your phishing threat management by transforming user-reported incidents into actionable, analyzed data without manual intervention.
  • Enhanced Operational Efficiency: Fortify your defense against cyber threats by speeding up the detection mechanism and ensuring all stakeholders are promptly informed.

Instructions

Basic steps

  1. Download workflow JSON
  2. Import into n8n
  3. Configure node parameters as needed
  4. Test and enable the workflow

💡 Tips

After importing, verify all connectors and credentials match your environment.

Preview

Workflow Visualization

13 nodes
100%
Email Trigger (IMAP)emailReadImapMove Binary DatamoveBinaryDataIF email has attachmentifSplit to matched and unmatchedcodeWhen clicking "Execute Workflow"manualTriggerSlackslackFormat the messagesetNotify about missing attachmentslackAnalyze email with Sublime SecurityhttpRequestSticky Note1stickyNoteSticky Note2stickyNoteSticky Note3stickyNoteSticky Note4stickyNote

Nodes

1

Email Trigger (IMAP)

emailReadImap

v2
2

Move Binary Data

moveBinaryData

v1
3

IF email has attachment

if

v1
4

Split to matched and unmatched

code

v1
5

When clicking "Execute Workflow"

manualTrigger

v1
6

Slack

slack

v2.1
7

Format the message

set

v2
8

Notify about missing attachment

slack

v2.1
9

Analyze email with Sublime Security

httpRequest

v3
10

Sticky Note1

stickyNote

v1
11

Sticky Note2

stickyNote

v1
12

Sticky Note3

stickyNote

v1
13

Sticky Note4

stickyNote

v1

Statistics

Total nodes:13
Disabled nodes:0
Node types:9
Connections:7
View full JSON structure
{
  "nodes": [
    {
      "id": "b1ad1c9a-ba5d-46d6-9ce1-b3bb9346c766",
      "name": "Email Trigger (IMAP)",
      "type": "n8n-nodes-base.emailReadImap",
      "position": [
        720,
        1120
      ],
      "parameters": {
        "format": "resolved",
        "options": {}
      },
      "credentials": {
        "imap": {
          "id": "BDCrQbPFgl8k3ArL",
          "name": "Matti Outlook email"
        }
      },
      "typeVersion": 2
    },
    {
      "id": "e43b0257-0d83-4f7e-8824-3ca1d4cf6110",
      "name": "Move Binary Data",
      "type": "n8n-nodes-base.moveBinaryData",
      "position": [
        1240,
        740
      ],
      "parameters": {
        "options": {
          "encoding": "base64"
        },
        "sourceKey": "attachment_0",
        "setAllData": false
      },
      "typeVersion": 1,
      "alwaysOutputData": true
    },
    {
      "id": "97359abc-7ca9-4599-9112-4416618d0c36",
      "name": "IF email has attachment",
      "type": "n8n-nodes-base.if",
      "position": [
        1020,
        900
      ],
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "={{ $binary.attachment_0 }}",
              "operation": "isNotEmpty"
            },
            {
              "value1": "={{ $binary.attachment_0.mimeType }}",
              "value2": "message/rfc822"
            }
          ]
        }
      },
      "typeVersion": 1
    },
    {
      "id": "046f87e0-8759-4952-85be-78bf36a70994",
      "name": "Split to matched and unmatched",
      "type": "n8n-nodes-base.code",
      "position": [
        1760,
        740
      ],
      "parameters": {
        "jsCode": "// Loop over input items and add a new field\n// called 'myNewField' to the JSON of each one\nmatched = []\nunmatched = []  \n\nfor (const item of $input.first().json.rule_results) {\n  if (item.matched) {\n    matched.push(item)\n  } else {\n    unmatched.push(item)    \n  }\n}\n\nreturn {\n  json: {\n    matched,\n    unmatched\n  }\n}"
      },
      "typeVersion": 1
    },
    {
      "id": "f88b852d-f2a4-4d78-aaef-40050c0efef8",
      "name": "When clicking \"Execute Workflow\"",
      "type": "n8n-nodes-base.manualTrigger",
      "position": [
        720,
        920
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "ce7288d4-61ec-4222-a29e-8a72ed2ee32e",
      "name": "Slack",
      "type": "n8n-nodes-base.slack",
      "position": [
        2260,
        740
      ],
      "parameters": {
        "text": "={{ $json.message }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "name",
          "value": "#test-matti-tomi"
        },
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "id": "180",
          "name": "Awesom-O"
        }
      },
      "typeVersion": 2.1
    },
    {
      "id": "70c76c01-50ef-47a4-b552-bc6fea5079ed",
      "name": "Format the message",
      "type": "n8n-nodes-base.set",
      "position": [
        2040,
        740
      ],
      "parameters": {
        "values": {
          "string": [
            {
              "name": "message",
              "value": "=No. of rules that matched {{ $json[\"matched\"].length }} / {{ $json[\"matched\"].length + $json[\"unmatched\"].length }}\n\nMatched rules:\n{{ $json[\"matched\"].pluck(\"rule\").pluck(\"name\").join('\\n') }}\n"
            }
          ]
        },
        "options": {},
        "keepOnlySet": true
      },
      "typeVersion": 2
    },
    {
      "id": "52af4700-0dc5-4f5f-8664-97d2aacdab76",
      "name": "Notify about missing attachment",
      "type": "n8n-nodes-base.slack",
      "position": [
        2260,
        920
      ],
      "parameters": {
        "text": "No attachment found in an email\n",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "name",
          "value": "#test-matti-tomi"
        },
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "id": "180",
          "name": "Awesom-O"
        }
      },
      "typeVersion": 2.1
    },
    {
      "id": "19be16c9-3908-4a2d-87e4-f721c33dc124",
      "name": "Analyze email with Sublime Security",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1500,
        740
      ],
      "parameters": {
        "url": "https://api.platform.sublimesecurity.com/v0/messages/analyze",
        "method": "POST",
        "options": {},
        "jsonBody": "={\n  \"raw_message\": \"{{ $json.data }}\",\n  \"run_active_detection_rules\": true,\n  \"run_all_detection_rules\": false\n}",
        "sendBody": true,
        "sendHeaders": true,
        "specifyBody": "json",
        "authentication": "genericCredentialType",
        "genericAuthType": "httpHeaderAuth",
        "headerParameters": {
          "parameters": [
            {
              "name": "content-type",
              "value": "application/json"
            }
          ]
        }
      },
      "credentials": {
        "httpHeaderAuth": {
          "id": "buIfmuHDZZQ2MyYz",
          "name": "Sublime Security bearer token"
        }
      },
      "typeVersion": 3
    },
    {
      "id": "a39d52d6-26e0-485e-8d32-984e26f71f9b",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        240,
        298.6458865911087
      ],
      "parameters": {
        "width": 618.0312276650722,
        "height": 963.8594737915395,
        "content": "![imap](https://i.imgur.com/lVqCPYb.png)\n# Workflow Overview\nLeverage n8n's IMAP node to `seamlessly ingest emails as .eml attachments`, streamlining your security protocols and response strategies. \n\nThis setup is crucial for organizations utilizing platforms like Outlook, which offers a specialized security feature that designates specific inboxes for phishing attempts. \n\nWhen a phishing email is flagged through Outlook's interface, the system is designed to convert it into an .eml file and direct it to a dedicated phishing inbox. This process not only centralizes your phishing threat management but also ensures that each potential threat is queued for immediate and thorough analysis. \n\nBy integrating with n8n, you can automate the capture of these emails, transforming user-reported incidents into actionable data without manual intervention, enhancing your cybersecurity response and preserving your workflow's integrity.\n\n## Ingest emails as attachments as .eml file. \nSet your phishing email inbox here via your imap credentials. You can also replace this with any other node that retrieves emails as .eml attachments. "
      },
      "typeVersion": 1
    },
    {
      "id": "3cb757ce-2083-44de-8508-89039c6bca9d",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1444,
        361
      ],
      "parameters": {
        "width": 503.7209302325584,
        "height": 710.138909846923,
        "content": "![Sublime Security](https://i.imgur.com/DfXJLIw.png)\n## Analyze Attachment and format output\nIf an attachment is detected, n8n facilitates its secure transfer to Sublime Security for detailed analysis. This automated process not only speeds up the threat detection mechanism but also formats the output for compatibility with other systems, such as Slack, ensuring a smooth and efficient workflow. \n\nThrough this automation, you're not just analyzing emails; you're fortifying your defense against cyber threats and enhancing operational efficiency with minimal user involvement."
      },
      "typeVersion": 1
    },
    {
      "id": "83756b95-a3a8-4145-9d10-fc7e3b2121f8",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1980,
        354.9999999999999
      ],
      "parameters": {
        "width": 476.0465116279074,
        "height": 777.0757733319455,
        "content": "![Slack](https://i.imgur.com/iKyMV0N.png)\n## Prep output for Slack Report\nn8n completes the cycle of threat analysis and communication by preparing and delivering comprehensive reports directly to your Slack channels. \n\nThis ensures that all stakeholders are immediately informed about potential threats, fostering a culture of transparency and prompt action. \n\nIn instances where no attachment is found, n8n proactively dispatches a notification to Slack, signaling your team to investigate further. "
      },
      "typeVersion": 1
    },
    {
      "id": "a443e91b-6b0b-4fb8-b9d5-6f1d236da053",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        880,
        360.9089707792378
      ],
      "parameters": {
        "width": 541.1627906976748,
        "height": 715.8304363872012,
        "content": "![n8n](https://i.imgur.com/lKnBNnH.png)\n## Check for attachments and send to sublime if any found \nUpon receiving an email via the IMAP node, n8n executes a meticulous inspection to detect the presence of attachments. This is more than a mere check; it's an essential layer of your security posture to identify and handle potentially malicious content proactively. \n\nIf an attachment is found, the binary file is converted to JSON for further analysis. "
      },
      "typeVersion": 1
    }
  ],
  "connections": {
    "Move Binary Data": {
      "main": [
        [
          {
            "node": "Analyze email with Sublime Security",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Format the message": {
      "main": [
        [
          {
            "node": "Slack",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Email Trigger (IMAP)": {
      "main": [
        [
          {
            "node": "IF email has attachment",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "IF email has attachment": {
      "main": [
        [
          {
            "node": "Move Binary Data",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Notify about missing attachment",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Split to matched and unmatched": {
      "main": [
        [
          {
            "node": "Format the message",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "When clicking \"Execute Workflow\"": {
      "main": [
        [
          {
            "node": "Move Binary Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze email with Sublime Security": {
      "main": [
        [
          {
            "node": "Split to matched and unmatched",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Actions

Share
Categories:
Tags:
manualtriggerifsetslackhttprequestmovebinarydatastickynotecodeemailreadimap

Technical Specs

Complexity:
Advanced
Node Count:
13 nodes
Published:11 months ago
Updated:3 months ago

Compatibility

Platform:
N8N Cloud & Self-hosted
Min Version:
N8N v1.0.0+
Supports cloud and self-hosted deployment

License

This workflow template follows MIT license, you can freely use, modify and distribute.

Please comply with relevant third-party service terms when using.

Related Workflows