Phishing analysis (URLScan.io and VirusTotal)

This workflow automates the analysis of potential phishing URLs found in unread emails in Microsoft Outlook. It submits each extracted URL to URLScan.io and VirusTotal, retrieves their reports, and posts a summary with the verdict to Slack. It runs on a schedule or on demand, shortening the time between a phishing email landing in a mailbox and the security team learning about it.

7/8/2025
23 nodes
Complex
Categories:
Communication & Messaging, Schedule Triggered, Complex Workflow
Integrations:
Slack, SplitInBatches, Microsoft Outlook, Schedule Trigger, UrlScanIo, Filter, Sticky Note, Wait

Target Audience

- Cybersecurity Teams: Professionals responsible for monitoring and defending against phishing attacks.
- IT Administrators: Individuals managing email systems and security protocols within organizations.
- Email Users: Users who receive suspicious emails and want to ensure their safety.
- Developers: Those looking to integrate automated workflows into their security processes.
- Compliance Officers: Personnel ensuring adherence to security regulations and standards.

Problem Solved

This workflow addresses the growing threat of phishing attacks by automating the analysis of suspicious URLs extracted from emails. It provides:
- Timely Detection: Quickly identifies potentially malicious links, reducing response time.
- Comprehensive Analysis: Utilizes URLScan.io and VirusTotal for detailed threat assessments.
- Automated Reporting: Sends alerts via Slack, ensuring that relevant teams are immediately informed of potential threats.

Workflow Steps

1. Trigger: The workflow runs from a Schedule Trigger or can be started manually, so mailboxes are checked at a fixed cadence.
2. Email Retrieval: Fetches unread messages from Microsoft Outlook, so each message is analyzed only once.
3. Mark as Read: Marks the fetched emails as read to prevent reprocessing. Because this happens before the analysis, a run that fails in a later step will not revisit those messages; check the execution log when the scanning or Slack steps error out.
4. Indicator of Compromise Detection: Uses Python to extract URLs from the email content; these URLs are the indicators sent for analysis.
5. URL Checks: Confirms that at least one URL was extracted; emails without links stop here.
6. URL Scanning: Submits each URL to URLScan.io and VirusTotal for scanning and threat assessment. URLScan.io scans are visible to everyone unless the scan visibility is set to unlisted or private, so do not submit URLs publicly when they may carry personal tokens or internal hostnames.
7. Wait Period: Pauses for one minute, because URLScan.io builds its report asynchronously and the result is not available immediately after submission.
8. Report Retrieval: Collects the analysis reports from both services.
9. Data Filtering: Passes on only complete reports, so an unfinished URLScan.io result or an empty VirusTotal response never reaches the notification step.
10. Slack Notification: Posts a message to the configured Slack channel summarizing the findings and the verdict for each URL.
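The following Python is an added example, not the template's own Code node or the API clients it uses. It shows the parts of steps 4, 8, 9 and 10 that can run offline: URL extraction from an email body (decoding HTML entities so an escaped href and the same link in plain text collapse to one indicator), the VirusTotal API v3 URL identifier (URL-safe base64 of the URL without padding, which is how a URL is addressed under /api/v3/urls/), the completeness check that the filter step needs because urlscan.io answers HTTP 404 until a scan finishes, and a combined verdict in the shape the Slack message would carry. The sample email body and both report dictionaries are constructed here and only modeled on the documented field names (urlscan.io `verdicts.overall` and `task.reportURL`, VirusTotal `data.attributes.last_analysis_stats`); no real submission is made.

```python
import base64
import html
import re
from urllib.parse import urlsplit

# Constructed sample message body (not from the page): an HTML lure with the same
# link twice (once HTML-escaped in an href, once as bare text) plus an IP-based URL.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Your mailbox is full. <a href="https://login.example-mail.test/verify?u=bob&amp;t=abc123">Sign in</a>
to keep receiving mail, or use http://203.0.113.10/verify/.</p>
<p>Questions? Write to support@example-mail.test or see
https://login.example-mail.test/verify?u=bob&amp;t=abc123.</p>
</body></html>"""

# Constructed reports (not real API output) shaped like the fields the two APIs return.
SAMPLE_URLSCAN_RESULT = {
    "task": {"reportURL": "https://urlscan.io/result/00000000-0000-0000-0000-000000000000/"},
    "page": {"domain": "login.example-mail.test", "ip": "203.0.113.10"},
    "verdicts": {"overall": {"score": 100, "malicious": True, "categories": ["phishing"]}},
}
SAMPLE_VT_URL_OBJECT = {
    "data": {"attributes": {"last_analysis_stats": {
        "harmless": 60, "malicious": 3, "suspicious": 1, "undetected": 26, "timeout": 0}}}
}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
BARE_URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """IOC step: collect http(s) URLs from href attributes and from bare text.

    HTML entities are decoded (so '&amp;' inside an href does not yield a URL that
    differs from the same link written in plain text), trailing sentence punctuation
    is stripped, and duplicates are dropped while preserving first-seen order.
    """
    seen: set[str] = set()
    urls: list[str] = []
    for raw in HREF_RE.findall(body) + BARE_URL_RE.findall(body):
        url = html.unescape(raw).strip().rstrip(".,;:!?")
        if not url.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: and relative links are not scan targets
        if not urlsplit(url).netloc:
            continue
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def vt_url_id(url: str) -> str:
    """VirusTotal API v3 URL identifier: URL-safe base64 of the URL, '=' padding removed.

    With it the workflow can GET /api/v3/urls/{id} for an existing report instead of
    waiting on a fresh analysis when VirusTotal has already seen the URL.
    """
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def urlscan_report_complete(result: dict) -> bool:
    """Filter step: urlscan.io returns HTTP 404 ('Scan is not finished yet') until the
    scan is done; a finished result always carries 'page' and 'verdicts' objects."""
    return isinstance(result, dict) and "verdicts" in result and "page" in result


def summarize(url: str, urlscan_result: dict, vt_url_object: dict, min_vt_hits: int = 1) -> dict:
    """Build the per-URL verdict the Slack step would post from both reports.

    min_vt_hits (at least 1) lets you demand more than one engine before calling a URL
    malicious; a single engine hit on a newly registered domain is a common false positive.
    """
    overall = urlscan_result.get("verdicts", {}).get("overall", {})
    stats = vt_url_object.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    vt_hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    vt_total = sum(stats.values())
    malicious = bool(overall.get("malicious")) or vt_hits >= min_vt_hits
    return {
        "url": url,
        "verdict": "MALICIOUS" if malicious else "clean",
        "urlscan_score": overall.get("score", 0),
        "urlscan_report": urlscan_result.get("task", {}).get("reportURL"),
        "vt_flagged": f"{vt_hits}/{vt_total}",
    }


if __name__ == "__main__":
    for u in extract_urls(SAMPLE_EMAIL_HTML):
        print(u, "->", vt_url_id(u))
    print(summarize(extract_urls(SAMPLE_EMAIL_HTML)[0], SAMPLE_URLSCAN_RESULT, SAMPLE_VT_URL_OBJECT))
```

The dedupe matters operationally: every distinct URL costs at least two API calls and one minute of wait, so the same lure link extracted from both the href and the visible text should be scanned once. The `min_vt_hits` threshold is where to tune noise; the template's own node posts whatever verdict it computes, and this function only shows one reasonable way to derive it.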

Customization Guide

- Adjust Schedule: Change the Schedule Trigger settings to set how often the mailbox is checked.
- Email Provider: Replace the Microsoft Outlook nodes with the nodes for your email provider to adapt the workflow to a different mail system.
- Slack Channel: Change the channelId in the "sends slack message" node to direct notifications to a different Slack channel.
- Batch Size: Raise the batchSize in the Split In Batches node to process several emails per iteration. Every URL in a batch triggers calls to both scanning services, so stay within the rate limits of the URLScan.io and VirusTotal API keys in use.
- Error Handling: Adjust the conditions in the "No error?" node to decide which scanning failures are reported and which are dropped.