Analyze Suspicious Email Contents with ChatGPT Vision
Automatically analyze suspicious email content and streamline incident response with this powerful n8n workflow. This automation connects your Gmail and Microsoft Outlook accounts to OpenAI's ChatGPT Vision, allowing you to visually inspect email content, create detailed Jira tickets, and attach relevant screenshots for your security or IT teams. When a suspicious email is manually triggered from either Gmail or Outlook, the workflow captures a screenshot of the email's HTML content, retrieves its headers, and then sends this visual and textual information to ChatGPT for an in-depth analysis of potential threats like phishing, malware, or spam. Based on ChatGPT's assessment, a new Jira ticket is automatically created, including all pertinent details and the email screenshot, ensuring that security incidents are logged and addressed promptly. This workflow is ideal for security analysts, IT administrators, and marketing teams who need to quickly identify and respond to malicious emails, significantly reducing manual investigation time and improving the efficiency of their incident management processes by centralizing suspicious email reporting and analysis.
Workflow JSON
{"meta": {"instanceId": "03e9d14e9196363fe7191ce21dc0bb17387a6e755dcc9acc4f5904752919dca8"}, "nodes": [{"id": "1bad6bfc-9ec9-48a5-b8f7-73c4de3d08cf", "name": "Gmail Trigger", "type": "n8n-nodes-base.gmailTrigger", "position": [1480, 160], "parameters": {"simple": false, "filters": {}, "options": {}, "pollTimes": {"item": [{"mode": "everyMinute"}]}}, "credentials": {"gmailOAuth2": {"id": "", "name": "[Your gmailOAuth2]"}}, "typeVersion": 1.2}, {"id": "9ac747a1-4fd8-46ba-b4c1-75fd17aab2ed", "name": "Microsoft Outlook Trigger", "type": "n8n-nodes-base.microsoftOutlookTrigger", "disabled": true, "position": [1480, 720], "parameters": {"fields": ["body", "toRecipients", "subject", "bodyPreview"], "output": "fields", "filters": {}, "options": {}, "pollTimes": {"item": [{"mode": "everyMinute"}]}}, "credentials": {"microsoftOutlookOAuth2Api": {"id": "", "name": "[Your microsoftOutlookOAuth2Api]"}}, "typeVersion": 1}, {"id": "5bf9b0e8-b84e-44a2-aad2-45dde3e4ab1b", "name": "Screenshot HTML", "type": "n8n-nodes-base.httpRequest", "position": [2520, 480], "parameters": {"url": "https://hcti.io/v1/image", "method": "POST", "options": {}, "sendBody": true, "sendQuery": true, "authentication": "genericCredentialType", "bodyParameters": {"parameters": [{"name": "html", "value": "={{ $json.htmlBody }}"}]}, "genericAuthType": "httpBasicAuth", "queryParameters": {"parameters": [{}]}}, "credentials": {"httpBasicAuth": {"id": "", "name": "[Your httpBasicAuth]"}}, "typeVersion": 4.2}, {"id": "fc770d1d-6c18-4d14-8344-1dc042464df6", "name": "Retrieve Screenshot", "type": "n8n-nodes-base.httpRequest", "position": [2700, 480], "parameters": {"url": "={{ $json.url }}", "options": {}, "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth"}, "credentials": {"httpBasicAuth": {"id": "", "name": "[Your httpBasicAuth]"}}, "typeVersion": 4.2}, {"id": "2f3e5cc0-24e8-450a-898b-71e2d6f7bb58", "name": "Set Outlook Variables", "type": "n8n-nodes-base.set", "position": [2020, 720], "parameters": {"options": {}, "assignments": {"assignments": [{"id": "38bd3db2-1a8d-4c40-a2dd-336e0cc84224", "name": "htmlBody", "type": "string", "value": "={{ $('Microsoft Outlook Trigger').item.json.body.content }}"}, {"id": "13bdd95b-ef02-486e-b38b-d14bd05a4a8a", "name": "headers", "type": "string", "value": "={{ $json}}"}, {"id": "20566ad4-7eb7-42b1-8a0d-f8b759610f10", "name": "subject", "type": "string", "value": "={{ $('Microsoft Outlook Trigger').item.json.subject }}"}, {"id": "7171998f-a5a2-4e23-946a-9c1ad75710e7", "name": "recipient", "type": "string", "value": "={{ $('Microsoft Outlook Trigger').item.json.toRecipients[0].emailAddress.address }}"}, {"id": "cc262634-2470-4524-8319-abe2518a6335", "name": "textBody", "type": "string", "value": "={{ $('Retrieve Headers of Email').item.json.body.content }}"}]}}, "typeVersion": 3.4}, {"id": "374e5b16-a666-4706-9fd2-762b2927012d", "name": "Set Gmail Variables", "type": "n8n-nodes-base.set", "position": [2040, 160], "parameters": {"options": {}, "assignments": {"assignments": [{"id": "38bd3db2-1a8d-4c40-a2dd-336e0cc84224", "name": "htmlBody", "type": "string", "value": "={{ $json.html }}"}, {"id": "18fbcf78-6d3c-4036-b3a2-fb5adf22176a", "name": "headers", "type": "string", "value": "={{ $json.headers }}"}, {"id": "1d690098-be2a-4604-baf8-62f314930929", "name": "subject", "type": "string", "value": "={{ $json.subject }}"}, {"id": "8009f00a-547f-4eb1-b52d-2e7305248885", "name": "recipient", "type": "string", "value": "={{ $json.to.text }}"}, {"id": "1932e97d-b03b-4964-b8bc-8262aaaa1f7a", "name": "textBody", "type": "string", "value": "={{ $json.text }}"}]}}, "typeVersion": 3.4}, {"id": "3166738e-d0a3-475b-8b19-51afd519ee3a", "name": "Retrieve Headers of Email", "type": "n8n-nodes-base.httpRequest", "position": [1680, 720], "parameters": {"url": "=https://graph.microsoft.com/v1.0/me/messages/{{ $json.id }}?$select=internetMessageHeaders,body", "options": {}, "sendHeaders": true, "authentication": "predefinedCredentialType", "headerParameters": {"parameters": [{"name": "Accept", "value": "application/json"}, {"name": "Prefer", "value": "outlook.body-content-type=\"text\""}]}, "nodeCredentialType": "microsoftOutlookOAuth2Api"}, "credentials": {"microsoftOutlookOAuth2Api": {"id": "", "name": "[Your microsoftOutlookOAuth2Api]"}}, "typeVersion": 4.2}, {"id": "25ae222c-088f-4565-98d6-803c8c1b0826", "name": "Format Headers", "type": "n8n-nodes-base.code", "position": [1860, 720], "parameters": {"jsCode": "const input = $('Retrieve Headers of Email').item.json.internetMessageHeaders;\n\nconst result = input.reduce((acc, { name, value }) => {\n if (!acc[name]) acc[name] = [];\n acc[name].push(value);\n return acc;\n}, {});\n\nreturn result;"}, "typeVersion": 2}, {"id": "8f14f267-1074-43ea-968d-26a6ab36fd7b", "name": "Set Email Variables", "type": "n8n-nodes-base.set", "position": [2360, 480], "parameters": {"options": {}, "includeOtherFields": true}, "typeVersion": 3.4}, {"id": "45d156aa-91f4-483c-91d4-c9de4a4f595d", "name": "ChatGPT Analysis", "type": "@n8n/n8n-nodes-langchain.openAi", "position": [3100, 480], "parameters": {"text": "=Describe this image. Determine if the email could be a phishing email. The message headers are as follows:\n{{ $('Set Email Variables').item.json.headers }}\n\nFormat the response for Jira who uses a wiki-style renderer. Do not include ``` around your response.", "modelId": {"__rl": true, "mode": "list", "value": "chatgpt-4o-latest", "cachedResultName": "CHATGPT-4O-LATEST"}, "options": {"maxTokens": 1500}, "resource": "image", "inputType": "base64", "operation": "analyze"}, "credentials": {"openAiApi": {"id": "", "name": "[Your openAiApi]"}}, "typeVersion": 1.6}, {"id": "62ca591b-6627-496c-96a7-95cb0081480d", "name": "Create Jira Ticket", "type": "n8n-nodes-base.jira", "position": [3500, 480], "parameters": {"project": {"__rl": true, "mode": "list", "value": "10001", "cachedResultName": "Support"}, "summary": "=Phishing Email Reported: \"{{ $('Set Email Variables').item.json.subject }}\"", "issueType": {"__rl": true, "mode": "list", "value": "10008", "cachedResultName": "Task"}, "additionalFields": {"description": "=A phishing email was reported by {{ $('Set Email Variables').item.json.recipient }} with the subject line \"{{ $('Set Email Variables').item.json.subject }}\" and body:\n{{ $('Set Email Variables').item.json.textBody }}\n\\\\\n\\\\\n\\\\\nh2. Here is ChatGPT's analysis of the email:\n{{ $json.content }}"}}, "credentials": {"jiraSoftwareCloudApi": {"id": "", "name": "[Your jiraSoftwareCloudApi]"}}, "typeVersion": 1}, {"id": "071380c8-8070-4f8f-86c6-87c4ee3bc261", "name": "Rename Screenshot", "type": "n8n-nodes-base.code", "position": [3680, 480], "parameters": {"mode": "runOnceForEachItem", "jsCode": "$('Retrieve Screenshot').item.binary.data.fileName = 'emailScreenshot.png'\n\nreturn $('Retrieve Screenshot').item;"}, "typeVersion": 2}, {"id": "05c57490-c1ee-48f0-9e38-244c9a995e22", "name": "Upload Screenshot of Email to Jira", "type": "n8n-nodes-base.jira", "position": [3860, 480], "parameters": {"issueKey": "={{ $('Create Jira Ticket').item.json.key }}", "resource": "issueAttachment"}, "credentials": {"jiraSoftwareCloudApi": {"id": "", "name": "[Your jiraSoftwareCloudApi]"}}, "typeVersion": 1}, {"id": "be02770d-a943-41f5-98a9-5c433a6a3dbf", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [1420, -107.36679523834897], "parameters": {"color": 7, "width": 792.3026315789474, "height": 426.314163659402, "content": "\n## Gmail Integration and Data Extraction\n\nThis section of the workflow connects to a Gmail account using the **Gmail Trigger** node, capturing incoming emails in real-time, with checks performed every minute. Once an email is detected, its key components\u2014such as the subject, recipient, body, and headers\u2014are extracted and assigned to variables using the **Set Gmail Variables** node. These variables are structured for subsequent analysis and processing in later steps."}, "typeVersion": 1}, {"id": "c1d2f691-669a-46de-9ef8-59ce4e6980c5", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [1420, 380.6918768014301], "parameters": {"color": 7, "width": 792.3026315789474, "height": 532.3344389880435, "content": "\n## Microsoft Outlook Integration and Email Header Processing\n\nThis section connects to a Microsoft Outlook account to monitor incoming emails using the **Microsoft Outlook Trigger** node, which checks for new messages every minute. Emails are then processed to retrieve detailed headers and body content via the **Retrieve Headers of Email** node. The headers are structured into a user-friendly format using the **Format Headers** code node, ensuring clarity for further analysis. Key details, including the email's subject, recipient, and body content, are assigned to variables with the **Set Outlook Variables** node for streamlined integration into subsequent workflow steps."}, "typeVersion": 1}, {"id": "c189e2e0-9f51-4bc0-a483-8b7f0528be70", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [2287.3684210526317, 46.18421052631584], "parameters": {"color": 7, "width": 580.4605263157906, "height": 615.460526315789, "content": "\n## HTML Screenshot Generation and Email Visualization\n\nThis section processes an email\u2019s HTML content to create a visual representation, useful for documentation or phishing detection workflows. The **Set Email Variables** node organizes the email's HTML body into a format ready for processing. The **Screenshot HTML** node sends this HTML content to the **hcti.io** API, which generates a screenshot of the email's layout. The **Retrieve Screenshot** node then fetches the image URL for further use in the workflow. This setup ensures that the email's appearance is preserved in a visually accessible format, simplifying review and reporting. Keep in mind however that this exposes the email content to a third party. If you self host n8n, you can deploy a cli tool to rasterize locally instead."}, "typeVersion": 1}, {"id": "9076f9e9-f4fb-409a-9580-1ae459094c31", "name": "Sticky Note3", "type": "n8n-nodes-base.stickyNote", "position": [2880, 123.72476075009968], "parameters": {"color": 7, "width": 507.82894736842223, "height": 537.9199760920052, "content": "\n## AI-Powered Email Analysis with ChatGPT\n\nThis section leverages AI to analyze email content and headers for phishing indicators. The **ChatGPT Analysis** node utilizes the ChatGPT-4 model to review the email screenshot and associated metadata, including message headers. It generates a detailed report indicating whether the email might be a phishing attempt. The output is formatted specifically for Jira\u2019s wiki-style renderer, making it ready for seamless integration into ticketing workflows. This ensures thorough and automated email threat assessments."}, "typeVersion": 1}, {"id": "ca2488af-e787-4675-802a-8b4f2d845376", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [3400, 122.88662032580646], "parameters": {"color": 7, "width": 692.434210526317, "height": 529.5475902005091, "content": "\n## Automated Jira Ticket Creation for Phishing Reports\n\nThis section streamlines the process of reporting phishing emails by automatically creating detailed Jira tickets. The **Create Jira Ticket** node compiles email information, including the subject, recipient, body text, and ChatGPT's phishing analysis, into a structured ticket. The **Rename Screenshot** node ensures that the email screenshot file is appropriately labeled for attachment. Finally, the **Upload Screenshot of Email to Jira** node attaches the email\u2019s visual representation to the ticket, providing additional context for the security team. This integration ensures that phishing reports are logged with all necessary details, enabling efficient tracking and resolution."}, "typeVersion": 1}], "pinData": {}, "connections": {"Gmail Trigger": {"main": [[{"node": "Set Gmail Variables", "type": "main", "index": 0}]]}, "Format Headers": {"main": [[{"node": "Set Outlook Variables", "type": "main", "index": 0}]]}, "Screenshot HTML": {"main": [[{"node": "Retrieve Screenshot", "type": "main", "index": 0}]]}, "ChatGPT Analysis": {"main": [[{"node": "Create Jira Ticket", "type": "main", "index": 0}]]}, "Rename Screenshot": {"main": [[{"node": "Upload Screenshot of Email to Jira", "type": "main", "index": 0}]]}, "Create Jira Ticket": {"main": [[{"node": "Rename Screenshot", "type": "main", "index": 0}]]}, "Retrieve Screenshot": {"main": [[{"node": "ChatGPT Analysis", "type": "main", "index": 0}]]}, "Set Email Variables": {"main": [[{"node": "Screenshot HTML", "type": "main", "index": 0}]]}, "Set Gmail Variables": {"main": [[{"node": "Set Email Variables", "type": "main", "index": 0}]]}, "Set Outlook Variables": {"main": [[{"node": "Set Email Variables", "type": "main", "index": 0}]]}, "Microsoft Outlook Trigger": {"main": [[{"node": "Retrieve Headers of Email", "type": "main", "index": 0}]]}, "Retrieve Headers of Email": {"main": [[{"node": "Format Headers", "type": "main", "index": 0}]]}}}How to Import This Workflow
- 1Copy the workflow JSON above using the Copy Workflow JSON button.
- 2Open your n8n instance and go to Workflows.
- 3Click Import from JSON and paste the copied workflow.
Don't have an n8n instance? Start your free trial at n8nautomation.cloud
Related Templates
Summarize emails with A.I. then send to messenger
Automatically summarize incoming emails using artificial intelligence and then instantly share those summaries to your preferred messenger application with this efficient n8n workflow. This automation connects your IMAP email account to an AI summarization service via an HTTP Request, extracting key information from your messages. The summarized content is then sent to a messenger platform, also through an HTTP Request, ensuring important updates reach your team or personal devices without delay. Businesses can leverage this to quickly disseminate critical client communications, project updates, or urgent alerts from various email accounts directly to team chat channels, saving valuable time spent sifting through lengthy emails. This workflow significantly reduces manual effort in information processing and dissemination, allowing for faster decision-making and improved communication efficiency across your organization.
Send specific PDF attachments from Gmail to Google Drive using OpenAI
Automatically extract and categorize specific PDF attachments from incoming Gmail emails and upload them to designated Google Drive folders based on their content, leveraging OpenAI's advanced text analysis capabilities. This marketing workflow begins with the Gmail trigger "On email received," which then checks if the email "Has attachments?" If attachments are present, the workflow iterates through them, identifying if each is a PDF. For each identified PDF, the "Read PDF" node extracts its textual content. This content is then evaluated by the "Is text within token limit?" node to ensure it's suitable for OpenAI processing. If within limits, the "OpenAI matches PDF textual content" node analyzes the text against predefined criteria. Based on whether the PDF is "matched" by OpenAI, the "Upload file to folder" node in Google Drive stores the relevant PDFs, while unmatched or non-PDF attachments are handled accordingly. This workflow is ideal for marketing teams needing to automatically sort client contracts, campaign reports, or specific vendor invoices received via email, ensuring critical documents are filed correctly without manual intervention. It significantly reduces the time spent on document organization and improves data accessibility, allowing teams to focus on strategic marketing initiatives rather than administrative tasks.
Effortless Email Management with AI
Automate your email management by intelligently processing incoming messages, summarizing their content, and drafting personalized replies with AI. This powerful workflow connects your Gmail inbox via an IMAP trigger to a Text Classifier that categorizes emails, then uses OpenAI for summarization and drafting responses, and Qdrant for vector storage of relevant documents from Google Drive. It’s ideal for marketing teams, customer support, or busy professionals who need to efficiently handle high volumes of correspondence, saving significant time on reading, understanding, and responding to emails by leveraging AI to streamline communication and ensure timely, relevant replies. The system also allows for reviewing AI-generated drafts before sending, ensuring quality control while drastically reducing manual effort.