[Project - Automated Email Protection Workflow - n8n]
Workflow Diagram
This visual workflow, created using the **n8n automation platform**, establishes a **layered defense system** for incoming emails. It automatically processes emails and runs three parallel checks to classify them as malicious, phishing, or containing a malicious attachment before isolating them from the user's inbox.
Layer 1: Malicious URL Detection
This branch integrates with the **URLhaus Database** to check for URLs that are already known to be malicious.
- **Action:** Queries the database for URLs found in the email body.
- **Response:** If a match is found, the email is automatically tagged with the **"Malicious"** label.
- **Quarantine:** The email is **removed from the Inbox** view, effectively isolating the threat.
Layer 2: Phishing URL Analysis
URLs extracted from the email are fed into the **PhishTank Database** for comparison against known phishing campaigns.
- **Action:** A dedicated step is used to **Extract URLs from Email** before querying PhishTank.
- **Response:** If identified as phishing, the thread receives the **"Phishing"** label.
- **Quarantine:** Like the malicious URL path, the email is **removed from the Inbox** view, isolating the threat.
Layer 3: Malicious Attachment Scanning (Secure & Local)
This robust final check processes files using an internal security tool, prioritizing data privacy.
- **Secure Approach:** The entire attachment scanning process is performed **locally** by sending the file to a private **ClamAV** instance running on the internal network (`http://10.0.0.74`).
- **Privacy Focus:** This local scanning method is critical because using public cloud services (like VirusTotal, Hybrid Analysis, or similar sandboxes) to scan attachments **exposes those files publicly**, which is highly unsafe for sensitive or proprietary data.
- **Scanning:** The n8n workflow sends the file via **HTTP API** to the local **ClamAV** engine.
- **Detection:** If the scan result confirms a threat, the email is labeled **"Malicious Attachment"** and removed from the inbox.
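
The URL-extraction and labelling logic behind the three layers, as an added JavaScript example (the language of n8n Code nodes) and not the project's own workflow. `extractUrls`, `triage` and the `verdicts` object are hypothetical names, the email and lookup results are constructed, and the live URLhaus, PhishTank and ClamAV calls are replaced by in-memory sets.

```javascript
// Added example: hypothetical names, constructed data, no network calls.

// Trim sentence punctuation that a regex match drags along with the URL.
function trimTrailing(url) {
  let u = url;
  while (/[.,;:!?)\]]$/.test(u)) {
    if (u.endsWith(')') && u.includes('(')) break; // keep balanced parens
    u = u.slice(0, -1);
  }
  return u;
}

// Extract http(s) URLs from a text or HTML body, normalised and de-duplicated.
function extractUrls(body) {
  const found = new Set();
  const text = body.replace(/&amp;/gi, '&'); // href values are entity-encoded
  for (const raw of text.match(/https?:\/\/[^\s"'<>]+/gi) || []) {
    try {
      const u = new URL(trimTrailing(raw)); // lowercases scheme and host
      u.hash = '';                          // fragment is never sent to a server
      found.add(u.href);
    } catch (_) { /* unparseable match: skip it */ }
  }
  return [...found];
}

// Combine the three layers. `verdicts` stands in for the URLhaus, PhishTank
// and ClamAV results the workflow would collect over HTTP.
function triage(email, verdicts) {
  const urls = extractUrls(email.body);
  const labels = [];
  if (urls.some((u) => verdicts.urlhaus.has(u))) labels.push('Malicious');
  if (urls.some((u) => verdicts.phishtank.has(u))) labels.push('Phishing');
  if (email.attachments.some((a) => verdicts.infectedFiles.has(a.name))) {
    labels.push('Malicious Attachment');
  }
  return { urls, labels, removeFromInbox: labels.length > 0 };
}

// Constructed sample input (reserved .example domains).
const sampleEmail = {
  body: 'Invoice: HTTP://Files.Bad.example/inv.exe. Or <a href="http://login.bad.example/?u=1&amp;r=2">sign in</a> (see http://ok.example/help).',
  attachments: [{ name: 'invoice.docm' }],
};
const sampleVerdicts = {
  urlhaus: new Set(['http://files.bad.example/inv.exe']),
  phishtank: new Set(['http://login.bad.example/?u=1&r=2']),
  infectedFiles: new Set(),
};
console.log(triage(sampleEmail, sampleVerdicts));
```

Feed entries must be normalised the same way as the extracted URLs, otherwise a difference in host case or a trailing full stop turns a known-bad link into a miss.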
This project highlights practical expertise in **Security Automation**, **API integration with Threat Intelligence feeds**, and the implementation of a **proactive, multi-layered defense strategy** against common email vectors using a self-hosted automation platform like **n8n**, all while maintaining strict **data privacy** by keeping sensitive file scanning off public cloud services.