n8n

How to Automate IMAP Slack Incident Response?

Collect user reported phishing emails from a dedicated inbox, scan the .eml file with a threat engine, and post clear results to Slack. Security teams get faster triage and a simple view of matched rules so they can act quickly.

The flow starts with an IMAP email trigger that reads new messages and checks if an .eml attachment exists. If the file is present and the type is correct, the file is converted to a base64 string. That string is sent to Sublime Security for analysis using an HTTP request. A code step splits the returned rules into matched and unmatched lists. A message is then built with counts and rule names and sent to a Slack channel. If no attachment is found, a different Slack message alerts the team to review the report.

You will need access to an IMAP mailbox that receives reported phishing emails, a Sublime Security API token, and Slack access to post to a channel. After setup, most emails move from inbox to Slack in minutes with very little manual work. This is useful for SecOps teams that want fast, consistent phishing triage with minimal handling.
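The Code step described above, as an added example rather than the template's own node code: it splits a Sublime Security analysis response into matched and unmatched rule names and builds the Slack summary text. The response field names (rule_results, rule.name, matched) are assumptions, not taken from this page, so confirm them against a real response before wiring it in.

```javascript
// Added example, not the template's own Code node. Splits a Sublime Security
// analyze response into matched/unmatched rule names and builds the Slack text.
// ASSUMPTION: the response carries `rule_results`, each with `rule.name` and a
// boolean `matched`; check the field names against a real response before use.

function splitRules(analysis) {
  const results = analysis && Array.isArray(analysis.rule_results)
    ? analysis.rule_results
    : [];
  const matched = [];
  const unmatched = [];
  for (const r of results) {
    const name = (r.rule && r.rule.name) || 'unnamed rule';
    // Only an explicit true counts as a hit; a missing or null flag is treated as no match.
    (r.matched === true ? matched : unmatched).push(name);
  }
  return { matched, unmatched };
}

function buildSlackMessage(split, subject) {
  const lines = [
    `*Phishing report triage* for: ${subject || '(no subject)'}`,
    `Matched rules: ${split.matched.length}  |  Unmatched rules: ${split.unmatched.length}`,
  ];
  if (split.matched.length > 0) {
    lines.push('Matched:');
    for (const name of split.matched) lines.push(`  • ${name}`);
  } else {
    lines.push('No detection rules matched; review the report manually before closing.');
  }
  return lines.join('\n');
}

// Constructed sample response for offline testing (not real Sublime output).
const SAMPLE_ANALYSIS = {
  rule_results: [
    { rule: { name: 'Credential phishing: link to suspicious login page' }, matched: true },
    { rule: { name: 'Attachment: macro-enabled Office document' }, matched: false },
    { rule: { name: 'Brand impersonation in display name' }, matched: true },
    { rule: { name: 'Rule without a matched flag' } },
  ],
};

// Inside an n8n Code node ("Run Once for All Items") the last lines would read:
//   const analysis = $input.first().json;
//   return [{ json: { text: buildSlackMessage(splitRules(analysis), 'reported email') } }];
console.log(buildSlackMessage(splitRules(SAMPLE_ANALYSIS), 'Your invoice is ready'));
```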

What are the key features?

  • IMAP trigger ingests new emails and pulls .eml attachments from a phishing inbox
  • IF check verifies that the attachment exists and has the message/rfc822 MIME type
  • Binary to JSON step converts the .eml file to a base64 string for safe transport
  • HTTP request sends the raw_message to Sublime Security with active detection rules
  • Code step separates matched and unmatched rules for clear reporting
  • Message formatting builds a readable Slack summary with counts and rule names
  • Slack alert posts results to a chosen channel for fast team action
  • Fallback Slack notice tells the team when a report lacks an attachment
  • Manual trigger lets you test the analysis path without waiting for a new email

What are the benefits?

  • Reduce phishing triage time from 20 minutes to under 2 minutes per email
  • Automate up to 80 percent of repetitive review work for reported emails
  • Cut false alerts from empty reports by checking for valid .eml files
  • Handle up to 5 times more reports with the same team size
  • Connect IMAP, Sublime Security and Slack in one clear workflow

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with IMAP Email, Slack and Sublime Security. See the Tools Required section below for the services you need accounts with.
  3. In the n8n credentials manager, create an IMAP Email credential. Enter your IMAP host, port, username and password. Enable SSL or TLS as required by your mail provider and select the mailbox that stores reported phishing emails.
  4. Open the Email Trigger node and select the IMAP credential. Confirm the inbox or folder is correct and that attachments are available to the node.
  5. In the credentials manager, create a new HTTP Header Auth credential for Sublime Security. Generate a bearer token in your Sublime Security account, then add an Authorization header with value Bearer YOUR_TOKEN.
  6. Open the HTTP Request node and choose the Sublime Security credential. Confirm the URL is https://api.platform.sublimesecurity.com/v0/messages/analyze and the body uses the raw_message field from the data property.
  7. Create a Slack credential in n8n. Double click each Slack node, pick the Slack credential, and select the channel where alerts should be posted.
  8. Review the IF node conditions. It should check that attachment_0 exists and that the MIME type equals message/rfc822 to capture real .eml files.
  9. Click Execute Workflow to test. Send a sample phishing report with an .eml attachment to the IMAP inbox and verify that a Slack message appears with matched and unmatched rule counts.
  10. If you see the missing attachment alert, confirm the email includes a true .eml file and that it is arriving as attachment_0. Check MIME type and mailbox routing rules.
  11. When testing looks good, activate the workflow in n8n so it runs continuously from the IMAP trigger.

Tools Required

$24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.

IMAP Email

Slack

Free plan: $0 / mo; limited to 10 apps (third-party or custom) and usable via Slack API

Sublime Security

Free tier: $0, EML Analyzer API (unauthenticated; no API key)
