Keep your team safe by checking suspicious links in unread Outlook emails and sending clear alerts to Slack. Security and IT teams can use it to spot phishing faster, cut manual checks, and keep the inbox clean by marking messages as read after processing.

The flow starts on a schedule or by manual run. New unread emails are pulled from Outlook and marked as read. Messages are handled one by one using a batch loop. A small code step scans the email body for URLs. If a URL exists, it is sent to two scanners, urlscan.io and VirusTotal. The workflow waits briefly so reports can finish, then pulls the results and merges them. A filter keeps only complete results. A Slack message posts the subject, sender, date, and links to both reports so your team has facts in seconds.

Setup is simple with Outlook, Slack, VirusTotal, and urlscan.io accounts. Pick your Slack channel, set the schedule, and tune the wait time if you need more time for scans. Expect faster triage, fewer missed alerts, and more consistent checks. It fits service desks, security analysts, and managed service providers that need quick phishing decisions.

• Manual and scheduled starts to match business hours or run nonstop
• Pulls unread emails from Microsoft Outlook and marks them as read after capture
• Processes messages one at a time using Split In Batches for stable throughput
• Extracts URLs from email bodies with a code step that finds indicators of compromise
• Checks URLs with urlscan.io and waits before fetching the final report
• Submits the same URL to VirusTotal and retrieves the analysis report
• Merges urlscan.io and VirusTotal outputs into one combined result
• Filters out empty payloads to avoid noisy or partial Slack alerts
• Sends Slack messages that include subject, sender, date, and report links

• Reduce manual review from 60 minutes to 5 minutes per day by auto scanning links
• Automate over 90 percent of phishing triage for unread inbox items
• Improve decision accuracy with two independent scan sources
• Handle up to 5 times more suspicious emails with batch processing
• Connect Outlook and Slack so alerts reach the right channel fast
• Cut false alerts by filtering out incomplete or empty scan results

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with Microsoft Outlook, Slack, VirusTotal and urlscan.io. See the Tools Required section above for links to create accounts with these services.
3. Open the Get all unread messages node. In the Credential to connect with field, click Create new credential and follow the on screen steps to connect your Microsoft Outlook account. Choose the mailbox and folder you want to monitor.
4. Open the Mark as read node and confirm operation is Update and isRead is set to True so each email is processed once.
5. Open the Slack message node. In Credentials, click Create new credential and connect your Slack workspace with a Bot Token. Set the Channel to your security channel.
6. Open the urlscan.io nodes. In each, choose Create new credential and paste your urlscan.io API key from your account dashboard.
7. Open the VirusTotal nodes. Create a new VirusTotal API credential and paste your API key from the VirusTotal account settings.
8. Check the Split In Batches node and keep batch size at 1 for steady processing. Increase only if your rate limits allow it.
9. Open the Wait 1 Minute node and adjust the delay if your urlscan.io reports need more time to complete.
10. Configure the Schedule Trigger to the frequency you need, such as every 5 minutes during work hours.
11. Run a test: send an email with a test URL to the monitored mailbox. Click Execute Workflow. Confirm a Slack message appears with the subject, sender, and links to both reports.
12. If no alert is posted, check the Not empty filter and review execution data. Verify all credentials are valid and confirm API rate limits for urlscan.io and VirusTotal. If the code step fails to load dependencies, run again or replace with a simple URL regex as a fallback.