FREE TEMPLATE
Automate IMAP Slack Incident Response
1
Views
0
Downloads
13
Nodes
Utility Rating
6 / 10
Business Function
IT
Automation Orchestrator
n8n
Integrations
Sublime Security
Slack
IMAP Email
Trigger Type
Manual trigger
On app event
Approx setup time ≈ 45 min
How to Automate IMAP Slack Incident Response?

Leon Petrou

Description

Collect user-reported phishing emails from a dedicated inbox, scan the attached .eml file with Sublime Security's detection engine, and post clear results to Slack. Security teams get faster triage and a simple view of which rules matched, so they can act quickly.

The flow starts with an IMAP email trigger that reads new messages and checks whether an .eml attachment exists. If the file is present and its MIME type is message/rfc822, the file is converted to a base64 string. That string is sent to Sublime Security for analysis in an HTTP request. A Code step splits the returned rule results into matched and unmatched lists. A message is then built with counts and rule names and sent to a Slack channel. If no attachment is found, a different Slack message alerts the team to review the report by hand.

You will need access to an IMAP mailbox that receives reported phishing emails, a Sublime Security API token, and a Slack credential that can post to a channel. After setup, most reports move from inbox to Slack in minutes with very little manual work. Keep in mind that the reported .eml is attacker-controlled content: the workflow only base64-encodes it and forwards it for analysis, and it should stay that way; avoid adding steps that parse or render the attachment inside n8n. This is useful for SecOps teams that want fast, consistent phishing triage with minimal handling.

Tools Required

  • Sublime Security: free tier ($0) with the EML Analyzer API, which is unauthenticated and needs no API key. Note that the setup steps below call the platform API at api.platform.sublimesecurity.com with a bearer token, so you will need to generate a token in your Sublime Security account for that endpoint.
  • Slack: free plan ($0 / mo), limited to 10 apps (third-party or custom), usable via the Slack API.
  • n8n: $24 / mo, or $20 / mo billed annually, for n8n cloud. The local or self-hosted n8n Community Edition is free.
  • IMAP Email: any mailbox reachable over IMAP that receives the user-reported phishing emails (the dedicated reporting inbox).

What this workflow does

  • IMAP trigger ingests new emails from the phishing inbox and pulls their attachments
  • IF check verifies that attachment_0 exists and has the message/rfc822 MIME type (a real .eml, not just a file named .eml)
  • Binary to JSON step converts the .eml file to a base64 string so the raw bytes can travel inside a JSON body
  • HTTP request sends the base64 string as raw_message to Sublime Security, which evaluates it against your active detection rules
  • Code step separates matched and unmatched rules for clear reporting
  • Message formatting builds a readable Slack summary with counts and rule names
  • Slack alert posts the results to a chosen channel for fast team action
  • Fallback Slack notice tells the team when a report lacks a usable attachment
  • Manual trigger lets you test the analysis path without waiting for a new email

What are the benefits?

  • Reduce phishing triage time from 20 minutes to under 2 minutes per email
  • Automate up to 80 percent of repetitive review work for reported emails
  • Cut false alerts from empty reports by checking for valid .eml files
  • Handle up to 5 times more reports with the same team size
  • Connect IMAP, Sublime Security and Slack in one clear workflow

How to set this up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with IMAP Email, Slack and Sublime Security. See the Tools Required section above for links to create accounts with these services.
  3. In the n8n credentials manager, create an IMAP Email credential. Enter your IMAP host, port, username and password, and enable SSL or TLS as required by your mail provider. Use a dedicated account for the phishing-report mailbox rather than a personal one, and an app-specific password where the provider offers it, so the credential stored in n8n grants access to that mailbox only.
  4. Open the Email Trigger node and select the IMAP credential. Confirm the inbox or folder is correct and that the node is set to download attachments, so they are available to the following nodes.
  5. In the credentials manager, create a new HTTP Header Auth credential for Sublime Security. Generate a bearer token in your Sublime Security account, then set the header name to Authorization and the value to Bearer YOUR_TOKEN. Keep the token in the credential only; do not paste it into the HTTP Request node or an expression, where it would be saved in the exported workflow JSON.
  6. Open the HTTP Request node and choose the Sublime Security credential. Confirm the URL is https://api.platform.sublimesecurity.com/v0/messages/analyze and the body uses the raw_message field from the data property.
  7. Create a Slack credential in n8n. Open each Slack node, pick the Slack credential, and select the channel where alerts should be posted. Sender and subject fields come from the reported email, so if you include them in the message, escape &, < and > first: Slack interprets sequences such as <!channel> in message text, and an unescaped subject line could page the whole channel.
  8. Review the IF node conditions. It should check that attachment_0 exists and that its MIME type equals message/rfc822. Check the MIME type rather than the file name: a .eml extension on a text/plain or application/zip attachment should take the fallback branch.
  9. Click Execute Workflow to test. Send a sample phishing report with an .eml attachment to the IMAP inbox and verify that a Slack message appears with matched and unmatched rule counts.
  10. If you see the missing attachment alert, confirm the email includes a true .eml file and that it is arriving as attachment_0. Check the MIME type and any mailbox routing rules.
  11. When testing looks good, activate the workflow in n8n so it runs continuously from the IMAP trigger. Make sure processed messages are marked read or moved to another folder so the same report is not analyzed and posted more than once.
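The decision logic behind steps 6 through 8 (the attachment check, the base64 request body, the matched/unmatched split and the Slack text), as an added example in plain Node.js; this is not code from the template or from Sublime Security. The analyze response shape (a rule_results array of entries with a boolean matched and a rule.name), the sample report and the sample response are assumptions constructed for the example, so adjust splitRules to the fields your Sublime account actually returns. The analyze callback stands in for the HTTP Request node.

```javascript
// Added example (not the template's code): the workflow's IF, Binary-to-JSON,
// Code and message-formatting steps as plain Node.js functions, run on a
// constructed sample. ASSUMPTION: the analyze response is an object whose
// rule_results array holds { rule: { name }, matched: boolean } entries.

const EML_MIME = 'message/rfc822';

// IF node: attachment_0 must exist and carry the message/rfc822 MIME type.
// The file name is ignored on purpose: "report.eml" with a text/plain or
// application/zip type must take the "review manually" branch.
function isEmlAttachment(binary) {
  const att = binary && binary.attachment_0;
  if (!att || typeof att.mimeType !== 'string') return false;
  const type = att.mimeType.split(';')[0].trim().toLowerCase();
  return type === EML_MIME;
}

// Binary-to-JSON + HTTP Request: the raw .eml bytes go into the JSON body as
// base64 under raw_message, the field the template posts.
function buildAnalyzeBody(emlBytes) {
  return { raw_message: Buffer.from(emlBytes).toString('base64') };
}

// Code step: split rule results into matched and unmatched rule names.
function splitRules(response) {
  const results = Array.isArray(response && response.rule_results) ? response.rule_results : [];
  const matched = [];
  const unmatched = [];
  for (const r of results) {
    const name = (r.rule && r.rule.name) || 'unnamed rule';
    (r.matched === true ? matched : unmatched).push(name);
  }
  return { matched, unmatched };
}

// Slack parses &, < and > in message text, so a reported subject line such as
// "<!channel> Invoice overdue" would page the whole channel. Escape every
// field that originates from the reported email and drop control characters.
function escapeSlack(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/[\u0000-\u001f\u007f]/g, ' ');
}

// Message-formatting step: counts plus matched rule names for the Slack node.
function formatSlackMessage(report, split) {
  const lines = [
    '*Phishing report analyzed*',
    `From: ${escapeSlack(report.from)}`,
    `Subject: ${escapeSlack(report.subject)}`,
    `Matched rules: ${split.matched.length}`,
    `Unmatched rules: ${split.unmatched.length}`,
  ];
  for (const name of split.matched) lines.push(`  • ${escapeSlack(name)}`);
  return lines.join('\n');
}

// Fallback branch: no usable .eml, ask a human to look at the report.
function missingAttachmentMessage(report) {
  return '*Phishing report needs manual review*: no .eml attachment ' +
    `(from ${escapeSlack(report.from)}, subject "${escapeSlack(report.subject)}")`;
}

// Whole path. `analyze` stands in for the HTTP Request node: it receives the
// request body and returns the parsed response.
function triageReport(binary, report, analyze) {
  if (!isEmlAttachment(binary)) {
    return { branch: 'missing_attachment', text: missingAttachmentMessage(report) };
  }
  const emlBytes = Buffer.from(binary.attachment_0.data, 'base64');
  const split = splitRules(analyze(buildAnalyzeBody(emlBytes)));
  return { branch: 'analyzed', split, text: formatSlackMessage(report, split) };
}

// Constructed sample input: a reported message as the IMAP node would present it
// (n8n stores binary data as base64) and a made-up analyze response.
const SAMPLE_BINARY = {
  attachment_0: {
    fileName: 'report.eml',
    mimeType: 'message/rfc822',
    data: Buffer.from('From: billing@example.net\r\nSubject: Invoice\r\n\r\nPay now').toString('base64'),
  },
};
const SAMPLE_REPORT = { from: 'alice@example.com', subject: '<!channel> Fwd: Invoice overdue' };
const SAMPLE_RESPONSE = {
  rule_results: [
    { rule: { name: 'Credential phishing: lookalike sender domain' }, matched: true },
    { rule: { name: 'Attachment: password-protected archive' }, matched: false },
    { rule: { name: 'Brand impersonation: invoice lure' }, matched: true },
  ],
};

const SAMPLE_RESULT = triageReport(SAMPLE_BINARY, SAMPLE_REPORT, () => SAMPLE_RESPONSE);
console.log(SAMPLE_RESULT.text);
```

Running the script prints the Slack text for the sample: two matched rules, one unmatched, and the subject rendered as `&lt;!channel&gt; Fwd: Invoice overdue`, which Slack displays literally instead of treating as a channel-wide mention. Swapping the sample attachment's mimeType for text/plain sends the same report down the fallback branch without ever calling analyze.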

Similar Templates

n8n · IT · Automate IMAP to Slack Email Security Alerts
Collect DMARC reports from an inbox, store the data in MySQL, and alert your team in Slack when DKIM or SPF fail. It helps IT and security teams track email authentication problems without manual downloads or copy and paste. Weekly review time drops while visibility goes up. New emails with ZIP attachments arrive through IMAP. Files are unzipped, XML is read, and the content is converted to JSON. The flow splits multiple records inside one report, renames keys for consistency, maps fields, and formats start and end dates so the database accepts them. All records go into a MySQL table, and a check flags failed results and sends a Slack message and an email alert. Use a postmaster mailbox that receives DMARC aggregate reports. Add MySQL and Slack credentials, and confirm the database has the needed columns for the mapped fields. Expect faster incident response, fewer manual steps, and a complete history of reports for trend analysis and audits.

These templates were sourced from publicly available materials across the web, including n8n's official website, YouTube and public GitHub repositories. We have consolidated and categorized them for easy search and filtering, and supplemented them with links to integrations, step-by-step setup instructions, and personalized support in the Futurise community. Content in this library is provided for education, evaluation and internal use. Users are responsible for checking and complying with the license terms with the author of the templates before commercial use or redistribution. Where an original author was identified, attribution has been provided. Some templates did not include author information. If you know who created this template, please let us know so we can add the appropriate credit and reference link. If you are the author and would like this template removed from the library, email us at info@futurise.com and we will remove it promptly.