This workflow follows the Emailreadimap → HTTP Request recipe pattern.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, and activate it.
{
"id": "84KL1bsi9OvbAapn",
"name": "Receive_and_analyze_emails_with_rules_in_Sublime_Security",
"tags": [
{
"id": "GCHVocImoXoEVnzP",
"name": "\ud83d\udee0\ufe0f In progress",
"createdAt": "2023-10-31T02:17:21.618Z",
"updatedAt": "2023-10-31T02:17:21.618Z"
},
{
"id": "QPJKatvLSxxtrE8U",
"name": "Secops",
"createdAt": "2023-10-31T02:15:11.396Z",
"updatedAt": "2023-10-31T02:15:11.396Z"
}
],
"nodes": [
{
"id": "b1ad1c9a-ba5d-46d6-9ce1-b3bb9346c766",
"name": "Email Trigger (IMAP)",
"type": "n8n-nodes-base.emailReadImap",
"position": [
720,
1120
],
"parameters": {
"format": "resolved",
"options": {}
},
"credentials": {
"imap": {
"name": "<your credential>"
}
},
"typeVersion": 2
},
{
"id": "e43b0257-0d83-4f7e-8824-3ca1d4cf6110",
"name": "Move Binary Data",
"type": "n8n-nodes-base.moveBinaryData",
"position": [
1240,
740
],
"parameters": {
"options": {
"encoding": "base64"
},
"sourceKey": "attachment_0",
"setAllData": false
},
"typeVersion": 1,
"alwaysOutputData": true
},
{
"id": "97359abc-7ca9-4599-9112-4416618d0c36",
"name": "IF email has attachment",
"type": "n8n-nodes-base.if",
"position": [
1020,
900
],
"parameters": {
"conditions": {
"string": [
{
"value1": "={{ $binary.attachment_0 }}",
"operation": "isNotEmpty"
},
{
"value1": "={{ $binary.attachment_0.mimeType }}",
"value2": "message/rfc822"
}
]
}
},
"typeVersion": 1
},
{
"id": "046f87e0-8759-4952-85be-78bf36a70994",
"name": "Split to matched and unmatched",
"type": "n8n-nodes-base.code",
"position": [
1760,
740
],
"parameters": {
"jsCode": "// Split the rule_results returned by Sublime Security into\n// rules that matched and rules that did not\nconst matched = []\nconst unmatched = []\n\nfor (const item of $input.first().json.rule_results) {\n if (item.matched) {\n matched.push(item)\n } else {\n unmatched.push(item)\n }\n}\n\nreturn {\n json: {\n matched,\n unmatched\n }\n}"
},
"typeVersion": 1
},
{
"id": "f88b852d-f2a4-4d78-aaef-40050c0efef8",
"name": "When clicking \"Execute Workflow\"",
"type": "n8n-nodes-base.manualTrigger",
"position": [
720,
920
],
"parameters": {},
"typeVersion": 1
},
{
"id": "ce7288d4-61ec-4222-a29e-8a72ed2ee32e",
"name": "Slack",
"type": "n8n-nodes-base.slack",
"position": [
2260,
740
],
"parameters": {
"text": "={{ $json.message }}",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "name",
"value": "#test-matti-tomi"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.1
},
{
"id": "70c76c01-50ef-47a4-b552-bc6fea5079ed",
"name": "Format the message",
"type": "n8n-nodes-base.set",
"position": [
2040,
740
],
"parameters": {
"values": {
"string": [
{
"name": "message",
"value": "=No. of rules that matched {{ $json[\"matched\"].length }} / {{ $json[\"matched\"].length + $json[\"unmatched\"].length }}\n\nMatched rules:\n{{ $json[\"matched\"].pluck(\"rule\").pluck(\"name\").join('\\n') }}\n"
}
]
},
"options": {},
"keepOnlySet": true
},
"typeVersion": 2
},
{
"id": "52af4700-0dc5-4f5f-8664-97d2aacdab76",
"name": "Notify about missing attachment",
"type": "n8n-nodes-base.slack",
"position": [
2260,
920
],
"parameters": {
"text": "No attachment found in an email\n",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "name",
"value": "#test-matti-tomi"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.1
},
{
"id": "19be16c9-3908-4a2d-87e4-f721c33dc124",
"name": "Analyze email with Sublime Security",
"type": "n8n-nodes-base.httpRequest",
"position": [
1500,
740
],
"parameters": {
"url": "https://api.platform.sublimesecurity.com/v0/messages/analyze",
"method": "POST",
"options": {},
"jsonBody": "={\n \"raw_message\": \"{{ $json.data }}\",\n \"run_active_detection_rules\": true,\n \"run_all_detection_rules\": false\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpHeaderAuth",
"headerParameters": {
"parameters": [
{
"name": "content-type",
"value": "application/json"
}
]
}
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 3
},
{
"id": "a39d52d6-26e0-485e-8d32-984e26f71f9b",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
240,
298.6458865911087
],
"parameters": {
"width": 618.0312276650722,
"height": 963.8594737915395,
"content": "\n# Workflow Overview\nLeverage n8n's IMAP node to `seamlessly ingest emails as .eml attachments`, streamlining your security protocols and response strategies. \n\nThis setup is crucial for organizations utilizing platforms like Outlook, which offers a specialized security feature that designates specific inboxes for phishing attempts. \n\nWhen a phishing email is flagged through Outlook's interface, the system is designed to convert it into an .eml file and direct it to a dedicated phishing inbox. This process not only centralizes your phishing threat management but also ensures that each potential threat is queued for immediate and thorough analysis. \n\nBy integrating with n8n, you can automate the capture of these emails, transforming user-reported incidents into actionable data without manual intervention, enhancing your cybersecurity response and preserving your workflow's integrity.\n\n## Ingest emails as attachments as .eml file. \nSet your phishing email inbox here via your imap credentials. You can also replace this with any other node that retrieves emails as .eml attachments. "
},
"typeVersion": 1
},
{
"id": "3cb757ce-2083-44de-8508-89039c6bca9d",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
1444,
361
],
"parameters": {
"width": 503.7209302325584,
"height": 710.138909846923,
"content": "\n## Analyze Attachment and format output\nIf an attachment is detected, n8n facilitates its secure transfer to Sublime Security for detailed analysis. This automated process not only speeds up the threat detection mechanism but also formats the output for compatibility with other systems, such as Slack, ensuring a smooth and efficient workflow. \n\nThrough this automation, you're not just analyzing emails; you're fortifying your defense against cyber threats and enhancing operational efficiency with minimal user involvement."
},
"typeVersion": 1
},
{
"id": "83756b95-a3a8-4145-9d10-fc7e3b2121f8",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
1980,
354.9999999999999
],
"parameters": {
"width": 476.0465116279074,
"height": 777.0757733319455,
"content": "\n## Prep output for Slack Report\nn8n completes the cycle of threat analysis and communication by preparing and delivering comprehensive reports directly to your Slack channels. \n\nThis ensures that all stakeholders are immediately informed about potential threats, fostering a culture of transparency and prompt action. \n\nIn instances where no attachment is found, n8n proactively dispatches a notification to Slack, signaling your team to investigate further. "
},
"typeVersion": 1
},
{
"id": "a443e91b-6b0b-4fb8-b9d5-6f1d236da053",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
880,
360.90897077923785
],
"parameters": {
"width": 541.1627906976748,
"height": 715.8304363872012,
"content": "\n## Check for attachments and send to sublime if any found \nUpon receiving an email via the IMAP node, n8n executes a meticulous inspection to detect the presence of attachments. This is more than a mere check; it's an essential layer of your security posture to identify and handle potentially malicious content proactively. \n\nIf an attachment is found, the binary file is converted to JSON for further analysis. "
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "25aa0ca5-6e3c-44ed-98f9-37f62a78ed76",
"connections": {
"Move Binary Data": {
"main": [
[
{
"node": "Analyze email with Sublime Security",
"type": "main",
"index": 0
}
]
]
},
"Format the message": {
"main": [
[
{
"node": "Slack",
"type": "main",
"index": 0
}
]
]
},
"Email Trigger (IMAP)": {
"main": [
[
{
"node": "IF email has attachment",
"type": "main",
"index": 0
}
]
]
},
"IF email has attachment": {
"main": [
[
{
"node": "Move Binary Data",
"type": "main",
"index": 0
}
],
[
{
"node": "Notify about missing attachment",
"type": "main",
"index": 0
}
]
]
},
"Split to matched and unmatched": {
"main": [
[
{
"node": "Format the message",
"type": "main",
"index": 0
}
]
]
},
"When clicking \"Execute Workflow\"": {
"main": [
[
{
"node": "Move Binary Data",
"type": "main",
"index": 0
}
]
]
},
"Analyze email with Sublime Security": {
"main": [
[
{
"node": "Split to matched and unmatched",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
httpHeaderAuth, imap, slackApi
How this works
This workflow streamlines email security by automatically receiving and analysing incoming messages against predefined rules in Sublime Security, helping security teams quickly identify potential threats without constant manual checks. It is ideal for organisations handling sensitive communications, such as finance or healthcare firms, that need to flag suspicious emails efficiently. The key step involves the Email Trigger (IMAP) node pulling new emails, followed by conditional checks and notifications via Slack to alert your team about matches or missing attachments.
Use this workflow when you want event-driven monitoring of emails for compliance or threat detection, especially if integrated with Sublime Security's rules engine. Avoid it for low-volume inboxes or scenarios requiring complex AI analysis, as it focuses on rule-based processing. Common variations include adding HTTP requests to fetch external threat intelligence or routing unmatched emails to a quarantine folder instead of Slack alerts.
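The same pipeline as plain Node.js, as an added example that is not part of the original workflow or of Sublime Security's code. It goes one step beyond the workflow by scanning every `attachment_N` key for the `message/rfc822` part instead of only `attachment_0`, and by handling a response that carries no `rule_results`. The function names, the `{ mimeType, bytes }` attachment shape and the sample data are assumptions; the request and response fields are the ones the workflow JSON reads.

```javascript
// Added example: plain Node.js, no n8n runtime. Function names and the
// { mimeType, bytes } attachment shape are assumptions made for illustration.

// Pick the first message/rfc822 attachment, whatever its attachment_N index.
function pickReportedEml(binary) {
  const keys = Object.keys(binary || {})
    .filter((k) => /^attachment_\d+$/.test(k))
    .sort((a, b) => Number(a.split('_')[1]) - Number(b.split('_')[1]));
  const key = keys.find((k) => binary[k] && binary[k].mimeType === 'message/rfc822');
  return key ? { key, bytes: binary[key].bytes } : null;
}

// Request body with the same three fields the HTTP Request node sends.
function buildAnalyzeBody(emlBytes) {
  return {
    raw_message: Buffer.from(emlBytes).toString('base64'),
    run_active_detection_rules: true,
    run_all_detection_rules: false,
  };
}

// Split rule_results and render the Slack text; flag a response without results
// instead of reporting "0 / 0", which would read as a clean verdict.
function summarize(response) {
  const results = Array.isArray(response && response.rule_results) ? response.rule_results : null;
  if (!results) return { ok: false, matched: [], unmatched: [], message: 'Analysis returned no rule_results' };
  const matched = results.filter((r) => r && r.matched === true);
  const unmatched = results.filter((r) => !(r && r.matched === true));
  const names = matched.map((r) => (r.rule && r.rule.name) || '(unnamed rule)');
  const message =
    `No. of rules that matched ${matched.length} / ${results.length}\n\nMatched rules:\n${names.join('\n')}\n`;
  return { ok: true, matched, unmatched, message };
}

// Constructed sample data (not real mail, not real API output).
const sampleBinary = {
  attachment_0: { mimeType: 'image/png', bytes: Buffer.from([0x89, 0x50]) },
  attachment_1: { mimeType: 'message/rfc822', bytes: Buffer.from('Subject: test\r\n\r\nhi\r\n') },
};
const sampleResponse = {
  rule_results: [
    { matched: true, rule: { name: 'Constructed rule A' } },
    { matched: false, rule: { name: 'Constructed rule B' } },
    { matched: true, rule: {} },
  ],
};

const picked = pickReportedEml(sampleBinary);
console.log(picked.key, summarize(sampleResponse).message);
```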
About this workflow
Receive_and_analyze_emails_with_rules_in_Sublime_Security. Uses emailReadImap, moveBinaryData, manualTrigger, slack. Event-driven trigger; 13 nodes.
Source: https://github.com/Zie619/n8n-workflows — original creator credit.