Scan URLs received by email
This document describes how to build a security automation workflow that extracts URLs from inbound emails and scans them to detect phishing or malicious links. Scanning the links as soon as the email arrives lets your playbook act immediately, for example by blocking the URL or quarantining the email, before a recipient clicks through.
Before you begin
You must have the following integrations installed and configured in your environment:
- Email Integration: Microsoft Graph Mail or Gmail (to read and extract data from the email/alert).
- Reputation Integration: VirusTotal or a similar URL analysis tool.
To scan URLs received by email, you also need a connector that monitors a mailbox and ingests its messages as alerts (with the Email or Exchange integrations); the playbook attached to those alerts runs the scan logic described below.
Build the scan logic in your playbook
Use the following steps to build the scanning logic in your playbook:
- Use the email integration's action (for example, Gmail_Enrich Email) to get the full email body or event data. Use the Expression Builder to parse the email and extract the specific URL(s) you want to scan. For details, see Use the Expression Builder.
  When emails start coming into Google Security Operations SOAR, their content can be either parsed by the mapping feature or extracted by the Create Entity playbook action (if playbooks are attached to the incoming emails).
- Add your selected scan action (for example, VirusTotal_Scan URL) and use a placeholder to pass in the URL extracted in the previous step.
- Add a Condition flow immediately after the scan action. For details, see Use flows in playbooks.
- Configure the branches of the condition to evaluate the JSON Result from the reputation scan:
  - Branch 1 (Malicious): the Scan Result reports the URL as malicious (for example, a detection score greater than 5, or a specific engine found a threat).
  - Branch 2 (Clean/Unknown): the Scan Result is clean, or the condition finds no malicious indicators. Note that a scan that returned no result at all also lands here, so treat this branch as "not proven malicious" rather than "safe" when deciding whether to close the case automatically.
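The three playbook steps above (extract the URLs, feed each one to the scan action, branch on the JSON Result) written out as a stand-alone Python script. This is an added example, not Google SecOps SOAR code and not the VirusTotal integration: the email is a constructed sample, the scan results are constructed dictionaries shaped like a VirusTotal v3 URL object (an assumption; the real JSON Result depends on the integration you use), and the engine names in HIGH_CONFIDENCE_ENGINES are hypothetical. It makes two points the steps leave implicit: in an HTML body the href target must be extracted, not the link's display text, and a missing scan result must fall into the Clean/Unknown branch rather than be mistaken for a clean verdict.

```python
"""Extract URLs from an inbound email and triage each one on its reputation-scan result."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# http(s) URLs in free text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)]}'\""
MALICIOUS_THRESHOLD = 5  # the page's "score > 5" example: engines that must flag the URL
HIGH_CONFIDENCE_ENGINES = {"VendorA", "VendorB"}  # hypothetical names; one verdict from these is enough


class _HrefCollector(HTMLParser):
    """Collect href targets so a link's real destination is scanned, not its display text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(value for name, value in attrs if name == "href" and value)


def extract_urls(raw_message: bytes) -> list:
    """Unique http(s) URLs from every text/plain and text/html part, in order of first appearance."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        candidates = []
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(body)
            candidates.extend(collector.hrefs)
        candidates.extend(URL_RE.findall(body))
        for url in candidates:
            url = url.rstrip(TRAILING_PUNCT)
            if not url.lower().startswith(("http://", "https://")):
                continue  # drops mailto:, javascript: and relative hrefs
            if urlsplit(url).netloc and url not in urls:
                urls.append(url)
    return urls


def triage(scan_result) -> str:
    """Condition-flow decision: 'malicious' (Branch 1) or 'clean_or_unknown' (Branch 2).
    The result shape is an assumption modelled on a VirusTotal v3 URL object
    (last_analysis_stats / last_analysis_results); the real SOAR JSON Result is
    integration-specific. A missing or empty result lands in Branch 2, so that
    branch should queue analyst review rather than auto-close the case.
    """
    if not scan_result:
        return "clean_or_unknown"
    stats = scan_result.get("last_analysis_stats") or {}
    score = int(stats.get("malicious", 0)) + int(stats.get("suspicious", 0))
    results = scan_result.get("last_analysis_results") or {}
    trusted_hit = any(v.get("category") == "malicious"
                      for engine, v in results.items() if engine in HIGH_CONFIDENCE_ENGINES)
    return "malicious" if score > MALICIOUS_THRESHOLD or trusted_hit else "clean_or_unknown"


def run_playbook(raw_message: bytes, scan_results: dict) -> dict:
    """Extract the URLs, look up each one's scan result, return {url: branch}."""
    return {url: triage(scan_results.get(url)) for url in extract_urls(raw_message)}


# Constructed sample message (not a real email; example.* and 198.51.100.7 are reserved for documentation).
SAMPLE_EMAIL = b"""From: payroll@example.com
Subject: Action required: verify your account
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify at https://login.example.net/verify?acct=1234.
Questions? See https://intranet.example.com/help).
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="https://login.example.net/verify?acct=1234">verify here</a>
or visit <a href="http://198.51.100.7/portal">the portal</a>.</p></body></html>
--b1--
"""

# Constructed scan results keyed by URL (not real VirusTotal data).
SAMPLE_SCAN_RESULTS = {
    "https://login.example.net/verify?acct=1234": {"last_analysis_stats": {"malicious": 7, "suspicious": 1}},
    "https://intranet.example.com/help": {"last_analysis_stats": {"malicious": 0, "suspicious": 0}},
    "http://198.51.100.7/portal": {  # below the score threshold, but a high-confidence engine flags it
        "last_analysis_stats": {"malicious": 2, "suspicious": 0},
        "last_analysis_results": {"VendorB": {"category": "malicious"}}},
}

if __name__ == "__main__":
    for url, branch in run_playbook(SAMPLE_EMAIL, SAMPLE_SCAN_RESULTS).items():
        print(f"{branch:17} {url}")
```

In the playbook itself, `extract_urls` is the Expression Builder step, the dictionary lookup stands in for the placeholder that feeds the scan action, and `triage` is the Condition flow; the thresholds are the only part you tune per integration.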
Once all URLs are extracted, you can use them in manual actions and in playbooks.