Scan incoming Gmail attachments for threats with VirusTotal and GPT-4o-mini

Built by Ayaka Sato
Created on June 11, 2026

Description

Who's it for

Small teams, solo operators, and security-conscious individuals who receive email attachments from external senders. Useful for freelancers, agencies, HR teams, and anyone handling CVs, invoices, or documents from unknown sources.

How it works

Every minute, the workflow polls Gmail for new unread emails with attachments. For each attachment, it calculates the SHA256 hash and queries VirusTotal for known-malware matches. In parallel, an AI model analyzes the email subject and body for phishing patterns. A rule-based scorer combines both signals into three threat levels:

Danger (VirusTotal malicious count >= 3 OR AI detects phishing): triggers a Gmail quarantine label plus a Slack alert.
Suspicious (partial hits): logs to a human review queue in Google Sheets.
Safe: saves the attachment to Google Drive.

AI is used only for text classification; the final quarantine decision is always rule-based.
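
The scoring rules above, written as a function of the kind an n8n Code node could hold. This is an added example, not the workflow's own code; the verdict strings, the reading of "partial hits", and the choice to send unknown hashes and unrecognized AI verdicts to review are assumptions.

```javascript
// Added example of a rule-based scorer; not the workflow's own Code node.
const DANGER_MALICIOUS_MIN = 3; // from the page: malicious count >= 3

// vtResponse: parsed JSON of a VirusTotal v3 file lookup, or null when the
// hash is unknown to VirusTotal (HTTP 404).
// aiVerdict: classifier output; "phishing" / "benign" are assumed labels.
function scoreAttachment(vtResponse, aiVerdict) {
  const stats = vtResponse?.data?.attributes?.last_analysis_stats;
  const known = Boolean(stats);
  const malicious = known ? Number(stats.malicious) || 0 : 0;
  const suspicious = known ? Number(stats.suspicious) || 0 : 0;
  const verdict = String(aiVerdict ?? '').trim().toLowerCase();
  const reasons = [];

  // Danger: either signal alone is enough (the page's OR rule).
  if (malicious >= DANGER_MALICIOUS_MIN) reasons.push(`vt_malicious=${malicious}`);
  if (verdict === 'phishing') reasons.push('ai_phishing');
  if (reasons.length) return { level: 'DANGER', malicious, reasons };

  // Assumption: "partial hits" means any engine hit below the Danger threshold.
  if (malicious > 0 || suspicious > 0) reasons.push('vt_partial_hits');
  // Assumption: a hash VirusTotal has never seen is not evidence of safety.
  if (!known) reasons.push('vt_unknown_hash');
  // Assumption: an empty or unexpected AI verdict goes to review, not to Safe.
  if (verdict !== 'benign') reasons.push('ai_verdict_unrecognized');
  if (reasons.length) return { level: 'SUSPICIOUS', malicious, reasons };

  return { level: 'SAFE', malicious, reasons };
}

// Constructed sample lookups (not real VirusTotal data).
const vt = (malicious, suspicious) => ({
  data: { attributes: { last_analysis_stats: { malicious, suspicious, undetected: 60 } } },
});
const SAMPLES = { flagged: vt(5, 1), partial: vt(1, 0), clean: vt(0, 0), unknown: null };

for (const [name, response] of Object.entries(SAMPLES)) {
  const result = scoreAttachment(response, 'benign');
  console.log(name, result.level, result.reasons.join(','));
}
```

The `unknown` case matters most in practice: a newly built or targeted file has no VirusTotal record, so a missing record should never route an attachment straight to the Safe folder.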

Set up steps

Get a free VirusTotal API key at virustotal.com
Create a Google Sheet named suspicious_queue with columns: timestamp, email_from, email_subject, attachment, malicious_count, ai_verdict
Create a Gmail label called QUARANTINE and a Google Drive folder for safe attachments
Open Set Configuration and fill in the Sheet ID, Drive folder ID, Slack channel, and label name
Connect Gmail, Sheets, Drive, Slack, OpenAI, and VirusTotal (Header Auth with x-apikey) credentials
Activate the workflow

How to customize

Adjust thresholds in the Code node, swap Slack for Discord or Teams, or add SPF and DKIM header checks before scanning.

Nodes Used (7)

Code (n8n-nodes-base.code)
Gmail (n8n-nodes-base.gmail)
Google Drive (n8n-nodes-base.googleDrive)
Google Sheets (n8n-nodes-base.googleSheets)
HTTP Request (n8n-nodes-base.httpRequest)
OpenAI (@n8n/n8n-nodes-langchain.openAi)
Slack (n8n-nodes-base.slack)