Phishing Response Automation Workflow - Email Parser Error


We are trying to create a workflow for Phishing Response Automation. In our environment when user finds an email suspicious they click a Phish Alert button in Outlook.
The suspicious email then forwarded to a particular mailbox as an .eml attachment. We pick the email, verify the contents - URLs, Domains, Attachments in various other sites and give reponse to user.

We want to automate a part of this process. We want to fetch these emails, Create a case in TheHive, parse the .eml file and separate the attachments URLs, Create observable in Thehive, Analyze the observable it with Cortex. Based on the detection if true then TheHive will send a response. We cannot use IMAP. We are using Outlook node with OAUTH.

Till now we have achived to fetch email, create case in Thehive. We can use node HTML extract to parse the URLs from the body content but then in our environment Outlook safe links is enabled and all the URLs in our email is bind with If we analyze this in Cortex then it will not scan the actual links but the

Fields where we need input:
. How to parse .eml file and separate all fields - Subject, Body Content in text format, URL, Domain, attachments? Cortex Eml Parser is working but not giving the result back in n8n. The result is visible in Cortex Application
. If extraction succeeded then how to remove the initial part of the URL which is
. How to attach the email attachments in TheHive as an observable?

n8n Version - 0.199, Database - SQLite, Self Hosted Docker Version

Our Workflow till now:

“meta”: {
“instanceId”: “c392a8b10f6346dd2a109a8610761351611931e29ed10ed8a474b4ced7915a34”
“nodes”: [],
“connections”: {}

Hi @saikatdas, looks like there already is an open issue for this on GitHub and Jon is currently waiting for feedback on another forum thread around this: Some Cortex Nodes are not running jobs - #8 by Jon

So, you might want to follow the existing threads. I am not familiar with the EML file structure nor am I a user of Cortex/TheHive so will unfortunately not be able to provide much help with building a workaround here :frowning: