Structura.io
Email Security · Polling trigger · 8 actions

Gmail Phishing Detection with VirusTotal

Scan incoming Gmail messages for malicious links and attachments, delete threats, and alert security.

Integrates with
Gmail, VirusTotal, Slack

Overview

The Gmail equivalent of the Outlook phishing playbook. Monitors a Gmail abuse mailbox (or any inbox you point it at), scans every URL and attachment with VirusTotal, and takes action on confirmed malicious content by deleting the email, preserving the IOCs, and posting a Slack alert to your security channel.

Who this is for: Security teams running Google Workspace as their primary email platform

Why automate this

Google Workspace-native SOCs need the same automated triage that Microsoft 365 shops get. This playbook gives Gmail-first organizations instant coverage of their phishing reporting pipeline with the same VirusTotal-powered verdict logic.

How it works

  1. Poll the Gmail inbox via the Gmail API for new messages

  2. Parse the email body to extract all URLs

  3. Submit each URL to VirusTotal for a reputation check

  4. Extract all attachments and hash them

  5. Look up each hash in VirusTotal and sandbox unknown files

  6. Compare VirusTotal verdicts against your policy threshold

  7. On malicious verdict, delete the email and log the IOCs

  8. Post a detailed Slack alert with the verdict and sender context
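The extraction and verdict steps above can be sketched offline as follows. This is an added example, not Structura's playbook code: the function names, the threshold of 3 engines, and the sample message are assumptions, and the Gmail and VirusTotal calls are replaced by a constructed message and constructed verdict counters.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
MALICIOUS_THRESHOLD = 3  # assumed policy: minimum engines reporting "malicious"

def extract_iocs(raw: bytes):
    """Return (sorted unique URLs, {filename: sha256}) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, hashes = set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            hashes[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
        elif part.get_content_maintype() == "text":
            # get_content() undoes base64/quoted-printable and the charset, so
            # links in encoded bodies are still extracted
            urls.update(u.rstrip(".,;") for u in URL_RE.findall(part.get_content()))
    return sorted(urls), hashes

def is_malicious(stats: dict, threshold: int = MALICIOUS_THRESHOLD) -> bool:
    """stats mirrors VirusTotal's last_analysis_stats counters."""
    return stats.get("malicious", 0) >= threshold

def triage(raw: bytes, vt_stats: dict) -> dict:
    """vt_stats maps URL or SHA-256 -> stats dict; unknown IOCs count as clean here."""
    urls, hashes = extract_iocs(raw)
    hits = [i for i in urls + list(hashes.values()) if is_malicious(vt_stats.get(i, {}))]
    return {"action": "delete_and_alert" if hits else "keep", "iocs": hits}

def build_sample() -> bytes:
    """Constructed message: base64-encoded body with one link, one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.test", "abuse@example.test", "Action required"
    m.set_content("Verify at http://login.example.test/reset?id=42.", cte="base64")
    m.add_attachment(b"constructed attachment bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample()
    urls, hashes = extract_iocs(raw)
    # Constructed verdicts standing in for VirusTotal responses
    vt = {urls[0]: {"malicious": 7, "suspicious": 1}, hashes["invoice.bin"]: {"malicious": 0}}
    print(triage(raw, vt))
```

In a real deployment an IOC that VirusTotal has never seen would go to the sandbox step rather than being treated as clean.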

Impact

  • Native Gmail API integration, no MX redirects or gateway changes

  • Automated quarantine of known-bad messages

  • Reduces mean-time-to-quarantine from hours to seconds

  • Single Slack thread per incident for analyst handoff

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.
