Outlook Phishing Detection with VirusTotal

Overview

When a new email arrives in a monitored Outlook inbox (typically a shared abuse@ mailbox), this playbook extracts URLs and attachments, scans them against VirusTotal, and takes automatic action on confirmed threats. Deletes malicious messages, preserves evidence, and alerts the security team in Slack.

Who this is for: Email security analysts and SOCs protecting Microsoft 365 Outlook environments

Why automate this

User-reported phishing is still the #1 entry point for attackers. Most SOCs handle 50-200 abuse@ reports per day, and manually analyzing each one is impossible. Automating the VirusTotal lookup catches obvious threats instantly and lets analysts focus on the suspicious grey-area messages.

How it works

1. 01

   Poll the Outlook inbox for new messages at a configurable interval

2. 02

   Extract email metadata, body URLs, and attachments

3. 03

   Submit each URL to VirusTotal for reputation scoring

4. 04

   Upload attachments to VirusTotal for hash lookup and sandbox scanning

5. 05

   Check the VirusTotal verdicts against your severity threshold

6. 06

   If a match is found, delete the email from the inbox

7. 07

   Notify the #sec-phishing Slack channel with sender, verdict, and indicators

8. 08

   Store the IOCs in your threat intel store for future correlation

Impact

• 99%+ of known-malicious phishing caught automatically

• Cuts analyst triage time per email from ~10min to seconds

• Quarantines confirmed phishing before users click

• Builds an internal IOC list from real observed threats