Democratizing suspicious email analysis with Tines and urlscan

Last updated on

Written by Eoin Hinchy

For security teams across the world, analyzing employee-reported phishing emails is a manual, time-consuming process that detracts from other, higher-impact and more engaging work.

Today we’re excited to announce, a free service, built in partnership with urlscan, that helps address this challenge by automating the analysis of suspicious emails.

How it works 

When you send a suspicious email to, either forwarded inline or as an attachment, the below Tines Story runs. Tines automation Story

‍The Story extracts all URLs in the suspicious email and submits them to urlscan. Once urlscan has finished analysing the URLs, Tines sends you a comprehensive report with information including:

  • Overall classification of the email

  • Sender reputation

  • List of all analyzed URLs with links to urlscan

  • List of all attachments with links to VirusTotal

Sample report for a suspicious email

‍Sharing malicious indicators with the community 

We’ve written previously about the value of sharing malicious indicators with the wider InfoSec community. When you send a malicious email to, the report contains an option to automatically share the links with various open-source threat intel providers.

When you click this link, a Tines prompt is executed and sent to TinesBot for distribution to the wider InfoSec community.

What's next? 

Try it! Visit or send a suspicious email to If you want to examine, modify or expand on the automation Story powering, it’s available for download here. Simply import it into your existing Tines tenant or access our free Community Edition of Tines here.

If you have feedback, questions or suggestions on, contact

Built by you, powered by Tines

Talk to one of our experts to learn the unique ways your business can leverage Tines.