The opportunities to use AI in workflow automation are many and varied, but one of the simplest ways to use AI to save time and enhance your organization's security posture is by building an automated SMS analysis service.

Workflow automation platform Tines provides a good example of how to do it. The vendor recently released their first native AI features, and security teams have already started sharing the AI-enhanced workflows they've built using the platform.

Tines' library of pre-built workflows includes AI-enhanced pre-built workflows for normalizing alerts, creating cases, and determining which phishing emails require escalations.

Let's take a closer look at their SMS analysis workflow, which, like all of their pre-built workflows, is free to access and import, and can be used with a free Community Edition account.

Here, we'll share an overview of the workflow, and a step-by-step guide for getting it up and running.

The problem - SMS scam messages targeted at employees

Employees often receive scam SMS messages designed to steal login credentials or install malware on devices. These messages can lead to compromised accounts, unauthorized access to sensitive information, and potential breaches that could cause significant harm to the organization's operations and reputation.

Responding to each report manually can be time-consuming and error-prone, making it difficult for security teams to keep up with the volume of threats.

The solution - an automated SMS analysis service

A web page with a form inviting employees to submit the message for analysis

Using workflow automation, security teams can create an SMS analysis service that any employee across the organization can use.

It operates as a simple self-service model. When employees receive a suspicious message, they visit the web page and submit a screenshot of the message or a URL using the provided form. This form kicks off the workflow and they get a response within a couple of seconds. The response includes a clear and detailed analysis of the message and some recommended next steps.

Here's an example of the image they might submit:

Here's an example of the result they might receive:

The automated analysis received by the employee

The text reads:

Hi! Thanks for reporting the message. I've analyzed the content and have a few observations:

The message claims that your Amazon account has been locked due to multiple failed login attempts. This is a common tactic used in phishing scams, where attackers try to trick you into clicking on a malicious link to "recover" your account.

The message has a sense of urgency, which is another red flag for phishing attempts. Legitimate companies typically don't demand immediate action in this manner.

The link provided in the message (hxxp://s953909557/servweb) appears to be suspicious. I've defanged the link, but I would strongly advise against clicking on it, as it could lead to a malicious website designed to steal your login credentials or install malware on your device.

Additionally, the message does not appear to be from any of our senior executives [executive names here]. This could be an attempt at CEO fraud, where someone is impersonating a senior leader to request sensitive information or perform unauthorized actions.

In summary, this message exhibits several characteristics of a common phishing scam and should be treated with caution. I recommend that you do not click on the provided link and instead contact Amazon directly through their official website or customer service channels to verify the status of your account.

Please let me know if you have any other questions or concerns. I'm here to help ensure the security of our organization.

Here are some of the key benefits of launching a service like this:

  • It promotes a culture of cybersecurity by making it easy for employees to be vigilant and reinforces security-conscious decision-making
  • It reduces manual, repetitive work for the security team
  • It improves the speed and accuracy of threat detection
The pre-built workflow as it appears in the Tines library

Workflow overview

This workflow uses Tines Pages to create an automated SMS analysis service that anyone in the organization can use.

Tools used:

  • Tines - a workflow automation and orchestration platform that's popular with security teams. It's possible to use the free Community Edition of Tines to build and run this workflow if you don't have a paid account. AI must be enabled on your tenant. Note that AI action usage is based on a credits system but there is a free credit allowance on all accounts.
  • OCR - a free tool that parses images and multi-page PDF documents and returns the extracted text results in a JSON format. Pro plans with larger usage allowances are also available.

The workflow is kicked off by a submission on a Tines page, which includes a form where users can submit an image of an SMS message or a relevant URL.

The workflow then uses OCR to extract the text. If the image exceeds the file size limit, it's resized using the Automatic Mode transformation action, which invokes a small piece of Python code that has been generated by AI in Tines.

The workflow also fetches the image if the provided input is a URL. If the image was uploaded, it renames the image to match the required format.

Once the text is extracted, it's then sent to the AI action for analysis. The AI prompt asks the language model to analyze it for potential scam indicators and defang any links.

Here's the AI prompt the Tines team used to create the workflow:

You are a virtual Security Analyst analyzing a suspicious SMS reported to you. The screenshot of the SMS has been OCR'd by you.

Reply to the user submitting the SMS with the analysis. You should be analyzing it for tone and for common scams like phishing, romance scams, fake invoice, fake tickets, and dozens of others.

As this is an internal tool, the primary worry is CEO Fraud where someone might be impersonating a senior executive. The Senior Executives in this company are [provide executive names and titles here].

If you are including any links in the response that may be suspicious, make sure you defang them.

Begin with:

"Hi! Thanks for reporting the Message..."

The AI action forms a response to the user including analysis - whether or not the message appears to be malicious - and recommended next steps - don't click the link, etc.

If, for some reason, the analysis fails, the user will receive a message prompting them to try again or contact the security team.

Configuring the workflow - step-by-step guide

The Tines Community Edition sign-up form

1. Log into Tines or create a new account.

2. Ensure AI is enabled on your tenant. For this, you need to be the tenant owner. Select the account settings drop-down in the top left of your screen, and check the box to turn AI on.

The OCR Space sign-up form
Adding a new credential in Tines

3. Create your OCR credential. Set up an OCR API account if you don't have one already and get the API key for your account. From the credentials page, select New credential. You will then be prompted to choose the credential type (in this case, Text) and complete the required fields. Name the credential "ocr_space" to automatically connect the credential to the workflow.

Importing a story from the library to your tenant

4. Navigate to the pre-built workflow in the library.

The workflow on Tines' drag-and-drop canvas

5. Select import. This should take you straight to your new pre-built workflow.

Editing the Tines page
Customizing the AI prompt

6. Configure your actions. For example, you may like to edit the layout of the Tines page that kicks off the workflow, and customize the AI prompt with the names of executives at your company.

7. Test the workflow. Submit an image via the form to test your workflow.

8. Publish your workflow and share the Page URL with your desired users.

Building in other automation platforms

You could use another no-code automation platform to build a similar service, although it's worth noting that some of the features in this workflow are unique to Tines:

  • Pages: This workflow is kicked off by a submission to a form on a web page, and the output is delivered via the same web page. This is built using Tines' Pages feature.
    • Alternative: Receive information and deliver results via email.
  • The AI Action: Tines' AI action is unique in that it allows users to directly access and use a language model at any point in their workflow while offering robust security guardrails. There's no training, logging, inspecting, or storing of data that enters or exits the language model.
    • Alternative: Connect to an external LLM like ChatGPT for analysis, but be sure to evaluate the security and privacy features of whatever model you plan to use if sensitive data will be passed through.
  • Event Transform in Automatic Mode: This feature uses build-time AI to compose Python code based on the guidance and the input the builder provides. Once you save your changes, the code is locked in place. This means that when the action runs, only the code executes, and no AI is involved.
    • Alternative: Write Python code manually to transform your data.

If you'd like to explore AI in Tines for yourself or test out this workflow, you can sign up for a free account including AI functionality.


Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.