Cybersecurity researchers have identified a growing trend where attackers are exploiting the capabilities of n8n, a widely adopted workflow automation platform, to execute phishing campaigns and deliver malware. By misusing legitimate infrastructure, threat actors are able to operate under the guise of trusted services, significantly reducing the likelihood of detection.
According to recent findings from Cisco Talos, this activity has been ongoing since late 2025. The attackers are taking advantage of n8n’s flexible automation features, particularly its webhook functionality, to build efficient and scalable attack chains.
n8n is designed to simplify integration between applications, APIs, and services. It allows users to create automated workflows hosted on cloud-based subdomains, typically ending in “.app.n8n.cloud”. While this architecture is intended to streamline development and operations, it also introduces a level of trust that attackers are now exploiting.
The primary vector in these campaigns is the webhook feature. Webhooks act as endpoints that receive data and trigger predefined workflows. In legitimate use, they enable real-time communication between systems. However, when embedded into phishing emails, these same endpoints can be repurposed as delivery mechanisms for malicious content.
When a recipient clicks on a webhook link, their browser processes the response as if it were coming from a legitimate application. This behavior creates a convincing illusion, making it difficult for both users and security tools to distinguish between benign and malicious activity.
The scale of this abuse has increased rapidly. Researchers noted a substantial rise in phishing emails containing n8n webhook URLs, indicating that attackers are actively adopting this technique due to its effectiveness.
One notable campaign involved emails disguised as document-sharing notifications. Victims who clicked on the embedded link were directed to a webpage that displayed a CAPTCHA verification step. After completing the CAPTCHA, a malicious file was automatically downloaded from an external server.
Because the entire interaction is handled within the webpage using JavaScript, the download appears to originate from the n8n domain itself. This significantly enhances the credibility of the attack and reduces the chances of it being flagged as suspicious.
The payloads delivered in these campaigns often include executable files or MSI installers. These installers are typically used to deploy modified versions of legitimate remote monitoring and management tools, such as Datto or ITarian. Once installed, these tools provide attackers with persistent access to the compromised system and allow communication with command-and-control servers.
In addition to delivering malware, attackers are also using n8n webhooks for reconnaissance. By embedding invisible tracking elements within emails, they can gather information about recipients. When an email is opened, the tracking element sends a request to the webhook URL, revealing details such as the recipient’s email address and confirming that the message has been viewed.
This technique allows attackers to identify active targets and refine their campaigns accordingly. It also enables them to collect intelligence passively, without requiring explicit user interaction.
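As an added example (not code from Cisco Talos or from this article), the following Python scans an email body for the two indicators described above: anchor links pointing at an n8n cloud webhook, and invisible image tags whose source is an n8n webhook carrying the recipient's address. It assumes the “.app.n8n.cloud” host suffix named in the article and n8n's default `/webhook/` and `/webhook-test/` route prefixes; the tenant name, paths and message body in the sample are constructed for this example.

```python
"""Flag n8n cloud webhook URLs in an email body (added example, not Talos tooling)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlparse

# Host suffix named in the article. The /webhook and /webhook-test path
# prefixes are n8n's default webhook routes (assumption: a self-hosted or
# reverse-proxied instance may expose them under a different path).
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)


def is_n8n_webhook(url: str) -> bool:
    """True if url is an http(s) link to a webhook route on an n8n cloud tenant."""
    parts = urlparse(url)
    host = parts.hostname or ""          # None for mailto:, relative paths, etc.
    return (parts.scheme in ("http", "https")
            and host.endswith(N8N_CLOUD_SUFFIX)
            and bool(WEBHOOK_PATH_RE.match(parts.path)))


def carries_identifier(url: str) -> bool:
    """True if any query value looks like an e-mail address (recipient tracking)."""
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if "@" in unquote(value):
            return True
    return False


class _Extractor(HTMLParser):
    """Collect <a href> and <img src> values with their attributes."""

    def __init__(self):
        super().__init__()
        self.links = []    # href values of <a>
        self.images = []   # (src, attrs) of <img>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append((attrs["src"], attrs))


def _is_invisible(attrs: dict) -> bool:
    """1x1 / zero-sized or hidden images are the classic tracking pixel."""
    def tiny(v: str) -> bool:
        v = v.strip().rstrip("px")
        return v.isdigit() and int(v) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")))
            or "display:none" in style or "visibility:hidden" in style)


def scan_email_html(html: str) -> list:
    """Return one finding per n8n webhook reference found in an email body."""
    ext = _Extractor()
    ext.feed(html)
    findings = []
    for href in ext.links:
        if is_n8n_webhook(href):
            findings.append({"kind": "webhook_link", "url": href,
                             "identifier": carries_identifier(href)})
    for src, attrs in ext.images:
        if is_n8n_webhook(src):
            kind = "tracking_pixel" if _is_invisible(attrs) else "webhook_image"
            findings.append({"kind": kind, "url": src,
                             "identifier": carries_identifier(src)})
    return findings


# Constructed sample mimicking the document-sharing lure; tenant name,
# webhook paths and addresses are invented for this example.
SAMPLE_EMAIL = """
<p>A document was shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/share-doc-0001">Open document</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/open?e=user%40example.com"
     width="1" height="1" style="display: none">
<a href="https://docs.example.com/report.pdf">Unrelated link</a>
<a href="mailto:helpdesk@example.com">Contact us</a>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding)
```

In a mail gateway or SOAR rule, a `webhook_link` finding is a candidate for link rewriting or quarantine, while a `tracking_pixel` finding with `identifier=True` is evidence the sender is harvesting recipient confirmation and is worth stripping before delivery. The suffix check uses the leading dot so look-alike hosts such as `fakeapp.n8n.cloud` or `x.app.n8n.cloud.attacker.example` do not match.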
The misuse of n8n highlights a broader issue in cybersecurity. As automation platforms become more accessible and powerful, they are increasingly being repurposed for malicious activities. The same features that make these tools valuable for developers also make them attractive to attackers.
To address this challenge, organizations need better visibility into how such platforms are being used within their environments. This is where solutions like IntelligenceX become essential. By offering capabilities such as threat detection, infrastructure analysis, and vulnerability assessment, IntelligenceX helps organizations identify suspicious patterns and uncover hidden threats.
For instance, detecting unusual webhook activity, analyzing traffic linked to automation platforms, and correlating phishing infrastructure are key steps in mitigating these attacks. With the support of IntelligenceX, security teams can proactively identify risks and take action before they escalate.
Another critical aspect is securing integrations and configurations. Many organizations deploy automation tools without fully assessing the associated risks. IntelligenceX assists in identifying misconfigurations and ensuring that these platforms are used securely, reducing the chances of them being exploited.
The findings from Cisco Talos serve as a reminder that modern cyber threats often rely on abusing legitimate tools rather than exploiting traditional vulnerabilities. This shift makes detection more challenging and requires a more proactive approach to security.
As attackers continue to evolve their tactics, organizations must adapt by strengthening their monitoring capabilities and improving their understanding of how trusted platforms can be misused.
The abuse of n8n webhooks demonstrates that even widely trusted tools can become part of sophisticated attack chains. Preventing this requires continuous monitoring, better visibility, and a strong security strategy that evolves alongside emerging threats.