DEV Community

Abhay Negi

Attackers Exploit n8n Automation to Deliver Malware Through Trusted Channels

The growing reliance on automation tools has introduced new opportunities for attackers. Researchers have recently identified how n8n, a popular workflow automation platform, is being misused to facilitate phishing attacks and distribute malware.

Cisco Talos reports that this activity has been ongoing since October 2025. Instead of exploiting vulnerabilities, attackers are using n8n’s native features—particularly webhooks—to build automated attack chains.

n8n Cloud hosts each customer's workflows, and the webhook endpoints those workflows expose, under a subdomain of n8n's own cloud domain. E-mail gateways and web filters score URLs largely by domain reputation, and that reputation is shared by every tenant on the platform, so a webhook URL on an attacker-controlled tenant inherits the trust earned by legitimate n8n users. That makes it well suited to disguising malicious activity.

In these campaigns the phishing e-mail links directly to a webhook URL. A webhook node can return whatever HTTP response the workflow author configures, so when the recipient clicks, the attacker's workflow serves its page or redirect from an n8n host over a valid TLS connection. Reputation-based and allowlist-based filters see a known automation service rather than attacker infrastructure, and the link passes.

One observed campaign used e-mails posing as shared-document notifications. The link led to a webpage with a CAPTCHA prompt; once the challenge was completed, a malicious file was downloaded automatically. The CAPTCHA step also works against defenders: an automated link scanner that fetches the URL sees only the challenge page, never the payload.

The payloads are typically installers that deploy modified builds of legitimate remote access tools. Because the binaries are derived from widely used software, signature-based antivirus is less likely to flag them; once installed they give the attacker persistent control of the host and beacon out to external, attacker-controlled servers.

Webhook URLs also serve as tracking beacons. An invisible image element in the e-mail points at a webhook, so the moment the message is opened the mail client fetches it and the attacker's workflow records a hit, including the recipient's IP address and User-Agent from the request headers. That tells the attacker which addresses belong to active targets worth following up.
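The two abuses described above, a clickable webhook link and an invisible webhook beacon, and the auto-download that follows the CAPTCHA page, can all be spotted in data a defender already has: e-mail bodies and proxy logs. The scanner below is an added example written for this post; it is not code from the original article or from Cisco Talos. The host suffix (`.n8n.cloud`) and the `/webhook/` and `/webhook-test/` path prefixes are assumptions based on n8n's documented defaults and should be adjusted to your environment; the e-mail HTML, hostnames and proxy-log lines are constructed sample input.

```python
"""Flag n8n webhook URLs in e-mail HTML and proxy logs.

Added example for this post, not code from the article or from Talos.
Indicators and sample data below are assumptions/constructed input.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators: n8n Cloud tenants live under n8n.cloud, and any n8n
# instance (self-hosted included) serves webhooks under /webhook/ or
# /webhook-test/. Tune both for your environment.
N8N_CLOUD_SUFFIX = ".n8n.cloud"
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)

# Content types that mean "a file was delivered", not "a page was shown".
DOWNLOAD_TYPES = {
    "application/x-msdownload", "application/x-msi",
    "application/octet-stream", "application/zip",
}


def is_n8n_webhook(url):
    """True when the URL points at an n8n webhook endpoint, cloud or self-hosted."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) or bool(WEBHOOK_PATH_RE.match(p.path))


def looks_hidden(attrs):
    """Tracking-pixel heuristics: 1x1 (or 0x0) image, or hidden via CSS."""
    w = (attrs.get("width") or "").strip()
    h = (attrs.get("height") or "").strip()
    tiny = w in ("0", "1") and h in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


class WebhookScanner(HTMLParser):
    """Collect (kind, url) for every <a> and <img> that targets an n8n webhook."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None
        if tag == "a" and a.get("href") and is_n8n_webhook(a["href"]):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and a.get("src") and is_n8n_webhook(a["src"]):
            kind = "beacon" if looks_hidden(a) else "image"
            self.findings.append((kind, a["src"]))


def scan_email_html(html):
    """Return [(kind, url), ...]; kind is 'link', 'beacon' or 'image'."""
    s = WebhookScanner()
    s.feed(html)
    s.close()
    return s.findings


def scan_proxy_log(text):
    """Return (client, url) for webhook requests whose response was a file.

    Expected line format (constructed for this example):
    time client method url status content_type
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _, client, _, url, _, ctype = parts
        if is_n8n_webhook(url) and ctype.lower() in DOWNLOAD_TYPES:
            hits.append((client, url))
    return hits


# Constructed sample e-mail: a "shared document" lure plus a 1x1 beacon.
SAMPLE_EMAIL = """
<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/shared-doc">Open document</a>
<a href="https://docs.example.com/help">Help</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/open?id=42" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
</body></html>
"""

# Constructed proxy log: CAPTCHA page first, then the automatic download.
SAMPLE_PROXY_LOG = """\
2025-11-03T09:14:07Z 10.0.0.12 GET https://example-tenant.app.n8n.cloud/webhook/shared-doc 200 text/html
2025-11-03T09:14:19Z 10.0.0.12 GET https://example-tenant.app.n8n.cloud/webhook/shared-doc/verify 200 application/x-msdownload
2025-11-03T09:15:03Z 10.0.0.33 GET https://cdn.example.com/logo.png 200 image/png
"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE_EMAIL):
        print(f"email  {kind:6} {url}")
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy  download from webhook by {client}: {url}")
```

Two design points. First, matching on the `/webhook/` path as well as the cloud suffix catches self-hosted n8n instances, which share none of the cloud domain's reputation but expose the same endpoints. Second, the proxy check keys on the response content type rather than on the URL alone, because the first request in the chain legitimately returns HTML (the CAPTCHA page); it is the webhook that answers with an installer that deserves the alert.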

Threat-intelligence platforms such as IntelligenceX help in identifying this activity. IntelligenceX provides insight into suspicious domains, exposed infrastructure and phishing activity.

By combining that intelligence with their own mail and proxy telemetry, organizations can detect unusual webhook usage and stop a campaign before it escalates into a large-scale compromise.

The misuse of n8n shows how attackers are shifting toward abusing legitimate, trusted services rather than exploiting vulnerabilities. Organizations must adapt by building visibility into which legitimate services their users reach and what those services return, instead of relying on domain reputation and other traditional defenses alone.
