The misuse of automation platforms is becoming a significant concern in cybersecurity. Attackers are increasingly leveraging trusted tools like n8n to execute phishing campaigns and distribute malware.
Research from Cisco Talos shows that attackers have been abusing n8n webhooks since October 2025. By embedding webhook URLs in phishing emails, they can trigger automated workflows that deliver malicious payloads.
n8n workflows run on cloud-hosted subdomains that security filters commonly trust by default. This lets attackers bypass those filters and deliver content that appears legitimate.
In one campaign, victims were directed to a webpage with a CAPTCHA challenge. After completing the challenge, a malicious file was downloaded automatically.
The payloads used in these campaigns include installers that deploy modified remote management tools, providing attackers with persistent access.
In addition to malware delivery, attackers use webhooks for tracking and reconnaissance, enabling them to identify active targets.
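One way to surface the webhook links described above in inbound mail, as an added example that is not code from this article or from Cisco Talos. It assumes n8n Cloud tenants sit under `.app.n8n.cloud` and that webhook paths begin with `/webhook/` or `/webhook-test/`; the function name, the allow-list parameter and the sample message are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumptions (not stated in the article): n8n Cloud tenant hosts end with this
# suffix, and webhook endpoints use these path prefixes.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

# Constructed sample message; every host and path here is made up.
SAMPLE_EMAIL = """\
From: billing@example.test
To: user@example.test
Subject: Shared document
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://tenant-a.app.n8n.cloud/webhook/0000-constructed">View document</a></p>
<p><a href="https://corp-flows.app.n8n.cloud/webhook/helpdesk">Internal helpdesk form</a></p>
<p><a href="https://app.n8n.cloud.example.test/webhook/x">lookalike host</a></p>
</body></html>
"""

def find_n8n_webhooks(raw_email, own_tenants=frozenset()):
    """Return sorted (host, path) pairs for n8n webhook URLs found in any text
    part, skipping tenant hosts the organisation itself operates."""
    msg = message_from_string(raw_email)
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        payload = part.get_payload(decode=True) or b""  # undoes base64 / QP
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                parts = urlsplit(url)
            except ValueError:  # malformed URL, e.g. unbalanced "[" in host
                continue
            host = (parts.hostname or "").lower().rstrip(".")
            if not host.endswith(N8N_CLOUD_SUFFIX) or host in own_tenants:
                continue  # suffix match on the parsed host rejects lookalikes
            if parts.path.lower().startswith(WEBHOOK_PREFIXES):
                hits.add((host, parts.path))
    return sorted(hits)

if __name__ == "__main__":
    print(find_n8n_webhooks(SAMPLE_EMAIL, {"corp-flows.app.n8n.cloud"}))
```

Matching on the parsed hostname rather than the raw string keeps a host such as `app.n8n.cloud.example.test` from counting as a hit, and the allow-list keeps an organisation's own workflows out of the results.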
To defend against these threats, organizations need advanced visibility into their infrastructure. IntelligenceX provides the tools necessary to detect and mitigate these attacks.
With IntelligenceX, organizations can monitor suspicious activity, identify exposed assets, and respond proactively to threats.
The abuse of n8n webhooks demonstrates the need for a proactive approach to cybersecurity. Organizations must focus on visibility, monitoring, and threat intelligence to stay ahead of attackers.