A recent set of findings from security researchers highlights a growing trend in cyberattacks: the misuse of legitimate automation platforms to carry out phishing and malware campaigns. One such platform, n8n, is now being actively leveraged by threat actors to distribute malicious payloads and quietly gather intelligence on targets.
The activity, tracked by Cisco Talos, dates back to at least October 2025. What makes this campaign notable is that attackers are not exploiting a software vulnerability. Instead, they are using n8n exactly as intended—repurposing its automation features to support malicious workflows.
n8n is designed to help users automate processes by connecting applications, APIs, and services. It allows developers to deploy workflows on cloud-hosted environments, each assigned a unique subdomain under app.n8n.cloud (that is, a hostname ending in .app.n8n.cloud). These domains are trusted by default, which is precisely what makes them attractive to attackers.
The core of the abuse lies in the platform’s webhook functionality. Webhooks are essentially endpoints that listen for incoming data and trigger predefined actions. In normal use, they enable real-time automation between systems. In this case, however, attackers embed webhook URLs into phishing emails and use them as entry points for malicious activity.
When a user clicks one of these links, their browser sends a request to the webhook and processes the response as a legitimate web interaction. Since the request is tied to a trusted domain, it often bypasses traditional email and web filtering mechanisms. This significantly increases the chances of the attack succeeding.
Researchers have observed a sharp rise in phishing emails that include n8n webhook links, indicating that this approach is becoming more widely adopted. The ability to automate responses and manage campaigns at scale makes it particularly effective for attackers.
In one campaign, victims received emails that appeared to contain shared documents. Clicking on the link redirected them to a webpage displaying a CAPTCHA challenge. After completing the CAPTCHA, a malicious file was automatically downloaded from an external source.
Because the entire sequence is handled through scripts running in the browser, the download appears to originate from the n8n domain. This subtle detail plays a major role in convincing users that the interaction is legitimate.
The files delivered in these campaigns are often executables or MSI installers. These are used to deploy modified versions of legitimate remote monitoring and management tools such as Datto or ITarian. Once installed, these tools give attackers persistent access to the system and allow communication with command-and-control infrastructure.
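The delivery chain described above (a request to an n8n webhook host, then a browser-driven download of an executable or MSI from a different host) leaves a recognisable pattern in web proxy logs. The following Python script is an added example written for this article, not code from Cisco Talos, n8n or IntelligenceX. It correlates, per client, a request to a hostname ending in .app.n8n.cloud with a .exe or .msi download from another host within a short window. The log format, the five-minute window, the assumption that n8n webhook paths begin with /webhook, and the sample log lines are all constructed for the example.

```python
"""Flag clients that hit an n8n webhook host and then downloaded an
executable or MSI installer from a different host shortly afterwards.

Added example for this article; the log format and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp, client IP, method, URL, status, content-type.
# Client 10.0.0.15 matches the chain; 10.0.0.22 downloads far outside the window; 10.0.0.31 is benign.
SAMPLE_LOG = """\
2025-10-14T09:01:02Z 10.0.0.15 GET https://abc123.app.n8n.cloud/webhook/4f9e 200 text/html
2025-10-14T09:01:40Z 10.0.0.15 GET https://files.example-cdn.test/update.msi 200 application/x-msi
2025-10-14T09:05:00Z 10.0.0.22 GET https://xyz.app.n8n.cloud/webhook/77aa 200 text/html
2025-10-14T10:30:00Z 10.0.0.22 GET https://download.example.test/tool.exe 200 application/octet-stream
2025-10-14T11:00:00Z 10.0.0.31 GET https://intranet.example.test/report.pdf 200 application/pdf
"""

WEBHOOK_SUFFIX = ".app.n8n.cloud"     # from the article: each workflow gets a subdomain here
WEBHOOK_PATH_PREFIX = "/webhook"      # assumption: webhook endpoints live under this path
BINARY_EXTENSIONS = (".exe", ".msi")  # payload types named in the article
WINDOW = timedelta(minutes=5)         # assumed correlation window


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, client, method, url, status, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype,
    }


def is_n8n_webhook(url):
    """True if the URL points at a webhook on an n8n cloud subdomain.

    urlparse().hostname is lower-cased, and the leading dot in the suffix
    stops look-alike hosts such as app.n8n.cloud.evil.test from matching.
    """
    p = urlparse(url)
    return (p.hostname is not None
            and p.hostname.endswith(WEBHOOK_SUFFIX)
            and p.path.startswith(WEBHOOK_PATH_PREFIX))


def is_binary_download(url):
    """True if the URL path ends in an executable or installer extension."""
    return urlparse(url).path.lower().endswith(BINARY_EXTENSIONS)


def correlate(log_text, window=WINDOW):
    """Return one alert per (webhook hit, later binary download) pair for the same client."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, hit in enumerate(evs):
            if not is_n8n_webhook(hit["url"]):
                continue
            webhook_host = urlparse(hit["url"]).hostname
            for follow in evs[i + 1:]:
                if follow["ts"] - hit["ts"] > window:
                    break  # events are sorted, nothing later can be inside the window
                if is_binary_download(follow["url"]) and urlparse(follow["url"]).hostname != webhook_host:
                    alerts.append({
                        "client": client,
                        "webhook": hit["url"],
                        "download": follow["url"],
                        "delta_s": int((follow["ts"] - hit["ts"]).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed log this produces a single alert for 10.0.0.15 (webhook hit followed 38 seconds later by an MSI download); the 10.0.0.22 download falls outside the window and is ignored. Tune the window and the extension list to your environment, and treat a match as a triage lead to pair with the email that carried the link rather than as proof of compromise.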
In addition to malware delivery, n8n is also being used for passive reconnaissance. Attackers embed invisible tracking elements within emails that trigger requests to webhook URLs when opened. This allows them to confirm whether a message has been viewed and collect identifiers such as the recipient’s email address.
This type of tracking helps attackers refine their targeting and focus on users who are more likely to engage. It also enables them to gather intelligence without raising suspicion.
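Both uses of the webhook described above, the link in the lure (the phishing flow in the earlier paragraphs) and the invisible tracking element (the reconnaissance just described), show up in the HTML of the email itself. The following Python script is an added example for this article, not code from Cisco Talos, n8n or IntelligenceX: it walks an email body with the standard-library HTML parser and reports anchors and images whose URL points at a hostname ending in .app.n8n.cloud, classifying tiny or hidden images as tracking pixels. The webhook path prefix, the hidden-image heuristics and the sample email are assumptions constructed for the example.

```python
"""Find n8n webhook URLs in an email's HTML body, whether used as a clickable
lure link or as a hidden tracking image.

Added example for this article; the sample email is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

WEBHOOK_SUFFIX = ".app.n8n.cloud"  # from the article
WEBHOOK_PATH_PREFIX = "/webhook"   # assumption about the webhook path


def is_n8n_webhook(url):
    """True if the URL points at a webhook on an n8n cloud subdomain."""
    p = urlparse(url)
    return (p.hostname is not None
            and p.hostname.endswith(WEBHOOK_SUFFIX)
            and p.path.startswith(WEBHOOK_PATH_PREFIX))


class WebhookFinder(HTMLParser):
    """Collect <a href> and <img src> references to n8n webhooks."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "a" and a.get("href") and is_n8n_webhook(a["href"]):
            self._record("link", a["href"])
        elif tag == "img" and a.get("src") and is_n8n_webhook(a["src"]):
            self._record("tracking_pixel" if self._looks_hidden(a) else "image", a["src"])

    def _record(self, kind, url):
        # Keep the query string: it is where a per-recipient identifier would be carried.
        self.findings.append({"kind": kind, "url": url, "query": urlparse(url).query})

    @staticmethod
    def _looks_hidden(a):
        """Heuristic (assumed): 0/1-pixel dimensions or CSS that hides the image."""
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        return tiny or hidden


def scan_email_html(html):
    """Return a list of findings for every n8n webhook reference in the HTML."""
    finder = WebhookFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a shared-document lure with a hidden tracking image and benign references.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example.test/logo.png" width="120">
<p>A document has been shared with you.</p>
<p><a href="https://abc123.app.n8n.cloud/webhook/0d2f">Open shared document</a></p>
<p>See also <a href="https://docs.example.test/help">our help pages</a>.</p>
<img src="https://abc123.app.n8n.cloud/webhook/trk?r=user%40example.test" width="1" height="1" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed email this reports two findings: the lure link and the 1x1 hidden image, whose query string carries the recipient identifier. In a mail gateway or a detonation pipeline the same check can be applied to every HTML part; because the domain itself is legitimate, the path and the hidden-image context, not the hostname alone, are what justify quarantining or stripping the element.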
The misuse of n8n reflects a broader shift in the threat landscape. Modern attackers are increasingly relying on legitimate platforms and services rather than exploiting traditional vulnerabilities. This makes detection more difficult, as the activity blends in with normal operations.
To counter these threats, organizations need deeper visibility into how such platforms are being used within their environments. This is where solutions like IntelligenceX become highly relevant. By providing insights into infrastructure exposure, suspicious domains, and unusual activity patterns, IntelligenceX helps security teams identify and investigate potential threats.
For example, monitoring webhook traffic, analyzing domain behavior, and correlating phishing infrastructure are critical steps in detecting campaigns like these. With the support of IntelligenceX, organizations can uncover hidden connections and respond more effectively to emerging risks.
Another key aspect is ensuring that automation tools are configured securely. Many organizations adopt platforms like n8n without fully understanding the potential risks. IntelligenceX assists by identifying misconfigurations and highlighting areas where security controls may be lacking.
The findings from Cisco Talos emphasize the need for a more adaptive approach to cybersecurity. As attackers continue to evolve their methods, leveraging trusted services and automation tools, defenders must focus on visibility, monitoring, and proactive detection.
The abuse of n8n webhooks is a clear example of how legitimate technologies can be turned into attack vectors. Addressing this challenge requires continuous vigilance and a security strategy that evolves alongside the threat landscape.