Abhay Negi

How Cybercriminals Are Turning n8n Into a Phishing and Malware Automation Engine

Automation platforms are designed to improve efficiency and streamline workflows, but they can also be repurposed for malicious activities. Recent findings reveal how attackers are using n8n to automate phishing campaigns and distribute malware with alarming efficiency.

Cisco Talos has reported that attackers have been abusing n8n webhooks since October 2025. By embedding webhook URLs in phishing emails, they can trigger automated workflows that deliver malicious payloads or collect data from victims.

n8n’s architecture makes it particularly attractive for this purpose. Each workflow operates under a unique subdomain that is trusted by default. This allows attackers to bypass traditional security controls and deliver content that appears legitimate.

In one campaign, victims received emails that appeared to contain shared documents. Clicking on the link led to a webpage with a CAPTCHA challenge. Once completed, a malicious file was downloaded automatically.

The use of JavaScript ensures that the download process appears legitimate, further reducing the chances of detection. The payloads typically include installers that deploy modified remote access tools.

These tools provide attackers with persistent access and allow them to control compromised systems remotely.

In addition to delivering malware, attackers are using n8n webhooks for tracking. By embedding invisible elements in emails, they can gather data about recipients and identify active targets.

This combination of automation and intelligence gathering makes these campaigns highly effective.
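
A mail-filtering check for the two patterns described above (webhook links in the message body and invisible tracking elements), as an added example that is not from the original post or from Cisco Talos. It assumes n8n Cloud webhook URLs of the form `<workspace>.app.n8n.cloud/webhook/...`; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: n8n Cloud webhooks are served from <workspace>.app.n8n.cloud
# under /webhook/ or /webhook-test/. Self-hosted n8n uses arbitrary hosts.
N8N_HOST = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.I)
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/")

def is_n8n_webhook(url):
    try:
        parts = urlparse(url)
    except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
        return False
    return bool(N8N_HOST.match(parts.hostname or "") and WEBHOOK_PATH.match(parts.path))

class WebhookScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "a" and is_n8n_webhook(a.get("href", "")):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and is_n8n_webhook(a.get("src", "")):
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            kind = "tracking-pixel" if tiny or hidden else "image"
            self.findings.append((kind, a["src"]))

def scan_message(raw):
    scanner = WebhookScanner()
    for part in message_from_string(raw).walk():  # every MIME part
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            scanner.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return scanner.findings

# Constructed sample message (not taken from any real campaign).
SAMPLE = (
    "Subject: Shared document\nContent-Type: text/html; charset=utf-8\n\n"
    '<a href="https://example-ws.app.n8n.cloud/webhook/doc">View document</a>\n'
    '<a href="https://docs.example.com/webhook/help">Help</a>\n'
    '<img src="https://example-ws.app.n8n.cloud/webhook/open?id=1" width="1" height="1">\n'
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The host pattern is anchored at both ends so a lookalike such as `app.n8n.cloud.<other-domain>` does not match, and findings are best treated as a signal for review, since legitimate n8n users also send webhook links.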

To defend against such threats, organizations need advanced visibility into their infrastructure. IntelligenceX provides the tools necessary to detect and analyze suspicious activity.

With IntelligenceX, security teams can monitor webhook usage, identify phishing domains, and correlate data across multiple sources to uncover hidden threats.

Another advantage of IntelligenceX is its ability to identify misconfigurations and exposed assets. This helps organizations secure their environments and prevent attackers from exploiting vulnerabilities.

The misuse of n8n highlights the importance of adapting cybersecurity strategies to address new attack vectors. Organizations must move beyond traditional defenses and focus on proactive monitoring and threat intelligence.
