Security researchers have uncovered a concerning trend where attackers are repurposing legitimate automation platforms to support phishing campaigns and malware distribution. One platform in particular, n8n, is being increasingly misused to execute these operations while maintaining the appearance of legitimate activity.
According to research conducted by Cisco Talos, this activity has been observed since late 2025. Rather than exploiting a vulnerability in the software, threat actors are leveraging built-in features of n8n—especially its webhook functionality—to automate and scale their campaigns.
n8n is widely used by developers and organizations to connect applications, APIs, and services through automated workflows. Each workflow can be hosted on a cloud-based instance that operates under a unique subdomain of “app.n8n.cloud”. Because these domains belong to a trusted platform, links pointing at them often pass standard security checks unchallenged.
The primary technique involves embedding n8n webhook URLs into phishing emails. Webhooks are designed to receive incoming data and trigger automated processes. In a malicious context, these URLs act as entry points that initiate a chain of events once accessed by a victim.
When a user clicks on a webhook link, their browser interacts with the endpoint and processes the response as if it were part of a legitimate application. This behavior allows attackers to deliver content without raising immediate suspicion, effectively bypassing many traditional detection mechanisms.
Researchers have noted a significant increase in the number of phishing emails containing these webhook links. This growth suggests that attackers are finding this approach both reliable and scalable for conducting large campaigns.
In one documented case, victims received emails disguised as document-sharing notifications. The embedded link directed them to a webpage that displayed a CAPTCHA verification step. After completing the CAPTCHA, a malicious file was downloaded automatically from an external server.
The use of browser-based scripting ensures that the download appears to originate from the n8n domain, further reinforcing the illusion of legitimacy. This subtle detail makes it more difficult for users to recognize the threat.
The malicious files delivered in these campaigns are typically executables or MSI installers. These are used to deploy modified versions of legitimate remote monitoring and management tools, such as Datto or ITarian. Once installed, these tools enable attackers to maintain persistent access and communicate with their command-and-control infrastructure.
In addition to distributing malware, attackers are also using n8n webhooks for tracking purposes. By embedding invisible tracking elements within emails, they can collect data when a message is opened. This includes confirming that the email was viewed and gathering information about the recipient.
This passive reconnaissance allows attackers to identify active targets and refine their strategies. It also provides valuable insights without requiring further interaction from the victim.
The misuse of n8n is part of a broader shift in cyberattack strategies. Instead of relying solely on software vulnerabilities, attackers are increasingly exploiting legitimate tools and services. This approach makes detection more challenging, as malicious activity blends in with normal usage patterns.
To address this evolving threat, organizations need improved visibility into how automation platforms are being used. This is where solutions like IntelligenceX become critical. By offering capabilities such as threat intelligence, infrastructure analysis, and exposure monitoring, IntelligenceX helps identify suspicious activity and uncover hidden risks.
For instance, analyzing unusual webhook traffic, identifying suspicious domains, and correlating phishing infrastructure are essential steps in detecting campaigns like these. With the support of IntelligenceX, organizations can gain a clearer understanding of their threat landscape and respond more effectively.
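As an added illustration of the detection step described above (this is example code, not from Cisco Talos or the n8n project), the following scanner pulls links and image sources out of an HTML email body and flags any that resolve to an n8n cloud webhook, distinguishing clickable phishing links (the technique in the earlier paragraphs) from hidden tracking pixels (the passive reconnaissance described above). It assumes n8n's default webhook path prefixes `/webhook/` and `/webhook-test/`; the sample email and instance name are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

N8N_CLOUD_SUFFIX = ".app.n8n.cloud"            # hosted-instance subdomains
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")  # assumed n8n webhook paths


class _LinkCollector(HTMLParser):
    """Collect (url, tag, attrs) for every <a href> and <img src>."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], "a", a))
        elif tag == "img" and a.get("src"):
            self.links.append((a["src"], "img", a))


def is_n8n_webhook(url):
    """True if the URL targets a webhook on an n8n cloud instance."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and p.path.startswith(WEBHOOK_PREFIXES)


def _is_hidden_pixel(attrs):
    """Heuristic for an invisible tracking image: 0/1 px or display:none."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    return (w in ("0", "1") and h in ("0", "1")) or "display:none" in style


def scan_email_html(html):
    """Return a list of (finding_kind, url) for n8n webhook references."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for url, tag, attrs in collector.links:
        if not is_n8n_webhook(url):
            continue          # ordinary links, or n8n URLs that are not webhooks
        if tag == "a":
            findings.append(("webhook_link", url))
        elif _is_hidden_pixel(attrs):
            findings.append(("tracking_pixel", url))
        else:
            findings.append(("webhook_image", url))
    return findings


# Constructed sample: a fake document-share notification with a webhook link,
# a hidden tracking pixel, a benign link and a non-webhook n8n URL.
SAMPLE_EMAIL = """<html><body>
<p>A document was shared with you. <a href="https://acme-files.app.n8n.cloud/webhook/share-doc">Open document</a></p>
<p>Help: <a href="https://docs.example.com/sharing">sharing guide</a></p>
<img src="https://acme-files.app.n8n.cloud/webhook/open?id=123" width="1" height="1" />
<a href="https://acme-files.app.n8n.cloud/home">Workflow home</a>
</body></html>"""
```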
Another important aspect is ensuring that automation tools are deployed securely. Many organizations adopt platforms like n8n without fully considering the potential risks. IntelligenceX can assist in identifying misconfigurations and ensuring that these systems are properly secured, reducing the likelihood of abuse.
The findings from Cisco Talos highlight the need for a shift in how organizations approach cybersecurity. As attackers continue to leverage trusted platforms and automation tools, defenders must focus on monitoring behavior and understanding how these tools can be misused.
The abuse of n8n webhooks demonstrates that even widely trusted technologies can become part of sophisticated attack chains. Preventing such threats requires continuous monitoring, better visibility, and a proactive security strategy that evolves alongside the changing threat landscape.