DEV Community

Abhay Negi

n8n Automation Platform Misused in Phishing Campaigns to Deliver Malware and Track Victims

A new wave of phishing campaigns is demonstrating how attackers are increasingly abusing legitimate automation platforms to carry out malicious operations. Researchers have found that n8n, a popular workflow automation tool, is being leveraged by threat actors to distribute malware and collect intelligence on targets, all while appearing to operate from a trusted environment.

According to an analysis by Cisco Talos, this activity has been ongoing since October 2025. Rather than exploiting a technical flaw in the platform, attackers are taking advantage of its built-in features—especially webhooks—to create scalable and efficient attack chains.

n8n is widely used for connecting applications, APIs, and services through automated workflows. It allows users to deploy these workflows on cloud-hosted instances that operate under unique subdomains, typically formatted as “.app.n8n.cloud.” This structure simplifies automation but also creates a trusted domain space that attackers can misuse.

The primary method of abuse involves webhook URLs. Webhooks are designed to receive data and trigger actions in real time, acting as a bridge between different systems. In a malicious context, these URLs are embedded into phishing emails and used as entry points for attacks.

When a recipient clicks on such a link, their browser interacts with the webhook endpoint and processes the response as legitimate content. Because the domain belongs to a trusted service, the interaction often bypasses security filters and raises little suspicion.

Researchers have observed a significant increase in phishing emails containing n8n webhook links, indicating that this method is gaining traction among attackers. The ability to automate responses and scale operations makes it particularly attractive for large campaigns.

In one example highlighted by researchers, victims received emails that appeared to contain shared documents. Clicking the link led them to a webpage featuring a CAPTCHA challenge. After completing the CAPTCHA, a malicious file was silently downloaded from an external server.

The process is executed entirely within the webpage using JavaScript, making the download appear as though it originated from the n8n domain. This technique enhances the credibility of the attack and reduces the likelihood of detection.

The payloads delivered through these campaigns typically include executable files or MSI installers. These installers are used to deploy modified versions of legitimate remote management tools such as Datto or ITarian. Once installed, these tools allow attackers to maintain persistent access and communicate with command-and-control servers.

In addition to delivering malware, attackers are also using n8n for tracking and reconnaissance. By embedding invisible tracking elements, such as pixels, within emails, they can gather information when a message is opened. This includes confirming that the email was viewed and capturing identifying details about the recipient.

This approach allows attackers to identify active targets and refine their campaigns without requiring further interaction. It also provides valuable intelligence that can be used for follow-up attacks.

The growing misuse of platforms like n8n highlights a broader shift in the threat landscape. Instead of relying solely on vulnerabilities, attackers are increasingly leveraging legitimate tools to achieve their objectives. This makes detection more challenging and requires a different approach to security.

To effectively defend against such threats, organizations need better visibility into how trusted platforms are being used. This is where solutions like IntelligenceX become highly valuable. By offering capabilities such as threat detection, infrastructure monitoring, and vulnerability assessments, IntelligenceX helps identify suspicious activity associated with automation platforms.

For example, tracking unusual webhook usage, analyzing traffic patterns, and identifying connections between phishing domains are critical steps in mitigating these attacks. With the support of IntelligenceX, organizations can detect these patterns early and respond before campaigns grow larger.
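As an added example (not from the Talos analysis or any vendor tool), the check below flags n8n cloud webhook URLs in an email body and distinguishes a clickable lure link from an invisible tracking pixel loaded via an `<img>` tag, which covers both the phishing-link and reconnaissance patterns described above. The `*.app.n8n.cloud` hostname is from the article; the `/webhook/` and `/webhook-test/` path prefixes and the sample email are assumptions constructed for the demonstration.

```python
"""Flag n8n cloud webhook links and tracking pixels in email bodies.

Added defensive example; the URL path shape and sample email are assumed.
"""
import re
from dataclasses import dataclass

# Hostname shape as described in the article; path prefixes are an assumption.
N8N_WEBHOOK_RE = re.compile(
    r"https?://(?P<instance>[a-z0-9-]+)\.app\.n8n\.cloud"
    r"(?P<path>/webhook(?:-test)?/[^\s\"'<>]*)",
    re.IGNORECASE,
)
# An <img> whose src points at a webhook fires when the mail is rendered:
# that is the tracking-pixel pattern, with no click required.
IMG_SRC_RE = re.compile(r"<img[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)


@dataclass
class Finding:
    kind: str       # "link" or "tracking_pixel"
    instance: str   # the n8n cloud subdomain hosting the workflow
    url: str


def scan_email(body: str) -> list[Finding]:
    """Return one Finding per distinct n8n webhook URL found in the body."""
    pixel_urls = {m.group(1) for m in IMG_SRC_RE.finditer(body)
                  if N8N_WEBHOOK_RE.search(m.group(1))}
    findings, seen = [], set()
    for m in N8N_WEBHOOK_RE.finditer(body):
        url = m.group(0)
        if url in seen:
            continue
        seen.add(url)
        kind = "tracking_pixel" if url in pixel_urls else "link"
        findings.append(Finding(kind, m.group("instance").lower(), url))
    return findings


# Constructed sample: a "shared document" lure plus a hidden tracking pixel.
SAMPLE_EMAIL = """
<p>A document has been shared with you.</p>
<a href="https://acme-docs.app.n8n.cloud/webhook/share?id=42">Open document</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/px?r=jdoe" width="1" height="1">
<a href="https://intranet.example.com/docs">Intranet</a>
"""

if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        print(f"{f.kind:15} {f.instance:12} {f.url}")
```

The same regex can be applied to proxy or mail-gateway logs to surface the "unusual webhook usage" the paragraph above recommends tracking.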

Another important factor is securing automation workflows themselves. Many organizations adopt low-code platforms without fully considering the security implications. IntelligenceX assists in identifying misconfigurations and ensuring that these systems are properly secured, reducing the risk of abuse.

The findings from Cisco Talos underline the importance of adapting security strategies to address modern threats. As attackers continue to leverage automation and trusted infrastructure, organizations must move beyond traditional defenses and focus on monitoring behavior and usage patterns.

The abuse of n8n webhooks serves as a clear example of how legitimate tools can be transformed into effective attack vectors. Preventing this requires continuous monitoring, improved visibility, and a proactive approach that keeps pace with the evolving threat landscape.
