One of the most alarming cybersecurity developments this year is the weaponization of legitimate workflow platforms.
Attackers are abusing n8n webhooks to deliver malware, track victims, and maintain stealth.
Instead of sending victims to obviously suspicious domains, attackers now use trusted n8n cloud URLs.
This helps phishing emails evade detection.
Victims receive fake collaboration emails and click a shared-document link.
The link opens a CAPTCHA-protected page.
After the victim interacts with the page, the malware downloads automatically.
The payload commonly includes altered remote monitoring and management (RMM) tools that establish remote access.
Another layer of the attack involves invisible webhook-hosted pixels that collect victim metadata.
This includes device information and interaction behavior.
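A mail-side check for the two artifacts described above, the webhook link and the invisible pixel, added here as an example and not taken from the original post. It assumes n8n Cloud tenants are served from `*.app.n8n.cloud` with webhooks under `/webhook/` or `/webhook-test/`; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: n8n Cloud tenants are served from *.app.n8n.cloud and expose
# webhooks under /webhook/ (production) or /webhook-test/ (test).
N8N_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")

def is_n8n_webhook(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host.endswith(N8N_SUFFIX) and parts.path.startswith(WEBHOOK_PREFIXES)

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and is_n8n_webhook(a.get("href") or ""):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and is_n8n_webhook(a.get("src") or ""):
            # A 0/1-pixel or CSS-hidden image on a webhook is a beacon.
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            kind = "tracking-pixel" if tiny or hidden else "image"
            self.findings.append((kind, a["src"]))

def scan_email(raw):
    collector = Collector()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return collector.findings

# Constructed sample message (hostnames and webhook IDs are placeholders).
SAMPLE = """\
From: share@example.com
Content-Type: text/html; charset=utf-8

<a href="https://tenant-example.app.n8n.cloud/webhook/doc-0000">Open document</a>
<a href="https://example.com/help">Help</a>
<img src="https://tenant-example.app.n8n.cloud/webhook/px-0000" width="1" height="1">
"""

if __name__ == "__main__":
    for kind, url in scan_email(SAMPLE):
        print(kind, url)
```

Organizations that run their own n8n Cloud workflows should allowlist their tenant hostname before alerting on matches.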
For defenders, platforms like IntelligenceX can help map this infrastructure and track threat actor behavior.
By using IntelligenceX, analysts can investigate suspicious cloud-hosted links and identify repeat phishing patterns.
This campaign demonstrates that trusted SaaS platforms are increasingly being used as cybercrime infrastructure.