Cyber threats are evolving beyond traditional vulnerabilities, and recent research shows that attackers are now leveraging trusted automation platforms to execute large-scale phishing and malware campaigns. One such platform, n8n, has become an unexpected tool in the hands of threat actors looking to exploit its automation capabilities.
According to findings from Cisco Talos, attackers have been abusing n8n webhooks since late 2025 to distribute malicious payloads and gather intelligence on victims. Instead of breaking into systems through software flaws, these actors are using legitimate features to automate their operations.
n8n is widely used for building workflows that connect applications, APIs, and services. It lets users deploy these workflows on cloud-hosted subdomains ending in ".app.n8n.cloud". Because the parent domain is reputable, these subdomains are often treated as trusted by security controls, which makes them attractive to attackers who want to bypass those controls.
The core of the attack lies in webhook URLs. Webhooks are designed to receive data and trigger workflows automatically. In malicious campaigns, these URLs are embedded into phishing emails and used as entry points for further actions.
When a user clicks one of these links, the browser requests the webhook endpoint and renders whatever the workflow returns as if it were legitimate content. Because the link points to a trusted domain, this interaction often passes traditional email security filters.
Researchers have observed a significant increase in phishing campaigns that use n8n webhook links. This indicates that attackers are actively adopting this method due to its effectiveness and scalability.
In one campaign, victims received emails that appeared to contain shared documents. Clicking on the embedded link redirected them to a webpage displaying a CAPTCHA challenge. Once the CAPTCHA was completed, a malicious file was automatically downloaded from an external server.
JavaScript on that page triggers the download, so the file appears to come from the n8n domain rather than from the external server that actually hosts it, making it less likely to raise suspicion.
The payloads delivered in these campaigns often include executable files or MSI installers. These installers are used to deploy modified versions of legitimate remote monitoring tools such as Datto and ITarian. Once installed, these tools provide attackers with persistent access to the compromised system.
In addition to delivering malware, attackers are also using webhook-based tracking techniques. By embedding invisible tracking elements in emails, they can gather information when a message is opened. This allows them to identify active targets and refine their campaigns.
This shift toward abusing legitimate platforms highlights the need for better visibility into infrastructure and application behavior. Solutions like IntelligenceX play a critical role in this area.
With IntelligenceX, organizations can analyze suspicious domains, monitor webhook activity, and detect patterns associated with phishing campaigns. This level of visibility is essential for identifying threats before they escalate.
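The two detection angles described above (webhook links and invisible tracking elements in email, and webhook activity visible in outbound traffic) can be turned into a simple triage script. The block below is an added example, not code from the article, from Cisco Talos, or from IntelligenceX. The ".app.n8n.cloud" suffix comes from the article; the "/webhook/" and "/webhook-test/" path prefixes are an assumption about where n8n exposes webhook triggers, and the email body, proxy-log format, tenant name and IP addresses are constructed for illustration.

```python
"""Flag n8n cloud webhook URLs in HTML email bodies and web-proxy logs.

Added example for this article; all sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Suffix of n8n cloud-hosted workflow subdomains, as described in the article.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# Assumption: n8n serves webhook triggers under these path prefixes.
WEBHOOK_PATH_PREFIXES = ("/webhook/", "/webhook-test/")

ATTR_URL_RE = re.compile(r'\b(href|src)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# A 1x1 (or 1px) width/height is the classic tracking-pixel signature.
TINY_DIM_RE = re.compile(r'\b(width|height)\s*=\s*["\']?0*1(px)?\b', re.IGNORECASE)
# Constructed proxy-log layout: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_n8n_webhook(url: str) -> bool:
    """True when the URL points at a webhook endpoint on an n8n cloud subdomain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and parsed.path.startswith(WEBHOOK_PATH_PREFIXES)


def looks_hidden(img_tag: str) -> bool:
    """Heuristic for an invisible tracking element: 1x1 dimensions or hidden via CSS."""
    compact = re.sub(r"\s+", "", img_tag.lower())
    return bool(TINY_DIM_RE.search(img_tag)) or "display:none" in compact or "visibility:hidden" in compact


def scan_email_html(html: str) -> list:
    """Return findings for n8n webhook URLs found in an HTML email body."""
    findings = []
    # Images first: a webhook URL in an <img src> that is hidden is a tracking pixel.
    for match in IMG_TAG_RE.finditer(html):
        tag = match.group(0)
        src = ATTR_URL_RE.search(tag)
        if src and is_n8n_webhook(src.group(2)):
            kind = "tracking_pixel" if looks_hidden(tag) else "webhook_image"
            findings.append({"kind": kind, "url": src.group(2)})
    # Then clickable links that would take the user to a webhook endpoint.
    for attr, url in ATTR_URL_RE.findall(html):
        if attr.lower() == "href" and is_n8n_webhook(url):
            findings.append({"kind": "webhook_link", "url": url})
    return findings


def scan_proxy_log(text: str) -> list:
    """Return one hit per proxy-log line whose URL is an n8n webhook endpoint."""
    hits = []
    for line in text.splitlines():
        m = PROXY_LINE_RE.match(line.strip())
        if m and is_n8n_webhook(m.group("url")):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "url": m.group("url"),
                         "host": urlparse(m.group("url")).hostname})
    return hits


def hosts_by_client(hits: list) -> dict:
    """Map each internal client to the set of n8n tenant hosts it reached, for triage."""
    out = {}
    for hit in hits:
        out.setdefault(hit["src"], set()).add(hit["host"])
    return out


# Constructed sample email: a "shared document" lure with a hidden open-tracking pixel.
SAMPLE_EMAIL_HTML = """
<p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/open-document">View document</a>
<a href="https://docs.example.com/help">Help</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/opened?id=42" width="1" height="1" style="display:none">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
"""

# Constructed proxy log: two clients touching the same n8n tenant, plus benign traffic.
SAMPLE_PROXY_LOG = """\
2026-01-15T10:02:11Z 10.0.0.5 GET https://example-tenant.app.n8n.cloud/webhook/open-document 200
2026-01-15T10:02:12Z 10.0.0.5 GET https://cdn.example.com/logo.png 200
2026-01-15T10:02:40Z 10.0.0.9 GET https://example-tenant.app.n8n.cloud/webhook/opened?id=42 200
2026-01-15T10:03:05Z 10.0.0.5 GET https://intranet.example.com/ 200
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL_HTML):
        print("email:", finding["kind"], finding["url"])
    for client, hosts in hosts_by_client(scan_proxy_log(SAMPLE_PROXY_LOG)).items():
        print("proxy:", client, "->", ", ".join(sorted(hosts)))
```

The host check deliberately keys on the suffix rather than on a specific tenant name, since each campaign uses its own subdomain; pairing the email findings with the proxy hits lets an analyst see which internal clients actually followed a flagged link or loaded a flagged pixel.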
Another important aspect is identifying misconfigurations in automation platforms. Many organizations deploy tools like n8n without fully understanding the security implications. IntelligenceX helps uncover these risks and ensures that systems are configured securely.
The findings from Cisco Talos highlight a growing trend in cybersecurity: attackers are no longer relying solely on vulnerabilities but are instead leveraging trusted platforms to achieve their goals.
As automation tools continue to evolve, organizations must adopt a proactive approach to security. Monitoring how these platforms are used and identifying abnormal behavior is key to preventing abuse.
The misuse of n8n webhooks demonstrates that even legitimate technologies can become powerful attack vectors. Organizations must adapt their security strategies to address this reality and ensure they are prepared for emerging threats.