Abhay Negi

n8n Webhook Exploitation: A Growing Threat Leveraging Trusted Infrastructure for Malware Delivery

The cybersecurity landscape is rapidly evolving, and one of the most concerning trends is the abuse of legitimate platforms to execute malicious campaigns. Recent research has highlighted how attackers are exploiting n8n, a popular workflow automation platform, to orchestrate phishing attacks and distribute malware at scale.

Unlike traditional attacks that rely on vulnerabilities, this technique leverages trust. n8n allows users to create automated workflows hosted on cloud-based subdomains, typically formatted as “.app.n8n.cloud”. These domains are widely trusted, making them ideal for attackers seeking to bypass security controls.

Cisco Talos researchers have observed that since late 2025, threat actors have been embedding n8n webhook URLs into phishing emails. These webhooks act as triggers for automated workflows, enabling attackers to deliver malicious content once a victim interacts with the link.

When a user clicks on such a link, their browser processes the response as legitimate content from a trusted domain. This significantly reduces the likelihood of detection by email security filters and endpoint protection systems.

One particularly effective campaign involved emails disguised as document-sharing notifications. Victims were redirected to a webpage featuring a CAPTCHA challenge. Once completed, the page initiated the download of a malicious payload from an external server.

Because the entire process is executed through browser-based scripts, the download appears to originate from the n8n domain. This illusion of legitimacy plays a critical role in the success of the attack.

The payloads delivered in these campaigns often include executable files or MSI installers. These installers deploy modified versions of legitimate remote monitoring tools such as Datto and ITarian, enabling attackers to maintain persistent access and establish communication with command-and-control servers.

Beyond malware delivery, attackers are also leveraging n8n for reconnaissance. By embedding invisible tracking elements in phishing emails, they can gather information about recipients, including whether the email has been opened and who interacted with it.

This data allows attackers to refine their campaigns and focus on high-value targets, making their operations more efficient and effective.
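The two observations above, webhook URLs embedded in phishing links and invisible tracking elements pointing at the same infrastructure, both come down to spotting n8n cloud hosts inside an e-mail body. The following is an added example written for this article, not code from the original post, from Cisco Talos or from the n8n project. It parses an e-mail's HTML, flags anchors whose target is a webhook on a ".app.n8n.cloud" subdomain, and flags images on such hosts that are sized or styled to be invisible. The host suffix comes from the post; the "/webhook/" and "/webhook-test/" path prefixes are an assumption based on n8n's default webhook routing, and the sample e-mail is constructed for the demonstration.

```python
"""Added example (not from the original post): flag n8n webhook links and
hidden tracking images in an e-mail body.

Assumptions, labelled as such:
- n8n cloud workflows live on hosts ending in ".app.n8n.cloud" (from the post).
- Webhook triggers sit under "/webhook/" or "/webhook-test/" (assumption
  based on n8n's default routing; the post does not state the path).
- SAMPLE_EMAIL below is constructed for this example, not a real message.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

N8N_HOST_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_PREFIXES = ("/webhook/", "/webhook-test/")  # assumption, see above


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and the attributes of every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []   # href strings from <a> tags
        self.images = []  # attribute dict per <img> tag

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)


def is_n8n_host(url):
    """True when the URL's host is a subdomain of app.n8n.cloud."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(N8N_HOST_SUFFIX)


def is_webhook_url(url):
    """True for an n8n cloud host whose path is a webhook trigger."""
    return is_n8n_host(url) and urlparse(url).path.startswith(WEBHOOK_PATH_PREFIXES)


def _looks_hidden(img):
    """Heuristic for tracking pixels: 1x1 / zero-size, display:none or visibility:hidden."""
    def dim(value):
        m = re.match(r"\s*(\d+)", value or "")
        return int(m.group(1)) if m else None
    w, h = dim(img.get("width")), dim(img.get("height"))
    style = (img.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def analyse_email(html):
    """Return a list of (finding_type, url) pairs for the given e-mail HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.links:
        if is_webhook_url(href):
            findings.append(("n8n_webhook_link", href))
    for img in collector.images:
        if is_n8n_host(img["src"]) and _looks_hidden(img):
            findings.append(("n8n_tracking_pixel", img["src"]))
    return findings


# Constructed sample: one benign link, one benign image, one n8n webhook
# link styled as a document-sharing notification, one 1x1 tracking pixel.
SAMPLE_EMAIL = """
<html><body>
<p>A document has been shared with you.</p>
<a href="https://www.example.com/help">Help centre</a>
<a href="https://acme-docs.app.n8n.cloud/webhook/d0c-share-7f3a">View document</a>
<img src="https://www.example.com/logo.png" width="120" height="40">
<img src="https://acme-docs.app.n8n.cloud/webhook/open-track?id=42" width="1" height="1" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for kind, url in analyse_email(SAMPLE_EMAIL):
        print(f"{kind}: {url}")
```

Run against the constructed message, the script reports the "View document" link as an n8n webhook and the 1x1 image as an n8n-hosted tracking pixel, while the example.com link and logo pass. A mail gateway or SOAR playbook would use the same check to quarantine or tag messages for review; the host match is the reliable part, and the hidden-image heuristic is deliberately loose because tracking elements vary in how they are concealed.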

To combat these evolving threats, organizations must prioritize visibility into their infrastructure and application behavior. This is where IntelligenceX becomes indispensable.

With IntelligenceX, organizations can identify suspicious domains, analyze webhook activity, and uncover hidden connections between phishing campaigns and attacker infrastructure. This level of insight is critical for detecting and mitigating threats before they escalate.

Additionally, IntelligenceX enables security teams to identify exposed assets and misconfigurations that could be exploited by attackers. This proactive approach helps reduce the attack surface and strengthens overall security posture.

The abuse of n8n webhooks underscores a broader shift in cyberattack strategies. Attackers are increasingly relying on legitimate tools to achieve their objectives, making detection more challenging.

Organizations must adapt by implementing advanced monitoring solutions, improving visibility, and adopting a proactive approach to cybersecurity.
