Recent cybersecurity investigations have revealed how attackers are increasingly misusing legitimate automation platforms to carry out phishing and malware operations. One platform that has come under scrutiny is n8n, a widely used workflow automation tool that allows seamless integration between applications and services.
According to research conducted by Cisco Talos, attackers have been abusing n8n’s webhook functionality since late 2025. Rather than exploiting a software flaw, these actors are leveraging the platform’s intended capabilities to automate malicious campaigns at scale.
n8n enables users to deploy workflows on cloud-hosted instances, each reachable on a unique subdomain of the form “<instance>.app.n8n.cloud.” Because that parent domain belongs to a legitimate SaaS provider, links under it are trusted by design, which makes them attractive to attackers seeking to bypass traditional email and web security controls.
The primary technique involves embedding webhook URLs within phishing emails. A webhook is a listener endpoint that receives incoming HTTP requests and triggers predefined workflow actions, including returning whatever response the workflow author configured. When a user clicks such a link, the browser receives that attacker-defined response (a redirect or an HTML page) as legitimate content served from the trusted domain.
This approach allows attackers to deliver malicious payloads while avoiding detection. Researchers have observed a sharp increase in phishing campaigns using this method, indicating its growing popularity.
In one campaign, victims received emails disguised as document-sharing notifications. The embedded link redirected them to a webpage displaying a CAPTCHA challenge. Once completed, the page triggered the download of a malicious file hosted on an external server.
Because the interaction occurs within a trusted domain, the download appears legitimate, increasing the likelihood of successful infection. The payloads typically include executable files or MSI installers used to deploy modified remote management tools such as Datto or ITarian.
These tools allow attackers to maintain persistent access and communicate with command-and-control servers. In addition to malware delivery, attackers also use webhook-based tracking techniques to identify active targets and gather intelligence.
Solutions like IntelligenceX play an important role in detecting such campaigns. By analyzing infrastructure exposure and identifying suspicious domain behavior, IntelligenceX enables organizations to uncover hidden attack patterns.
Furthermore, IntelligenceX helps security teams monitor webhook activity and detect anomalies that may indicate abuse.
As attackers continue to exploit trusted platforms, organizations must prioritize visibility and proactive monitoring. The misuse of n8n highlights the need for a security strategy that goes beyond traditional defenses.
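One concrete form of the monitoring the article calls for is to flag outbound links that point at n8n cloud webhook endpoints in proxy or mail-gateway logs. The following is an added example, not code from the article, Cisco Talos, or n8n; the `.app.n8n.cloud` suffix comes from the article, while the `/webhook/` and `/webhook-test/` path prefixes are n8n's default webhook routes and are treated as an assumption here, as are the constructed sample log lines.

```python
"""Flag URLs that point at n8n cloud webhook endpoints in proxy/mail log lines."""
import re
from urllib.parse import urlparse

N8N_CLOUD_SUFFIX = ".app.n8n.cloud"                       # suffix named in the article
WEBHOOK_PATH_PREFIXES = ("/webhook/", "/webhook-test/")   # assumption: n8n default routes
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_n8n_webhook_url(url: str) -> bool:
    """True if the host is a genuine *.app.n8n.cloud subdomain and the path is a
    webhook route. The suffix check is anchored on the parsed hostname, so a
    lookalike such as x.app.n8n.cloud.example.net does not match."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(N8N_CLOUD_SUFFIX):
        return False
    return parsed.path.startswith(WEBHOOK_PATH_PREFIXES)


def scan_log_lines(lines):
    """Return (line_number, url) for every n8n webhook URL found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")  # drop trailing punctuation from free text
            if is_n8n_webhook_url(url):
                hits.append((n, url))
    return hits


# Constructed sample lines (not real indicators): one webhook hit, one
# ordinary n8n editor URL, one lookalike domain, one unrelated /webhook path,
# and one upper-case webhook-test URL with trailing punctuation.
SAMPLE_LOG = [
    "2026-01-12T09:14:03Z proxy user=alice GET https://acme-docs.app.n8n.cloud/webhook/3f2a-share 200",
    "2026-01-12T09:15:10Z proxy user=bob GET https://acme.app.n8n.cloud/workflow/12 200",
    "2026-01-12T09:16:44Z proxy user=carol GET https://files.app.n8n.cloud.example.net/webhook/x 200",
    "2026-01-12T09:17:01Z proxy user=dave GET https://example.com/webhook/notify 200",
    "2026-01-12T09:18:22Z mail from=sender@example.org url=HTTPS://Invoices.App.N8N.Cloud/webhook-test/abc. 250",
]

if __name__ == "__main__":
    for n, url in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: n8n webhook URL -> {url}")
```

Teams that do not use n8n at all may prefer to drop the path check and alert on any `*.app.n8n.cloud` link, since the domain is unlikely to appear in their legitimate traffic.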