Security researchers have uncovered a concerning trend where threat actors are abusing n8n, a widely used workflow automation platform, to execute phishing campaigns and distribute malicious payloads. By taking advantage of legitimate infrastructure, attackers are able to bypass traditional security mechanisms and disguise their activity as trusted communication.
According to findings published by Cisco Talos, this abuse has been ongoing since at least October 2025. The attackers are leveraging n8n’s webhook functionality to automate malicious workflows, making it easier to scale attacks while maintaining a level of credibility that typical phishing campaigns often lack.
n8n is designed to simplify automation by allowing users to connect applications, APIs, and services without complex setup requirements. Through its cloud-hosted model, users can create custom workflows under unique subdomains of the form “.app.n8n.cloud”. This convenience, however, has also introduced new opportunities for misuse.
One of the core features being exploited is the webhook system. Webhooks act as listeners that trigger workflows when specific data is received through a dedicated URL. In normal use cases, this allows applications to communicate efficiently. In malicious scenarios, however, these URLs can be embedded into phishing emails and used as delivery mechanisms.
When a victim interacts with such a link, their browser processes the webhook response as if it were legitimate content. This creates an illusion of trust, as the interaction appears to originate from a known and reputable domain associated with n8n. As a result, traditional email filters and security tools are less likely to flag these messages as suspicious.
Researchers have observed a sharp increase in the use of these webhook-based attacks. In fact, the volume of phishing emails containing n8n webhook links in March 2026 was reported to be significantly higher compared to early 2025, indicating rapid adoption of this technique among threat actors.
In one documented campaign, attackers sent emails posing as shared documents. These messages contained embedded webhook links that directed users to a webpage displaying a CAPTCHA prompt. Once the user completed the verification step, a malicious payload was automatically downloaded from an external server.
Because the entire interaction is handled through JavaScript within the webpage, the download process appears to originate from the n8n domain itself. This adds another layer of deception, making it more difficult for users and security systems to identify the threat.
The payloads delivered through these campaigns are typically executable files or MSI installers. These files are often used to deploy modified versions of legitimate remote management tools such as Datto or ITarian Endpoint Management. Once installed, these tools allow attackers to establish persistent access and connect to command-and-control infrastructure.
In addition to malware delivery, n8n webhooks are also being used for device fingerprinting. In this scenario, attackers embed invisible tracking elements, such as pixels, within emails. When the email is opened, the victim’s system automatically sends a request to the webhook URL, revealing information such as the email address and confirming that the message has been viewed.
This capability enables attackers to identify active targets and refine their campaigns for higher success rates. It also allows them to gather intelligence without requiring any direct interaction beyond opening the email.
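As an added defender-side example (not code from the Talos report or from this article), the following Python detector scans an HTML email body for anchors and image tags that point at n8n-cloud webhook URLs, covering both the link-based delivery described above and the tracking-pixel fingerprinting. The sample email, the tenant name and the `/webhook/` and `/webhook-test/` path prefixes are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts under n8n's cloud-hosted model ("<tenant>.app.n8n.cloud"), as the article describes.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# Path prefixes n8n uses for webhook triggers (assumption based on n8n's routing, not from the article).
WEBHOOK_PATHS = ("/webhook/", "/webhook-test/")


class _RefCollector(HTMLParser):
    """Collect <a href> and <img src> references together with their attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (kind, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.refs.append(("img", a["src"], a))


def _is_tiny(attrs):
    """A 0x0 or 1x1 image is the classic invisible tracking pixel."""
    w, h = attrs.get("width"), attrs.get("height")
    return w is not None and h is not None and w.strip() in ("0", "1") and h.strip() in ("0", "1")


def find_n8n_webhooks(html):
    """Return one finding per n8n-cloud webhook reference in an HTML email body."""
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for kind, url, attrs in parser.refs:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host.endswith(N8N_CLOUD_SUFFIX) or not parsed.path.startswith(WEBHOOK_PATHS):
            continue  # not an n8n-cloud webhook URL; ordinary links are ignored
        if kind == "img" and _is_tiny(attrs):
            kind = "tracking_pixel"  # fires on open, leaking the address embedded in the URL
        tenant = host[: -len(N8N_CLOUD_SUFFIX)]  # the workflow owner's subdomain, useful for blocking
        findings.append({"kind": kind, "url": url, "tenant": tenant})
    return findings


# Constructed sample email mimicking the "shared document" lure plus an open-tracking pixel.
SAMPLE_EMAIL = """
<p>A document has been shared with you.</p>
<a href="https://acme-docs.app.n8n.cloud/webhook/view-document?id=123">Open document</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/open?u=victim%40example.com" width="1" height="1">
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for finding in find_n8n_webhooks(SAMPLE_EMAIL):
        print(finding)
```

The tenant value can be fed to a mail-gateway block list or correlated across messages to cluster a single campaign.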
The abuse of n8n highlights a broader issue in modern cybersecurity: legitimate tools are increasingly being repurposed for malicious activity. As automation platforms become more powerful and accessible, they also become attractive targets for misuse.
Addressing this challenge requires greater visibility into how such platforms are being used. This is where solutions like IntelligenceX become highly relevant. By providing capabilities such as threat detection, infrastructure monitoring, and vulnerability assessment, IntelligenceX helps organizations identify suspicious activity linked to trusted domains and uncover hidden attack patterns.
For example, tracking webhook-based domains, analyzing unusual traffic flows, and correlating phishing infrastructure are critical steps in detecting campaigns like these. With the support of IntelligenceX, organizations can gain deeper insight into attacker behavior and respond before these threats escalate.
Another important aspect is reducing exposure. Many organizations rely on automation tools without fully understanding the associated risks. IntelligenceX assists in identifying potential misconfigurations and ensuring that integrations are secured properly, helping prevent these platforms from being abused as attack vectors.
The findings from Cisco Talos serve as a reminder that convenience often comes with trade-offs. While low-code and automation platforms offer significant productivity benefits, they also introduce new security challenges that must be addressed proactively.
As attackers continue to adapt, organizations need to adopt a more comprehensive approach to security—one that includes monitoring trusted platforms, analyzing infrastructure, and strengthening defenses against evolving techniques.
The misuse of n8n webhooks demonstrates that even legitimate tools can become part of the threat landscape. Ensuring they remain assets rather than liabilities requires continuous vigilance, informed decision-making, and the right security capabilities in place.