Attackers no longer rely only on suspicious domains or obviously malicious infrastructure. One of the latest examples is the abuse of legitimate automation platforms: trusted cloud services are being used to deliver malware and run phishing campaigns at scale, precisely because their domains carry good reputations.
A recent investigation by Cisco Talos has highlighted how threat actors have been abusing n8n, a widely used workflow automation platform, since October 2025. The discovery is significant because it shows how cybercriminals are increasingly turning productivity and automation tools into vehicles for malware distribution and victim tracking.
n8n is a low-code workflow automation platform that enables developers and businesses to connect APIs, applications, and services. It is commonly used to automate repetitive tasks, synchronize data, and create event-driven workflows. Because of its legitimate business use cases, domains associated with n8n are generally considered trustworthy, which makes them attractive for abuse.
According to the research, attackers have been embedding n8n webhook URLs in phishing emails. The links look legitimate because they sit under a workspace hostname of the form something.app.n8n.cloud. When a victim clicks the link, the webhook triggers a workflow the attacker has prepared in advance, and the workflow's HTTP response serves the next stage of the attack.
In one of the most notable campaigns, the victim receives an email disguised as a shared document notification. The email prompts the user to click a link to view the file. Once clicked, the victim is redirected to a page that displays a CAPTCHA challenge.
At first glance, this seems harmless and even legitimate. CAPTCHA prompts are commonly used to verify users and prevent bots. However, in this campaign, completing the CAPTCHA triggers the automatic download of a malicious payload from an external server.
Because the link the victim clicks lives on a reputable n8n domain, URL-reputation and domain-based filters tend to let it through, even though the payload itself is fetched from a separate attacker-controlled server. The trusted first hop is what lets the download slip past reputation-based defenses; the browser is not making any judgement about legitimacy.
The payload delivered in these campaigns is usually an executable or MSI installer that acts as a loader for modified remote monitoring and management (RMM) tools. Examples include altered versions of software such as Datto or ITarian.
Once installed, these tools establish persistent access to the compromised system and connect back to attacker-controlled infrastructure. This gives threat actors remote control over the infected machine, enabling surveillance, lateral movement, and data theft.
Another concerning aspect of the campaign is the use of n8n for device fingerprinting and victim tracking.
Attackers embed invisible tracking pixels or images whose source is a webhook URL inside phishing emails. The moment the email is rendered, the victim's email client issues an HTTP request to the webhook, and the workflow behind it logs whatever that request reveals.
That request can expose:
IP address (from the connection itself)
device type, operating system and browser details (from the User-Agent and other request headers)
a per-recipient identifier that the attacker placed in the pixel URL, which ties the open to a specific email address
This data lets attackers confirm which addresses are live, profile targets, and prioritize high-value victims.
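The two email-side indicators described above, a clickable webhook link and a webhook-hosted tracking pixel, can be picked out of a message body mechanically. The script below is an added example written for this article, not code from Cisco Talos or the n8n project. It relies on n8n's own URL layout (cloud workspaces under something.app.n8n.cloud, webhooks served from /webhook/ and /webhook-test/ on any host); the workspace name, the sample email, and the query keys tried for a recipient token are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# n8n's documented URL layout: cloud workspaces live under <workspace>.app.n8n.cloud and
# production/test webhooks are served from /webhook/<path> and /webhook-test/<path>.
# Self-hosted instances keep the same path prefixes on an arbitrary host, so we check both.
N8N_CLOUD_HOST = re.compile(r"(^|\.)app\.n8n\.cloud$", re.IGNORECASE)
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)

# Constructed sample phishing email (not a real capture): a "shared document" lure with a
# webhook link, a 1x1 tracking pixel on the same workspace, and an ordinary logo image.
SAMPLE_EMAIL = """<html><body>
<p>A document was shared with you.</p>
<a href="https://acme-ops.app.n8n.cloud/webhook/4f0c1a8e-share?id=r-7731">View document</a>
<img src="https://acme-ops.app.n8n.cloud/webhook/px/QmFzZTY0UmVjaXBpZW50SWQx" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
</body></html>"""


def is_n8n_webhook(url):
    """True if the URL points at an n8n webhook endpoint (cloud host or webhook path)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False
    on_cloud = bool(N8N_CLOUD_HOST.search(p.hostname or ""))
    return on_cloud or bool(WEBHOOK_PATH.match(p.path))


def recipient_token(url):
    """Pull a per-recipient identifier if the sender put one in the query or the path.
    The query keys tried here are an assumption; real campaigns use whatever name they like."""
    p = urlparse(url)
    q = parse_qs(p.query)
    for key in ("id", "uid", "e", "email", "t", "token"):
        if key in q:
            return q[key][0]
    # Fall back to the last path segment when it looks like an opaque token.
    last = p.path.rstrip("/").rsplit("/", 1)[-1]
    return last if re.fullmatch(r"[A-Za-z0-9_-]{16,}", last) else None


class _Extractor(HTMLParser):
    """Collects clickable links and image sources, noting 1x1 or hidden images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []  # (src, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            tiny = a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            self.images.append((a["src"], tiny or hidden))


def analyze_email_html(html):
    """Return findings for webhook-hosted links and tracking images in an email body."""
    ex = _Extractor()
    ex.feed(html)
    findings = []
    for url in ex.links:
        if is_n8n_webhook(url):
            findings.append({"kind": "webhook_link", "url": url, "tracking_id": recipient_token(url)})
    for url, stealthy in ex.images:
        if is_n8n_webhook(url):
            findings.append({"kind": "tracking_pixel" if stealthy else "webhook_image",
                             "url": url, "tracking_id": recipient_token(url)})
    return findings


if __name__ == "__main__":
    for f in analyze_email_html(SAMPLE_EMAIL):
        print(f)
```

On the sample, the link is reported as a webhook_link carrying the token r-7731 and the 1x1 image as a tracking_pixel carrying the opaque path token; the logo is ignored. A hit on a webhook URL is a signal, not a verdict: plenty of organisations receive legitimate n8n webhook links, so route findings to analyst review or enrichment rather than straight to block.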
This is where threat-intelligence search services such as IntelligenceX become useful.
With IntelligenceX, researchers and security teams can search for suspicious domains, keep an eye on webhook-based infrastructure, and pull together indicators of compromise before a campaign scales further.
The rise of trusted-platform abuse also highlights a broader security issue. Modern attacks no longer rely solely on obviously malicious infrastructure. Instead, attackers are piggybacking on reputable services that organizations may already whitelist.
This makes traditional email filtering and domain-based blocking far less effective, since the domain that delivers the lure is one you cannot simply block.
Security teams should focus on:
sandboxing downloaded files
monitoring unusual webhook traffic, in particular webhook hits that are followed by an executable download from a different host
blocking unsolicited MSI and EXE downloads
inspecting JavaScript behavior on CAPTCHA and landing pages
tracking outbound connections, especially from newly installed RMM agents
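The second and third recommendations above translate into a simple correlation over web-proxy logs: an n8n webhook hit on its own is normal, but a webhook hit followed within a few minutes by an MSI or EXE download from a different host matches the CAPTCHA-to-payload chain described in this article. The script below is an added example written for this page, not Cisco Talos tooling; the log format, the hosts, the time window and the content-type list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines (not real telemetry). Fields: timestamp, client IP, method,
# URL, HTTP status, response content-type. Client 10.20.0.15 follows the n8n lure, lands on
# a CAPTCHA page and pulls an MSI from a separate host; client 10.20.0.42 only uses a
# legitimate internal n8n integration and, hours later, fetches an unrelated installer.
SAMPLE_LOG = """\
2025-11-03T09:14:02Z 10.20.0.15 GET https://acme-ops.app.n8n.cloud/webhook/4f0c1a8e-share?id=r-7731 200 text/html
2025-11-03T09:14:40Z 10.20.0.15 GET https://verify-docs-portal.example/captcha 200 text/html
2025-11-03T09:15:11Z 10.20.0.15 GET https://files-cdn-share.example/dl/Document_Viewer.msi 200 application/x-msi
2025-11-03T09:16:00Z 10.20.0.42 POST https://corp-int.app.n8n.cloud/webhook/ticket-sync 200 application/json
2025-11-03T11:02:33Z 10.20.0.42 GET https://updates.vendor.example/agent.exe 200 application/octet-stream
"""

# n8n serves webhooks from /webhook/ and /webhook-test/ whether cloud-hosted or self-hosted.
WEBHOOK_URL = re.compile(r"^https?://[^/?#]+/webhook(-test)?/", re.IGNORECASE)
# Content types and extensions treated as Windows installers/executables (assumed list).
BINARY_TYPES = {
    "application/x-msi",
    "application/x-msdownload",
    "application/octet-stream",
    "application/vnd.microsoft.portable-executable",
}
BINARY_EXT = (".msi", ".exe")


def parse_line(line):
    """Split one constructed log line into a dict; the format is this example's own."""
    ts, client, method, url, status, ctype = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype,
    }


def is_binary_download(ev):
    """Successful GET whose body or path looks like an installer or executable."""
    path = urlparse(ev["url"]).path.lower()
    return (
        ev["method"] == "GET"
        and ev["status"] == 200
        and (ev["ctype"] in BINARY_TYPES or path.endswith(BINARY_EXT))
    )


def correlate(log_text, window_seconds=600):
    """Alert when a client touches an n8n webhook and then downloads an executable from a
    *different* host within the window. The webhook alone is never an alert: n8n has
    many legitimate users, and the same-host check avoids flagging a service that happens
    to serve its own installer through n8n."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = {}  # client -> [(ts, webhook host)] hits still inside the window
    alerts = []
    for ev in events:
        hits = [h for h in recent.get(ev["client"], []) if ev["ts"] - h[0] <= window]
        recent[ev["client"]] = hits
        if WEBHOOK_URL.match(ev["url"]):
            hits.append((ev["ts"], urlparse(ev["url"]).hostname))
        elif is_binary_download(ev):
            dl_host = urlparse(ev["url"]).hostname
            for ts, wh_host in hits:
                if wh_host != dl_host:
                    alerts.append({
                        "client": ev["client"],
                        "webhook_host": wh_host,
                        "download": ev["url"],
                        "seconds_after_webhook": int((ev["ts"] - ts).total_seconds()),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises exactly one alert, for 10.20.0.15, 69 seconds after its webhook hit; the integration traffic from 10.20.0.42 is ignored because its installer download falls outside the window. Tune the window to the dwell time you see between CAPTCHA and download in your own environment, and feed the flagged download URL to the sandbox rather than relying on the content-type alone, since a loader can be served as text/html or with a misleading extension.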
Intelligence-driven visibility is critical here, and this is where platforms like IntelligenceX help defenders understand how malicious infrastructure evolves.
The abuse of automation services like n8n serves as a warning that productivity platforms can quickly become threat vectors when misused.