Cybersecurity researchers have uncovered a new technique in which attackers exploit automation platforms to enhance phishing campaigns. n8n, a widely used workflow tool, has emerged as a key component in these operations.
According to Cisco Talos, attackers have been using n8n webhooks since late 2025 to automate phishing workflows and deliver malicious payloads. This approach allows them to operate within a trusted environment, making detection more difficult.
n8n provides cloud-hosted workflows that are reachable through unique subdomains. Because these subdomains belong to a legitimate service, they are generally trusted, which lets attackers blend malicious activity with legitimate traffic.
In phishing campaigns, webhook URLs are embedded within emails. When a recipient clicks one, the link triggers an automated workflow that delivers malicious content. Because the interaction originates from a trusted domain, it often bypasses security filters.
In one case, victims were directed to a webpage containing a CAPTCHA challenge. After completing the challenge, a malicious file was downloaded from an external server. The use of browser-based scripting made the download appear legitimate.
The payloads included modified remote management tools that allowed attackers to maintain persistent access. Additionally, webhook-based tracking techniques were used to gather intelligence on victims.
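One way a mail pipeline could surface the embedded webhook links and webhook-based trackers described above for triage. This is an added example, not code from Cisco Talos or n8n. It assumes n8n Cloud tenants use hosts ending in `.app.n8n.cloud` with webhook paths under `/webhook/` or `/webhook-test/`; the sample message and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: n8n Cloud tenants live under <tenant>.app.n8n.cloud and expose
# webhooks under /webhook/ or /webhook-test/. Extend for self-hosted instances.
N8N_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")

class RefCollector(HTMLParser):
    """Collects (kind, url) pairs: clickable links and auto-loaded images."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag == "img" and a.get("src"):
            # Remote images load when the mail is opened, so a webhook acts as a tracker.
            self.refs.append(("tracker", a["src"]))

def is_n8n_webhook(url):
    """True only for http(s) URLs on a real n8n Cloud subdomain with a webhook path."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return False
    return (parts.scheme in ("http", "https")
            and host.endswith(N8N_SUFFIX)
            and parts.path.startswith(WEBHOOK_PREFIXES))

def find_n8n_webhooks(html_body):
    """Return sorted (kind, url) findings for one HTML email body."""
    collector = RefCollector()
    collector.feed(html_body)
    return sorted({(k, u) for k, u in collector.refs if is_n8n_webhook(u)})

# Constructed sample message body (not taken from any real campaign).
SAMPLE = """
<p>Doc: <a href="https://example-tenant.app.n8n.cloud/webhook/0000-placeholder">Open</a></p>
<a href="https://n8n.io/pricing">About n8n</a>
<a href="https://app.n8n.cloud.lookalike.example/webhook/x">lookalike</a>
<img src="https://Example-Tenant.app.n8n.cloud/webhook/open-placeholder?m=1" width="1">
"""

if __name__ == "__main__":
    print(find_n8n_webhooks(SAMPLE))
```

Legitimate workflows use the same URL shape, so a match is a signal to correlate with sender reputation and message context rather than a verdict on its own.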
Solutions such as IntelligenceX provide valuable capabilities in detecting these threats. By analyzing domain behavior and identifying suspicious activity, IntelligenceX helps organizations stay ahead of attackers.
With IntelligenceX, security teams can monitor webhook traffic, identify anomalies, and respond proactively to emerging threats.
The rise of this technique highlights the importance of adapting security strategies to address the misuse of legitimate platforms. Organizations must focus on visibility, monitoring, and proactive threat detection.