Abhay Negi

Threat Actors Leverage n8n Webhooks to Scale Phishing and Malware Delivery Campaigns

Security researchers have uncovered an emerging technique where attackers are exploiting the automation capabilities of n8n, a widely used workflow orchestration platform, to execute phishing operations and distribute malicious payloads. By taking advantage of legitimate infrastructure, these campaigns are able to evade traditional security controls and appear more trustworthy to victims.

Analysis from Cisco Talos indicates that this activity has been ongoing since at least October 2025. The attackers are not exploiting a vulnerability in the platform itself, but rather abusing its intended features—particularly webhooks—to automate and streamline their attack workflows.

n8n is designed to connect applications, APIs, and services through customizable workflows. Users can deploy these workflows on cloud-hosted instances, each reachable under its own subdomain of the form <instance-name>.app.n8n.cloud. This setup simplifies automation, but it also means every instance inherits the reputation of a trusted domain, which can be misused.

The key component being exploited is the webhook system. Webhooks function as endpoints that receive incoming data and trigger predefined actions. In legitimate use cases, they enable real-time communication between systems. However, attackers have begun embedding these webhook URLs into phishing emails, effectively turning them into delivery mechanisms.

When a recipient clicks one of these links, the browser issues an ordinary web request to the webhook and renders whatever the workflow returns. Because the request goes to a legitimate n8n domain, it carries an inherent level of trust, which makes it harder for email filters and security solutions to flag the activity as malicious.

Researchers have observed a sharp increase in the use of webhook-based phishing techniques. The volume of emails containing such links has grown significantly, suggesting that attackers are actively adopting this method due to its effectiveness and scalability.

In one observed campaign, emails were crafted to appear as document-sharing notifications. Victims who followed the embedded link were directed to a page displaying a CAPTCHA challenge. Once the user completed the verification step, a malicious file was automatically retrieved from an external source.

The entire process is executed through JavaScript within the webpage, making the download appear as though it originates from the n8n domain. This adds a layer of credibility to the attack, reducing suspicion and increasing the likelihood of successful execution.

The payloads delivered in these scenarios typically include executable files or MSI installers. These files are used to deploy altered versions of legitimate remote monitoring and management tools such as Datto or ITarian. Once installed, these tools allow attackers to maintain persistent access and establish communication with command-and-control infrastructure.

Beyond malware delivery, attackers are also using n8n webhooks for reconnaissance purposes. By embedding invisible tracking elements within phishing emails, they can collect data when the email is opened. This includes confirming whether the message was viewed and capturing identifiers such as the recipient’s email address.

This information enables attackers to refine their targeting and prioritize active victims. It also allows them to gather intelligence without requiring direct interaction beyond simply opening the email.
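The two email-side uses described above (a clickable webhook link for payload delivery, and an invisible webhook-backed image for open tracking) are the kind of thing a mail gateway can triage directly. The following is an added example, not code from the article or from Cisco Talos; it assumes n8n cloud webhooks are served under a /webhook/ path on <instance>.app.n8n.cloud, and the sample email body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Cloud instances live under <name>.app.n8n.cloud (stated in the article); the
# /webhook/ path prefix is an assumption about n8n's default webhook URL layout.
N8N_WEBHOOK_RE = re.compile(
    r"^https?://[a-z0-9-]+\.app\.n8n\.cloud/webhook(?:-test)?/", re.IGNORECASE)

class _WebhookRefs(HTMLParser):
    """Collect anchors and images whose target is an n8n webhook endpoint."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and N8N_WEBHOOK_RE.match(a.get("href", "")):
            self.links.append(a["href"])
        elif tag == "img" and N8N_WEBHOOK_RE.match(a.get("src", "")):
            # A 0/1-pixel image fetched from a webhook acts as a read receipt.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.images.append((a["src"], tiny))

def triage_email_html(html: str) -> dict:
    """Classify n8n webhook references in an email body as delivery links or tracking pixels."""
    p = _WebhookRefs()
    p.feed(html)
    pixels = [src for src, tiny in p.images if tiny]
    # Query parameters on a pixel URL are where per-recipient identifiers ride back.
    leaked = {src: sorted(parse_qs(urlparse(src).query)) for src in pixels}
    return {
        "webhook_links": p.links,
        "tracking_pixels": pixels,
        "pixel_params": leaked,
        "verdict": "suspicious" if (p.links or p.images) else "clean",
    }

# Constructed sample resembling the document-sharing lure described above.
SAMPLE_EMAIL = """<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-instance.app.n8n.cloud/webhook/open-doc">Open document</a>
<img src="https://example-instance.app.n8n.cloud/webhook/seen?r=victim%40example.com"
     width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120">
</body></html>"""

if __name__ == "__main__":
    print(triage_email_html(SAMPLE_EMAIL))
```

Running it on the sample flags one delivery link and one tracking pixel, and reports that the pixel URL carries an r parameter, the per-recipient identifier the article says attackers collect.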

The growing misuse of n8n reflects a broader trend in cybersecurity, where legitimate tools are increasingly being repurposed for malicious activities. As automation platforms become more powerful and accessible, they also become attractive targets for abuse.

Addressing this challenge requires enhanced visibility into how such platforms are being used. Solutions like IntelligenceX play a vital role in this context. By providing capabilities such as threat detection, infrastructure analysis, and vulnerability assessments, IntelligenceX enables organizations to identify suspicious patterns and detect emerging threats early.

For example, monitoring unusual webhook activity, analyzing traffic patterns, and correlating phishing infrastructure are essential steps in mitigating these attacks. With the help of IntelligenceX, security teams can uncover hidden relationships between domains and identify malicious campaigns before they expand further.

Another important consideration is securing automation environments. Many organizations adopt low-code platforms without fully evaluating the associated risks. IntelligenceX supports this by identifying misconfigurations, assessing exposure, and ensuring that integrations are implemented securely.

The findings from Cisco Talos highlight the need for a shift in how organizations approach cybersecurity. Rather than focusing solely on vulnerabilities, there is a growing need to monitor how trusted platforms can be misused.

As attackers continue to evolve their strategies, leveraging automation and legitimate services, organizations must adapt by strengthening their detection and response capabilities.

The abuse of n8n webhooks serves as a reminder that even well-intentioned tools can become part of complex attack chains. Preventing such misuse requires continuous monitoring, improved visibility, and a proactive approach to security that keeps pace with modern threats.
