
Abhay Negi


Trusted Automation Tools Turned Threat Vectors: n8n Webhooks in Modern Phishing Attacks

The cybersecurity landscape is witnessing a significant shift as attackers move away from exploiting traditional vulnerabilities and begin abusing legitimate platforms to carry out malicious activities. One of the latest examples of this trend involves n8n, a workflow automation platform now being used to support phishing campaigns and malware delivery.

Research from Cisco Talos reveals that attackers have been abusing n8n webhooks since October 2025. By using the platform’s built-in features, they automate phishing operations and deliver payloads from infrastructure that appears legitimate.

n8n lets users build workflows that run on cloud-hosted subdomains of the platform. Because those subdomains belong to a legitimate service, they carry a good reputation and often pass through security filters, which makes them attractive for malicious use.

The attack process begins with phishing emails that contain embedded webhook URLs. Each link is a trigger for an automated workflow: when a recipient clicks it, the workflow runs a sequence of actions that ultimately delivers malicious content.

Because the interaction occurs within a trusted domain, it is less likely to be flagged by security systems. This gives attackers a significant advantage.

In one example, victims received emails that appeared to contain shared files. Clicking the link redirected them to a webpage with a CAPTCHA prompt. After completing the CAPTCHA, a malicious file was downloaded automatically.

The payloads used in these campaigns are often disguised as legitimate installers. Once executed, they deploy modified remote access tools that allow attackers to maintain control over the system.

In addition to delivering malware, attackers are also using webhook-based tracking to gather intelligence. By embedding tracking elements in emails, they can identify which users have opened the message and are likely to engage further.

This approach allows attackers to refine their campaigns and focus on high-value targets.
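As an added defensive example (not code from the post or from Cisco Talos), the script below triages an email's HTML body for the two webhook uses described above: clickable n8n webhook links and webhook-backed tracking pixels. The `.app.n8n.cloud` host suffix, the `/webhook/` path convention and the sample message are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not stated in the article): n8n cloud instances are served
# under <tenant>.app.n8n.cloud and webhook triggers answer on /webhook/ or
# /webhook-test/. Self-hosted n8n would need its own host list.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/")

class _RefCollector(HTMLParser):
    """Collect clickable hrefs and image sources from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

def is_n8n_webhook(url):
    """True if the URL points at a webhook trigger on an n8n cloud subdomain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return (p.scheme in ("http", "https")
            and host.endswith(N8N_CLOUD_SUFFIX)
            and WEBHOOK_PATH.match(p.path) is not None)

def triage_email_html(html):
    """Return (kind, url) findings: clickable webhook links and images that fire on render."""
    c = _RefCollector()
    c.feed(html)
    findings = [("webhook_link", u) for u in c.links if is_n8n_webhook(u)]
    for src, w, h in c.images:
        if is_n8n_webhook(src):
            # A 1x1 or 0x0 image is a tracking pixel, not visible content.
            tiny = w in ("0", "1") or h in ("0", "1")
            findings.append(("tracking_pixel" if tiny else "webhook_image", src))
    return findings

# Constructed sample mimicking the "shared file" lure described in the post.
SAMPLE = """<html><body><p>A file has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/shared-file">Open file</a>
<a href="https://docs.example.com/help">Help</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/opened?u=42" width="1" height="1">
</body></html>"""
```

Run `triage_email_html(SAMPLE)` to see one `webhook_link` and one `tracking_pixel` finding; the ordinary help link is left alone.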

To defend against these threats, organizations need better visibility into their infrastructure and the tools they use. This is where IntelligenceX becomes highly valuable.

IntelligenceX enables organizations to monitor suspicious activity, identify exposed assets, and detect phishing infrastructure. By correlating data across multiple sources, it provides a comprehensive view of potential threats.

Another key benefit of IntelligenceX is its ability to identify misconfigurations in automation platforms. This helps organizations secure their environments and reduce the risk of exploitation.

The misuse of n8n highlights the importance of adapting security strategies to address new attack techniques. Organizations must move beyond traditional defenses and focus on monitoring behavior and identifying anomalies.

As attackers continue to evolve and lean on legitimate platforms to carry out their operations, proactive security measures become more critical than ever.
