N8n Webhooks Exploited For Malware Delivery And Phishing Campaigns Since October 2025

Threat actors have been exploiting n8n, a widely used workflow automation platform, to carry out phishing campaigns and distribute malicious payloads since October 2025. According to findings published by Cisco Talos, attackers are leveraging the platform’s trusted cloud infrastructure to bypass conventional security filters and deliver malware through automated email workflows. The activity highlights how legitimate productivity tools are increasingly being repurposed to support persistent remote access and other malicious operations.

N8n enables users to connect web applications, APIs, and artificial intelligence services to automate tasks and synchronize data without requiring complex infrastructure setup. Users can create developer accounts at no cost and deploy workflows through a managed cloud environment, each instance receiving an account-specific subdomain under n8n's cloud service. A central feature of the platform is its support for webhooks, which act as triggers that initiate workflows when specific data is received through a unique URL. These webhook URLs effectively function as listeners, allowing applications to exchange real-time information and execute automated processes when accessed.

Researchers at Cisco Talos identified that these exposed webhook URLs, hosted on trusted n8n cloud subdomains, are being abused in phishing attacks. When a victim interacts with such a link, the browser processes the webhook response as a web page, enabling attackers to deliver malicious content while maintaining the appearance of legitimacy. This approach has enabled threat actors to significantly increase the scale of their campaigns, with email messages containing such links rising by approximately 686 percent in March 2026 compared to January 2025. In one observed campaign, attackers embedded webhook links in emails disguised as shared documents. When clicked, victims were directed to a page displaying a CAPTCHA prompt, and completing it triggered the download of a malicious file from an external server. Because the process is executed within embedded JavaScript, the browser interprets the download as originating from the trusted n8n domain.

The attacks are designed to deploy executable files or MSI installers that act as entry points for modified versions of legitimate remote monitoring and management tools such as Datto RMM and ITarian Endpoint Management. These tools are then used to establish persistence by connecting to command-and-control servers, allowing attackers to maintain access to compromised systems. In addition to malware delivery, another technique involves device fingerprinting through invisible tracking pixels embedded in phishing emails. These pixels are linked to n8n webhook URLs and automatically send HTTP requests when the email is opened, transmitting data such as the recipient's email address and enabling attackers to identify and track targets.
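Both techniques described above leave the same trace in the message body: a reference to an n8n cloud webhook URL, either as a clickable lure or as a hidden image. The following Python scanner is an added illustration written for this article, not code from Cisco Talos or from the n8n project. It assumes, for illustration, that n8n cloud instances are served from per-account subdomains ending in `.app.n8n.cloud` and that webhook triggers live under a `/webhook/` or `/webhook-test/` path; the sample email is constructed and contains no real campaign indicators. The scanner walks the HTML, matches anchors and images against that pattern, and labels an image that is both hidden (1x1, 0x0, or `display:none`) and webhook-bound as a tracking pixel.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not stated in the article): n8n cloud instances are served from
# per-account subdomains of app.n8n.cloud, and webhook triggers live under
# /webhook/ or /webhook-test/. Adjust to match what your own mail logs show.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)


def is_n8n_webhook_url(url: str) -> bool:
    """True when url points at a webhook path on an n8n cloud subdomain."""
    try:
        p = urlparse(url)
    except ValueError:
        return False
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and bool(WEBHOOK_PATH_RE.match(p.path))


def _looks_hidden(attrs: dict) -> bool:
    """Heuristic for a tracking pixel: 1x1 / 0x0 dimensions or hidden via CSS."""
    w = (attrs.get("width") or "").strip()
    h = (attrs.get("height") or "").strip()
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = w in ("0", "1") or h in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class _RefCollector(HTMLParser):
    """Collects <a href> and <img src> references, noting whether an image is hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, url, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"], False))
        elif tag == "img" and a.get("src"):
            self.findings.append(("image", a["src"], _looks_hidden(a)))


def scan_email_html(html: str) -> list:
    """Return (kind, url, hidden) for every reference to an n8n webhook URL.

    kind is 'link' for an anchor (the lure), 'pixel' for a hidden <img>
    (the fingerprinting beacon), or 'image' for a visible <img>.
    """
    collector = _RefCollector()
    collector.feed(html)
    hits = []
    for kind, url, hidden in collector.findings:
        if not is_n8n_webhook_url(url):
            continue
        if kind == "image" and hidden:
            kind = "pixel"
        hits.append((kind, url, hidden))
    return hits


# Constructed sample message (not a real campaign artifact) combining the two
# patterns from the article: a "shared document" lure and a hidden tracking pixel.
SAMPLE_EMAIL = """
<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/0123-open-document">Open document</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/trk?e=user%40example.com"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
<a href="https://www.example.com/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, url, hidden in scan_email_html(SAMPLE_EMAIL):
        print(f"{kind:5} hidden={hidden} {url}")
```

A hit from this scanner is a triage signal rather than a verdict: organizations that legitimately run n8n workflows will see webhook URLs in their own mail, so the useful follow-ups are whether the sending tenant is one your business actually uses and whether the image tag is hidden, since a legitimate workflow notification has no reason to embed an invisible beacon.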

The findings underscore how low-code automation platforms, designed to streamline development and operational workflows, can also be exploited due to their flexibility and ease of integration. Cisco Talos noted that as organizations continue to adopt automation technologies, there is a growing need for security teams to monitor how these tools are used and to ensure they are not turned into vectors for cyber threats.

