n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
Trusted Automation, Malicious Intent: n8n Webhooks Abused for Malware Delivery
TL;DR
Threat actors are weaponizing n8n, a popular AI-integrated workflow automation platform, to bypass security filters. Since October 2025, attackers have used n8n’s cloud-hosted webhooks to deliver malware through phishing emails and conduct device fingerprinting. By leveraging n8n’s trusted infrastructure, these campaigns have seen a massive 686% increase in volume as of March 2026.
A new analysis from Cisco Talos has revealed that cybercriminals are increasingly turning to low-code automation tools to facilitate sophisticated phishing campaigns. The platform of choice in recent months is n8n, an artificial intelligence (AI) workflow automation tool used by developers to sync data and build agentic systems.
By exploiting the platform's ability to host webhooks on trusted cloud domains, attackers are successfully bypassing traditional security filters that typically flag suspicious or unknown URLs.
How Attackers Weaponize n8n Infrastructure
n8n allows users to sign up for a developer account at no cost, providing a managed cloud service. This setup automatically generates a unique custom domain for the user in the format: <account name>.app.n8n.cloud.
The core of the abuse lies in n8n's webhooks—often called "reverse APIs." These are designed to listen for data from external services to trigger automated workflows. However, Cisco Talos researchers Sean Gallagher and Omid Mirzaei found that these URLs can be configured to host programmatically pulled HTML content.
When a victim clicks a link to one of these webhooks in a phishing email, their browser renders the n8n-hosted output as an ordinary webpage. Because the traffic originates from a trusted *.app.n8n[.]cloud subdomain, it is less likely to be blocked by automated security gateways.
Rapid Growth in Attack Volume
The shift toward n8n-based attacks has been swift and aggressive. According to the report:
- October 2025: Initial observations of n8n webhook abuse began.
- March 2026: The volume of emails containing these malicious URLs was roughly 686% higher than levels seen in January 2025.
Phishing Tactics and Malware Delivery
Researchers highlighted two primary methods currently being used by threat actors:
1. The "Shared Document" Payload Delivery
In this scenario, attackers send a phishing email claiming to contain a shared document. The embedded link leads to an n8n-hosted webhook.
- The page displays a CAPTCHA to trick the user into a sense of security.
- Once the CAPTCHA is solved, a malicious payload is downloaded from an external host.
- The Deception: Because the download process is encapsulated in the HTML's JavaScript, the browser perceives the file as originating from the trusted n8n domain rather than the actual external malicious source.
The ultimate goal of these attacks is to deliver executables or MSI installers. These installers deploy modified versions of legitimate Remote Monitoring and Management (RMM) tools, such as Datto and ITarian Endpoint Management, allowing attackers to establish persistent access to the victim's device via a command-and-control (C2) server.
2. Device Fingerprinting and Tracking
Attackers are also using n8n to identify and track targets. By embedding an "invisible image" or tracking pixel hosted on an n8n webhook URL within an email, they can gather data automatically. When the recipient opens the email, the client sends an HTTP GET request to the n8n URL. This request can include tracking parameters, such as the victim's email address, allowing the attacker to verify active targets and fingerprint their devices.
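The two lures described above (a "shared document" link pointing at an n8n webhook, and a hidden tracking image whose webhook URL carries the recipient's address) can both be surfaced at the mail gateway by inspecting the HTML body. The following is an added detection example written for this article, not code from Cisco Talos or from the n8n project. It assumes the host format stated above (`<account>.app.n8n.cloud`) and n8n's `/webhook/` and `/webhook-test/` URL prefixes; the account name `example-account` and the email body are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Every free n8n cloud account receives a host of this shape (format quoted in the article).
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# n8n exposes production webhooks under /webhook/ and test webhooks under /webhook-test/.
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/")
# Loose check for an e-mail address smuggled in a query-string value.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class _UrlCollector(HTMLParser):
    """Collect (tag, url, attributes) for every anchor and image in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.found.append(("a", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.found.append(("img", a["src"], a))


def is_n8n_webhook(url):
    """True when the URL points at a webhook on an n8n cloud tenant."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and bool(WEBHOOK_PATH_RE.match(p.path))


def _is_hidden_image(attrs):
    # 1x1 / 0x0 images or display:none styling are the usual tracking-pixel tells.
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    styled_off = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    return tiny or styled_off


def analyze_email_html(html):
    """Return one finding per n8n webhook reference in the body.

    kind is 'webhook_link' (clickable lure), 'tracking_pixel' (hidden image) or
    'n8n_image' (visible image); leaked_params lists query keys whose value is an
    e-mail address, i.e. recipient data the webhook would receive on open.
    """
    collector = _UrlCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.found:
        if not is_n8n_webhook(url):
            continue
        p = urlparse(url)
        qs = parse_qs(p.query)
        leaks = sorted(k for k, vals in qs.items() if any(EMAIL_RE.match(v) for v in vals))
        if tag == "img":
            kind = "tracking_pixel" if _is_hidden_image(attrs) else "n8n_image"
        else:
            kind = "webhook_link"
        findings.append({"kind": kind, "host": p.hostname, "path": p.path, "leaked_params": leaks})
    return findings


# Constructed sample message: one document lure, one benign link, one tracking pixel.
SAMPLE_EMAIL = """<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-account.app.n8n.cloud/webhook/shared-doc">Open document</a>
<a href="https://www.example.com/">Company site</a>
<img src="https://example-account.app.n8n.cloud/webhook/px?u=victim%40example.com" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in analyze_email_html(SAMPLE_EMAIL):
        print(f)
```

Running the block on the sample yields two findings: the `/webhook/shared-doc` link and a `tracking_pixel` whose `u` parameter carries an address, which is the fingerprinting signal to alert on. Legitimate n8n links do occur in business mail, so a deployment would pair this with an allowlist of the organisation's own tenant names rather than blocking the suffix outright.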
A Challenge for Security Teams
The very features that make n8n a powerful tool for developers—flexibility, ease of integration, and seamless automation—are what make it an attractive vehicle for cybercrime.
"By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access," the Cisco Talos researchers noted.
As low-code and AI-driven automation platforms become more prevalent, security teams are challenged to monitor these "trusted" environments for signs of abuse without disrupting legitimate business workflows.
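Monitoring for the "shared document" chain without blocking legitimate n8n use comes down to correlation: a visit to a webhook on an n8n tenant the organisation does not own, followed shortly by an executable or MSI download from some other host (or a download whose Referer is that webhook page). The example below is added for this article and is not Cisco Talos or n8n code; the tab-separated proxy log format, the client addresses, the host names and the approved tenant name `corp-automation` are all constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# Hypothetical: n8n cloud tenants the organisation operates; visits to these are not suspicious.
APPROVED_N8N_ACCOUNTS = {"corp-automation"}
WINDOW = timedelta(seconds=120)          # how long after a webhook visit a download is linked to it
EXEC_EXTENSIONS = (".exe", ".msi")
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-msi", "application/octet-stream"}


def n8n_account(url):
    """Tenant name if the URL is on n8n cloud, else None."""
    host = (urlparse(url).hostname or "").lower()
    return host[: -len(N8N_CLOUD_SUFFIX)] if host.endswith(N8N_CLOUD_SUFFIX) else None


def is_webhook_path(url):
    return urlparse(url).path.startswith(("/webhook/", "/webhook-test/"))


def parse_line(line):
    # Constructed format: ts<TAB>client<TAB>method<TAB>url<TAB>status<TAB>content-type<TAB>referer
    ts, client, method, url, status, ctype, referer = line.rstrip("\n").split("\t")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "url": url,
        "status": int(status), "ctype": ctype.lower(),
        "referer": "" if referer == "-" else referer,
    }


def looks_like_executable(rec):
    path = urlparse(rec["url"]).path.lower()
    return rec["status"] == 200 and (path.endswith(EXEC_EXTENSIONS) or rec["ctype"] in EXEC_CONTENT_TYPES)


def find_chained_downloads(lines, window=WINDOW):
    """Alert on executable downloads chained from an unapproved n8n webhook page."""
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    recent_visits = {}   # client -> webhook visits to unapproved tenants
    alerts = []
    for rec in records:
        acct = n8n_account(rec["url"])
        if acct is not None:
            if acct not in APPROVED_N8N_ACCOUNTS and is_webhook_path(rec["url"]):
                recent_visits.setdefault(rec["client"], []).append(rec)
            continue                       # the download host is never n8n itself
        if not looks_like_executable(rec):
            continue
        in_window = [v for v in recent_visits.get(rec["client"], []) if rec["ts"] - v["ts"] <= window]
        ref_acct = n8n_account(rec["referer"])
        referer_hit = ref_acct is not None and ref_acct not in APPROVED_N8N_ACCOUNTS
        if not in_window and not referer_hit:
            continue
        origin = in_window[-1] if in_window else None
        alerts.append({
            "client": rec["client"],
            "webhook_url": origin["url"] if origin else rec["referer"],
            "download_url": rec["url"],
            "seconds_after": (rec["ts"] - origin["ts"]).total_seconds() if origin else None,
            "referer_match": referer_hit,
        })
    return alerts


# Constructed proxy log: a lure chain, an approved-tenant workflow, and an unrelated download.
SAMPLE_PROXY_LOG = "\n".join([
    "2026-03-12T09:14:02Z\t10.0.0.5\tGET\thttps://example-account.app.n8n.cloud/webhook/shared-doc\t200\ttext/html\t-",
    "2026-03-12T09:14:42Z\t10.0.0.5\tGET\thttps://files.example.net/Document.msi\t200\tapplication/octet-stream\thttps://example-account.app.n8n.cloud/webhook/shared-doc",
    "2026-03-12T09:20:00Z\t10.0.0.9\tGET\thttps://corp-automation.app.n8n.cloud/webhook/ticket-sync\t200\tapplication/json\t-",
    "2026-03-12T09:20:30Z\t10.0.0.9\tGET\thttps://cdn.example.org/agent-update.exe\t200\tapplication/x-msdownload\t-",
    "2026-03-12T09:31:10Z\t10.0.0.7\tGET\thttps://download.example.org/setup.exe\t200\tapplication/x-msdownload\t-",
])

if __name__ == "__main__":
    for alert in find_chained_downloads(SAMPLE_PROXY_LOG.splitlines()):
        print(alert)
```

Only the first client trips the rule: its MSI came 40 seconds after an unapproved webhook page and carried that page as Referer. The second client's download follows an approved tenant and is left alone, which is the compromise the closing paragraph asks for: watching the trusted environment without breaking the workflows that legitimately run there.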
Source: The Hacker News