NullSec.news// Cyber news for anyone

Threat Actors Weaponize n8n Workflow Automation Webhooks for Malware Delivery and Device Fingerprinting

Cisco Talos has documented a sustained campaign abusing n8n, a popular AI workflow automation platform, to deliver RMM-based backdoors and fingerprint devices via phishing emails. Webhook URL abuse surged 686% between January 2025 and March 2026, with attackers leveraging trusted infrastructure to bypass email security filters.

n8n Webhooks as a Phishing Vector

Cisco Talos published research on April 15 detailing how threat actors have been abusing n8n, a widely used open-source AI workflow automation platform, to orchestrate phishing campaigns that deliver malware and fingerprint victim devices [1]. The activity dates back to at least October 2025 and shows no sign of slowing down: the volume of emails containing n8n webhook URLs in March 2026 was approximately 686% higher than in January 2025 [1].

n8n allows users to connect web applications, APIs, and AI models into automated workflows. Its cloud-hosted service creates subdomains under *.app.n8n.cloud, and its webhook feature, essentially a URL that listens for incoming HTTP requests and triggers workflow steps, is the specific mechanism being abused [2]. Because a workflow can answer a webhook request with arbitrary content over HTTP, a browser that follows a webhook link renders whatever the workflow returns (HTML, JavaScript) as an ordinary web page served from a trusted n8n domain.

How the Attack Chain Works

Talos documented two primary abuse patterns: malware delivery and device fingerprinting.

In the malware delivery campaigns, phishing emails impersonate shared Microsoft OneDrive documents and contain n8n webhook URLs. When the recipient follows the link, the webhook responds with a web page whose JavaScript initiates the download of the payload, so the file appears to come from the n8n domain rather than from the attacker's own host.

In one observed campaign, the payload was an executable named "DownloadedOneDriveDocument.exe" that installed a modified version of the Datto Remote Monitoring and Management (RMM) tool, configured it as a scheduled task, and established a connection to a relay on Datto's centrastage.net domain [1]. A parallel campaign used an MSI installer protected by the Armadillo anti-analysis packer to deploy a modified ITarian Endpoint Management RMM tool as a backdoor. The ITarian variant ran Python modules to exfiltrate information while displaying a fake progress bar that reset to 0% upon completion, creating the illusion of a failed installation [1].

The fingerprinting variant is simpler but effective. Attackers embed invisible tracking pixels hosted on n8n webhook URLs inside spam emails; when the email client loads the image, it sends an HTTP GET request to the webhook along with tracking parameters such as the victim's email address [1]. This lets threat actors confirm which recipients opened the message and collect whatever the request itself reveals about the client, such as its source IP address and User-Agent string, which is useful for targeting follow-up attacks.

Why Trusted Infrastructure Matters

The core problem is one of implicit trust. Email security gateways and endpoint protections often allowlist or deprioritize traffic from known SaaS platforms. Because the entire download process is encapsulated within JavaScript served by the webhook, the browser treats the payload as originating from the n8n domain rather than the actual malicious host [2]. This technique is not unique to n8n: Talos noted that another AI-oriented service, Softr.io, was similarly abused for phishing page creation earlier this year [1].

Detection and Mitigation

Talos recommends sharing indicators of compromise, including specific webhook URL patterns, malicious file hashes, and C2 domains, through threat intelligence platforms. The IOCs published by Talos include hashes for both the Datto and ITarian payloads as well as the specific n8n webhook URLs used in the campaigns [1]. Because many organizations run legitimate n8n tenants, blocking the whole *.app.n8n.cloud zone is rarely an option; detection has to distinguish the organization's own tenant subdomains from unknown ones.
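The following is an added example, written for this article and not code from Talos or from the n8n project, showing the kind of check a mail gateway or log pipeline can apply to the two abuse patterns described above: webhook download links and webhook-hosted tracking pixels that tag the recipient. It treats the *.app.n8n.cloud subdomains an organization has actually authorized as an allowlist (the `acme-ops` tenant here is a hypothetical value), recognizes n8n's default `/webhook/` and `/webhook-test/` trigger paths, and uses a constructed sample email rather than a real campaign artifact; the list of query keys used to spot a per-recipient tag is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist: the n8n cloud tenants this organization has actually
# authorized. Anything else under *.app.n8n.cloud is unknown infrastructure.
AUTHORIZED_HOSTS = {"acme-ops.app.n8n.cloud"}

# n8n cloud tenants get subdomains under *.app.n8n.cloud (per the Talos write-up);
# webhook triggers answer on /webhook/<path>, or /webhook-test/<path> for editor test runs.
N8N_HOST_RE = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.I)
WEBHOOK_PATH_RE = re.compile(r"^/webhook(?:-test)?/", re.I)

# Crude URL extractor that works on HTML bodies, plain text and proxy log lines.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# src attribute of <img> tags, so a webhook hit fired by an image load can be
# told apart from a link the user has to click.
IMG_SRC_RE = re.compile(r"<img\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)

# Query keys that typically carry a per-recipient tag on a tracking pixel (assumption).
RECIPIENT_KEYS = {"email", "e", "id", "uid", "user", "rid", "recipient"}


def classify_url(url, in_img_tag=False):
    """Describe an n8n webhook URL; return None for anything that is not one."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not N8N_HOST_RE.match(host) or not WEBHOOK_PATH_RE.match(parts.path):
        return None
    params = parse_qs(parts.query)
    return {
        "url": url,
        "host": host,
        "authorized": host in AUTHORIZED_HOSTS,
        "kind": "tracking_pixel" if in_img_tag else "link",
        "recipient_tag": {k: v for k, v in params.items() if k.lower() in RECIPIENT_KEYS},
    }


def scan_text(text):
    """Find every n8n webhook URL in an email body or log excerpt, in document order."""
    pixel_srcs = set(IMG_SRC_RE.findall(text))
    findings, seen = [], set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # strip trailing punctuation from prose or log lines
        if url in seen:
            continue
        seen.add(url)
        finding = classify_url(url, in_img_tag=url in pixel_srcs)
        if finding:
            findings.append(finding)
    return findings


def verdict(findings):
    """Triage: an unauthorized webhook link is a download lure -> block; an
    unauthorized pixel alone -> flag (recipient enumeration); otherwise allow."""
    unauthorized = [f for f in findings if not f["authorized"]]
    if any(f["kind"] == "link" for f in unauthorized):
        return "block"
    if unauthorized:
        return "flag"
    return "allow"


# Constructed sample message (not a real campaign artifact): a fake OneDrive share
# with a webhook download link, a tracking pixel tagged with the recipient's
# address, a link to the organization's own tenant and a genuine onedrive.live.com link.
SAMPLE_EMAIL_HTML = """\
<p>A document has been shared with you.</p>
<a href="https://shared-docs-0417.app.n8n.cloud/webhook/open-document">Open OneDrive document</a>
<img src="https://shared-docs-0417.app.n8n.cloud/webhook/px?email=alice%40example.com&c=42" width="1" height="1">
<a href="https://acme-ops.app.n8n.cloud/webhook/ticket-intake">Internal ticket form</a>
<a href="https://onedrive.live.com/?id=123">Genuine OneDrive link</a>
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_EMAIL_HTML)
    for f in results:
        status = "authorized" if f["authorized"] else "UNKNOWN TENANT"
        print(f["kind"], f["host"], status, f["recipient_tag"])
    print("verdict:", verdict(results))
```

The same `scan_text` call works on proxy or DNS-log excerpts, which is where the "unauthorized connections to these domains" check belongs once mail has already been delivered; the allowlist is the piece that needs maintaining, since every new internal n8n tenant must be added to it or its webhooks will be treated as unknown infrastructure.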

Looking Ahead

The abuse of n8n is a symptom of a broader pattern: as low-code and no-code automation platforms proliferate, each one introduces trusted infrastructure that threat actors can co-opt with minimal effort. The same flexibility that makes these tools valuable to developers - free-tier access, programmable webhooks, cloud-hosted subdomains - makes them attractive for adversaries seeking to bypass reputation-based email filtering. Security teams should audit which automation platforms are authorized within their environment and treat unauthorized connections to these domains as potential indicators of compromise.


Image: towel.studio / Unsplash

Sources

  1. Cisco Talos: The n8n n8mare — How threat actors are misusing AI workflow automation
  2. The Hacker News: n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
