Threat Actors Exploit n8n Automation Platform for Advanced Phishing Attacks

Cybersecurity researchers have uncovered a concerning trend where threat actors are abusing n8n, a widely used AI-powered workflow automation tool, to conduct sophisticated phishing campaigns, deliver malware, and fingerprint user devices.

According to a recent analysis by Cisco Talos researchers Sean Gallagher and Omid Mirzaei, attackers are leveraging trusted infrastructure to bypass traditional security defenses.

What is n8n?

n8n is a low-code automation platform that enables users to:

  • Connect web applications and APIs
  • Automate repetitive tasks
  • Build AI-driven workflows

Users can create free developer accounts and access cloud-hosted environments via custom subdomains formatted as:

<account-name>.app.n8n.cloud

The platform also supports webhooks, which act as “reverse APIs” that trigger workflows when specific data is received.

How Attackers Are Exploiting n8n

1. Malicious Webhook Abuse

Attackers are exploiting publicly accessible webhook URLs hosted on trusted n8n subdomains.

  • These links appear legitimate because they originate from a trusted domain
  • When clicked, they execute workflows that deliver malicious content
  • Victims’ browsers process the response as normal web data

This technique has been observed in phishing campaigns since October 2025.

2. Phishing Campaigns with Malware Delivery

In one campaign:

  • Victims receive emails posing as shared documents
  • The email contains an n8n webhook link
  • Clicking the link leads to a fake CAPTCHA page
  • Completing the CAPTCHA triggers malware download

The malware typically includes:

  • Executable files or MSI installers
  • Modified Remote Monitoring and Management (RMM) tools, such as:
    • Datto RMM
    • ITarian Endpoint Management

These tools are then used to:

  • Establish persistence
  • Connect to command-and-control (C2) servers

3. Device Fingerprinting via Tracking Pixels

Another attack method involves:

  • Embedding invisible tracking pixels in phishing emails
  • Hosting these pixels on n8n webhook URLs

When the email is opened:

  • An automatic HTTP request is sent
  • Attackers collect data such as:
    • Email address
    • Device/browser details

This enables precise victim identification and targeting.
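The two lures described above (a clickable n8n webhook link and an auto-loaded tracking pixel) both rely on a URL whose host matches the `<account-name>.app.n8n.cloud` pattern. The following is an added detection example, not code from the Talos report or from n8n: it scans an HTML email body and separates n8n-hosted clickable links from n8n-hosted image loads. The sample email, account name and URL paths are constructed placeholders.

```python
# Added example (not from the Talos report): flag n8n cloud-hosted URLs in an
# email body, distinguishing clickable links from auto-loaded images.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host suffix for the "<account-name>.app.n8n.cloud" pattern named in the article.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"


def is_n8n_cloud_host(url: str) -> bool:
    """True if the URL's host is an n8n cloud subdomain (any account name).
    Suffix matching on the parsed hostname avoids lookalikes such as
    acct.app.n8n.cloud.example.com, which ends in example.com."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX)


class _RefCollector(HTMLParser):
    """Collect clickable links (<a href>) and image loads (<img src>)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []
        self.images: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])


def scan_email_html(html: str) -> dict:
    """Return n8n-hosted links and images found in an HTML email body.
    A hit in "links" matches the webhook-link lure (needs a click); a hit in
    "images" matches the tracking-pixel technique (fires when the mail opens)."""
    p = _RefCollector()
    p.feed(html)
    return {
        "links": [u for u in p.links if is_n8n_cloud_host(u)],
        "images": [u for u in p.images if is_n8n_cloud_host(u)],
    }


# Constructed sample; the account name and URL paths are placeholders.
SAMPLE_EMAIL = """<p>A document has been shared with you.</p>
<a href="https://acme-docs.app.n8n.cloud/hook/open">View document</a>
<img src="https://acme-docs.app.n8n.cloud/hook/px.gif" width="1" height="1">
<a href="https://example.com/legit">Unsubscribe</a>"""

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_EMAIL))
```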

Sharp Rise in Attacks

Cisco Talos reported a 686% increase in phishing emails containing n8n webhook URLs between January 2025 and March 2026, highlighting rapid adoption of this technique among cybercriminals.

Why This is Dangerous

  • Uses trusted domains to evade detection
  • Automates large-scale attacks
  • Blends seamlessly with legitimate workflows
  • Enables both malware delivery and user tracking

Conclusion

The misuse of automation platforms like n8n demonstrates how legitimate productivity tools can be weaponized for cyberattacks. While these tools offer efficiency and flexibility, they also introduce new security risks if not properly monitored.

Security teams must:

  • Monitor webhook usage
  • Filter suspicious links
  • Educate users about phishing tactics

As automation becomes more widespread, maintaining a balance between usability and security is increasingly critical.