Since October 2025, cybercriminals have been abusing n8n, a popular AI-driven workflow automation platform, to run sophisticated phishing campaigns. The abuse involves automated emails that deliver malware or collect device fingerprints, Cisco Talos researchers reported recently.
n8n lets users connect web applications, APIs, and AI models to automate tasks. Anyone can sign up for a developer account on the managed cloud-hosted service without any additional setup and receive a unique hostname ending in .app.n8n.cloud. That convenience is exactly what threat actors have turned against defenders: content served from this trusted domain slips past traditional security controls.
How n8n Webhooks Are Being Abused
The platform's ability to create webhooks (URLs that start a workflow when they receive a request carrying specific data) is what is being exploited. According to Cisco Talos, these webhook URLs have been used in phishing attacks since October 2025. A webhook, often described as a 'reverse API', lets one application notify another in real time, and because each one lives on a trusted n8n hostname these URLs are attractive to attackers.
When a recipient opens the URL from an email, the workflow runs its steps and returns the result to the requesting browser, and that result is frequently a page made to look legitimate. This lets attackers borrow the credibility of a trusted domain name, a central element of their strategy.
Significant Rise in Malicious Email Campaigns
March 2026 saw a dramatic increase in phishing emails using these n8n webhook URLs, with a 686% rise compared to January 2025. In one observed campaign, a phishing email with a linked n8n webhook URL appeared to share a document. Upon clicking the link, users were directed to a CAPTCHA-protected page, which eventually downloaded a malicious payload.
The ultimate aim is to deploy executable files or MSI installers that enable remote access through modified versions of legitimate management tools, like Datto and ITarian Endpoint Management, connecting back to a command-and-control server.
Additional Exploits for Fingerprinting
In addition to malware delivery, n8n is being exploited for fingerprinting. Attackers embed invisible images or tracking pixels in emails, with the image hosted on an n8n webhook URL. Opening such an email causes the mail client to issue an HTTP GET request to that URL, which reveals to the attacker the recipient's email address and other identifiers and confirms that the mailbox is active.
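Both techniques described above (a webhook URL behind a "shared document" link and a webhook URL behind a hidden tracking image) leave the same artifact in the message body: an HTTP(S) URL on a .app.n8n.cloud host. The following is an added example for defenders, not code from the article, from Cisco Talos, or from n8n, that scans an HTML email body for such URLs and flags hidden images pointing at them as tracking pixels. The sample email, the example-tenant hostname and the recipient address are constructed, and the /webhook path prefix is an assumption about how n8n exposes webhook endpoints (the article only names the domain suffix).

```python
"""Flag n8n cloud webhook URLs in HTML email bodies: phishing links and tracking pixels.

Added example for mail-gateway or SOC triage; not code from the article, Cisco Talos or n8n.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Managed-cloud hostname suffix named in the article.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# Assumption: n8n serves webhook endpoints under /webhook/ (and /webhook-test/ for test runs).
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)


def is_n8n_webhook(url: str) -> bool:
    """True if url is an http(s) URL on an n8n cloud host with a webhook-style path."""
    try:
        p = urlparse(url)
    except ValueError:
        return False
    if p.scheme not in ("http", "https"):
        return False
    host = (p.hostname or "").lower()          # hostname, so query-string decoys don't match
    return host.endswith(N8N_CLOUD_SUFFIX) and bool(WEBHOOK_PATH_RE.match(p.path))


def _dim(value):
    """Normalise a width/height attribute ('1', '1px', ' 0 ') to a bare number string."""
    v = (value or "").strip().lower()
    return v[:-2] if v.endswith("px") else v


def _looks_hidden(attrs: dict) -> bool:
    """Heuristic for a tracking pixel: 0/1-pixel dimensions or a hiding inline style."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = w in ("0", "1") and h in ("0", "1")
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


class _N8nScanner(HTMLParser):
    """Collects (kind, url) findings for anchors and images that point at n8n webhooks."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already unescapes entities in attribute values
        if tag == "a" and a.get("href") and is_n8n_webhook(a["href"]):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and a.get("src") and is_n8n_webhook(a["src"]):
            kind = "tracking_pixel" if _looks_hidden(a) else "image"
            self.findings.append((kind, a["src"]))


def scan_email_html(html: str):
    """Return a list of (kind, url) findings; kind is 'link', 'image' or 'tracking_pixel'."""
    scanner = _N8nScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def classify_email(html: str) -> str:
    """'suspicious' if any n8n webhook URL is present in the body, else 'clean'."""
    return "suspicious" if scan_email_html(html) else "clean"


# Constructed sample mimicking the "shared document" lure plus a hidden open-tracking image.
SAMPLE_EMAIL = """
<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/share-doc?id=4711">View document</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/open?r=bob%40example.com" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE_EMAIL):
        print(f"{kind:15} {url}")
    print(classify_email(SAMPLE_EMAIL))
```

Matching on the parsed hostname rather than on a substring matters: a URL such as https://attacker.example/?u=x.app.n8n.cloud/webhook/a must not match, and a legitimate n8n tenant the organisation itself uses can be allow-listed by exact hostname before the rule fires. For inbound mail from external senders, any hit is worth holding for review; a hidden image hit also tells you the sender is harvesting open events and recipient identifiers, even when no malware link is present.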
Cisco Talos emphasized that the same workflows designed for developer efficiency are now being repurposed for nefarious activities due to their integration ease and automation capabilities. Security teams must ensure these platforms remain beneficial rather than becoming security risks.
The ongoing abuse of n8n webhooks highlights the urgent need for heightened cybersecurity measures to protect against similar threats. As low-code automation continues to expand, security professionals must remain vigilant to prevent these tools from becoming liabilities.
