n8n Webhook Abuse Fuels Phishing Malware Campaigns


As attackers increasingly exploit trusted platforms to evade detection, automation tools are becoming an unexpected vector in the cybertech threat landscape. Researchers have uncovered a campaign where threat actors are abusing n8n webhooks to deliver malware through phishing emails.

The n8n webhook phishing attacks have been active since October 2025, according to findings from Cisco Talos. By leveraging the platform’s cloud-hosted infrastructure, attackers are able to disguise malicious activity as legitimate traffic, bypassing traditional email security filters.

n8n is widely used for workflow automation, enabling users to connect applications, APIs, and AI services to automate repetitive tasks. Its webhook functionality allows external systems to trigger workflows through unique URLs. While designed for legitimate integrations, these URLs are now being weaponized to execute malicious operations.

In the observed campaigns, attackers embed n8n hosted webhook links in phishing emails that appear to contain shared documents. When a recipient clicks the link, they are redirected to a webpage that presents a CAPTCHA challenge. Once completed, the page silently initiates the download of a malicious payload from an external server.

Because the process is executed within browser-based scripts and originates from a trusted n8n domain, the download appears legitimate to both users and security systems. This technique allows attackers to deliver executable files or MSI installers that deploy modified versions of remote monitoring tools such as Datto and ITarian Endpoint Management, which are then used to establish persistent access through command-and-control infrastructure.

The n8n webhook phishing attacks also include a secondary tactic focused on device fingerprinting. Threat actors embed invisible tracking pixels within emails, hosted on n8n webhook URLs. When the email is opened, it automatically sends a request to the webhook, transmitting data such as the recipient’s email address. This enables attackers to identify active targets and refine their campaigns.
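Both patterns described above, the clickable "shared document" webhook link and the webhook-hosted tracking pixel, can be picked out of an email body by the same check. The following is an added defensive example, not code from the article or from Cisco Talos; it assumes (the article does not say) that n8n cloud-hosted webhooks are served from tenant subdomains of `app.n8n.cloud` under a `/webhook/` or `/webhook-test/` path, and the sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not stated in the article): n8n cloud webhooks live on tenant
# subdomains of app.n8n.cloud with a /webhook/ or /webhook-test/ path prefix.
# Self-hosted n8n instances use other hostnames and would need their own rule.
N8N_HOST_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/")

def is_n8n_webhook(url):
    """True if the URL points at an n8n cloud webhook endpoint."""
    p = urlparse(url)
    return (p.scheme in ("http", "https") and p.hostname is not None
            and p.hostname.endswith(N8N_HOST_SUFFIX)
            and WEBHOOK_PATH.match(p.path) is not None)

def _tiny(attrs, name):
    """A missing or <=1px dimension is what a tracking pixel looks like."""
    try:
        return int(attrs.get(name) or "1") <= 1
    except ValueError:
        return False

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and is_n8n_webhook(a.get("href") or ""):
            # Clickable webhook link: the document-share lure.
            self.findings.append(("link", a["href"]))
        elif tag == "img" and is_n8n_webhook(a.get("src") or ""):
            # Webhook-hosted image: pixel-sized ones are the open-tracking beacon.
            kind = "tracking_pixel" if _tiny(a, "width") and _tiny(a, "height") else "image"
            self.findings.append((kind, a["src"]))

def scan_email_html(html):
    """Return (kind, url) pairs for every n8n webhook reference in an email body."""
    s = _Scanner()
    s.feed(html)
    return s.findings

# Constructed sample message, not a real campaign artifact.
SAMPLE = """<p>A document has been shared with you.</p>
<a href="https://tenant-xyz.app.n8n.cloud/webhook/open-document">View document</a>
<img src="https://tenant-xyz.app.n8n.cloud/webhook/seen?r=user%40example.com" width="1" height="1">
<a href="https://docs.n8n.io/">Help</a>"""
```

Run against SAMPLE it reports one `link` and one `tracking_pixel` finding and ignores the ordinary documentation link; a mail gateway would typically quarantine on the former and strip or rewrite the latter.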

Researchers noted a significant increase in activity, with email volumes containing these malicious webhook links rising by 686 percent between January 2025 and March 2026. The surge highlights how quickly attackers are adapting legitimate tools for malicious purposes.

“A webhook, often referred to as a ‘reverse API,’ allows one application to provide real-time information to another,” Cisco Talos explained. “When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application.”

The n8n webhook phishing attacks underscore a broader shift in cyber threats, where adversaries exploit trusted cloud services and low-code platforms to mask malicious activity. This approach not only increases the success rate of phishing campaigns but also complicates detection and response efforts for security teams.

As organizations continue to adopt automation and AI-driven workflows, securing these platforms is becoming critical. Without proper safeguards, tools designed to improve efficiency can be repurposed into powerful delivery mechanisms for malware and surveillance.
