n8n Webhooks Abused to Deliver Malware via Phishing

    Rameses Quiambao

    Summary

    Threat actors are abusing n8n, a popular workflow automation platform, to launch phishing campaigns that deliver malware and perform device fingerprinting.

    The abuse has been observed since October 2025, with a significant spike in activity in 2026.

    Key points:
    • Attackers use trusted n8n cloud domains to bypass email security filters
    • Webhooks are weaponized to deliver malicious payloads
    • Campaigns involve phishing emails disguised as shared documents

    Research Source

    According to Cisco Talos researchers, attackers are leveraging n8n’s automation capabilities and trusted infrastructure to deliver malware while appearing legitimate.

    The use of *.app.n8n.cloud domains helps evade detection, as these are considered trusted by many security tools.

    Technical Details

    The attack abuses n8n webhook functionality, which allows automated workflows to trigger when a URL is accessed.

    How it works:
    • Victim receives phishing email with embedded n8n webhook link
    • Link redirects to a fake page (e.g., document or CAPTCHA)
    • Completing CAPTCHA triggers malware download
    • Payload is fetched from attacker-controlled infrastructure

    Malware delivery:
    • Executable (.exe) or MSI installer
    • Installs modified RMM tools (e.g., Datto, ITarian)
    • Establishes persistence and remote access via C2

    Fingerprinting technique:
    • Embedded tracking pixel (invisible image)
    • Sends HTTP request when email is opened
    • Collects victim data (email, IP, device info)

    Notable increase:
    • 686% rise in malicious emails using n8n webhooks

    Observed Attack Activity

    Initial Access
    • Phishing emails with webhook links
    • Fake shared documents or business communications

    Execution
    • CAPTCHA-based lure triggers payload delivery
    • JavaScript-based execution in browser

    Persistence
    • Deployment of RMM tools for remote access
    • Connection to attacker-controlled C2 servers

    Collection
    • Device fingerprinting via tracking pixels
    • Collection of user and system metadata

    Defense Evasion
    • Use of trusted n8n domains
    • Blends malicious traffic with legitimate automation workflows

    Threat Actor

    Attribution:
    • Unknown threat actors (no confirmed APT group yet)

    However:
    • Techniques align with cybercriminal groups leveraging legitimate SaaS platforms
    • Focus on stealth, automation, and scalability

    Impact

    This technique introduces a new risk in cloud and SaaS environments:

    • Bypasses traditional email security controls
    • Enables stealthy malware delivery
    • Allows persistent remote access via legitimate tools
    • Increases phishing success rates due to trusted domains

    Organizations may face:
    • Endpoint compromise
    • Data exfiltration
    • Lateral movement within networks
    • Long-term unauthorized access

    Mitigation

    Recommended actions:
    • Block or monitor n8n webhook domains where not required
    • Inspect email links pointing to automation platforms
    • Disable automatic image loading in email clients (prevents tracking)
    • Restrict unauthorized RMM tool usage via AppLocker or WDAC
    • Enable:
      • Safe Links
      • Safe Attachments
      • Advanced email filtering
    • Monitor outbound traffic for suspicious connections
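    As an added illustration of the "inspect email links" and "disable image loading" points above (example code written for this post, not from Cisco Talos or the n8n project), the following Python scanner flags links to webhook routes on *.app.n8n.cloud tenants and 1x1 remote images in an email body. The /webhook/ and /webhook-test/ path prefixes are taken from n8n's documentation rather than from the post, and the sample email is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain suffix named in the post; the webhook path prefixes are n8n's
# documented production/test webhook routes (assumption, not from the post).
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)

class _Collector(HTMLParser):
    """Collects <a href> targets and <img> attributes from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.images.append(a)

def is_n8n_webhook_url(url):
    """True when the URL targets a webhook route on an n8n cloud tenant."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and bool(WEBHOOK_PATH_RE.match(p.path))

def _is_tiny(value):
    try:  # accepts "1" or "1px"; anything non-numeric is not tiny
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False

def is_tracking_pixel(img):
    """Remote image declared 1x1 or smaller: the classic tracking-pixel shape."""
    remote = (img.get("src") or "").lower().startswith(("http://", "https://"))
    return remote and _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))

def scan_email_html(html):
    """Returns the n8n webhook links and tracking-pixel sources in an email body."""
    c = _Collector()
    c.feed(html)
    return {"webhook_links": [u for u in c.links if is_n8n_webhook_url(u)],
            "tracking_pixels": [i.get("src") or "" for i in c.images if is_tracking_pixel(i)]}

# Constructed sample body, not a real campaign artifact
SAMPLE_EMAIL = """<p>A document was shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/8d1c-open-document">Open document</a>
<a href="https://docs.example.com/real-file.pdf">Quarterly report</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/px" width="1" height="1">
<img src="https://example.com/logo.png" width="120" height="40">"""
```

    Run the scanner over message bodies at the mail gateway or in a mailbox sweep; a hit on webhook_links is a candidate for quarantine or link rewriting, and a hit on tracking_pixels confirms why remote images should stay blocked by default.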

    References
    https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html
