
N8n Webhooks Exploited From October 2025 to Deliver Malware via Phishing Emails

Ravie Lakshmanan | April 15, 2026 | Threat Intelligence / Cloud Security

Threat actors have been observed leveraging n8n, an artificial intelligence (AI) platform for automated workflows, to facilitate phishing campaigns, delivering malicious payloads and fingerprinting recipients' devices through automated emails.

“Using a trusted infrastructure, these attackers bypass traditional security filters, turning production tools into continuous delivery vehicles for remote access,” said Cisco Talos researchers Sean Gallagher and Omid Mirzaei in an analysis published today.

N8n is a workflow automation platform that allows users to connect various web applications, APIs, and AI model services to synchronize data, build agent systems, and perform repetitive rules-based tasks.

Users can sign up for a developer account at no cost to get a cloud-managed service and run automated workflows without setting up any infrastructure of their own. Doing so, however, creates a separate custom domain of the form *.app.n8n[.]cloud, where the user can access their applications.

The platform also supports the ability to create webhooks to receive data from applications and services when certain events are triggered. This makes it possible to start a workflow after receiving certain data. The data, in this case, is sent via a unique webhook URL.

According to Cisco Talos, it is these exposed webhook URLs, all of which use the same *.app.n8n[.]cloud domain, that have been abused in phishing attacks since October 2025.

“A webhook, often called a ‘reverse API,’ allows one application to provide real-time information to another. These URLs register the application as a ‘listener’ to receive data, which can include dynamically pulled HTML content,” explains Talos.

“When a URL receives a request, the next steps in the workflow are initiated, returning the results as an HTTP data stream to the requesting application. When the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a web page.”

What makes this stand out is that it opens a new door for malicious actors to spread malware while maintaining a legitimate appearance: the links appear to come from a trusted domain.

Threat actors wasted no time in exploiting the behavior to set up n8n webhook URLs for malware delivery and device fingerprinting. The volume of email messages containing these URLs in March 2026 was said to be about 686% higher than in January 2025.

In one campaign seen by Talos, malicious actors were found to be embedding a webhook link hosted by n8n in emails claiming to share a document. Clicking the link takes the user to a web page that displays a CAPTCHA, which, when completed, triggers the download of a malicious payload from an external host.

“Because the entire process is encapsulated within the HTML document’s JavaScript, the download appears in the browser to be from the n8n domain,” the researchers noted.

The ultimate goal of the attack is to deliver an executable or MSI installer that acts as a conduit for modified versions of legitimate Remote Monitoring and Management (RMM) tools such as Datto and ITarian Endpoint Management, which are then used to establish persistence and connect to the command-and-control (C2) server.

The second most common use case is the abuse of n8n for device fingerprinting. Specifically, this involves embedding in emails an invisible image, or tracking pixel, hosted at an n8n webhook URL. As soon as the message is opened in an email client, the client automatically sends an HTTP GET request to the n8n URL along with tracking parameters, such as the victim's email address, allowing the attackers to identify who opened it.
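The two abuse patterns described above, a "shared document" link and a tracking pixel that carries the recipient's address, can both be surfaced by scanning message bodies for URLs on the per-tenant n8n cloud domain. The scanner below is an added illustration for mail security teams, not code from Talos or n8n: the *.app.n8n.cloud host pattern and the two abuse patterns come from the article, while the sample message, the /webhook/ paths and the pixel heuristics (1x1 or hidden images, query parameters holding an email address) are constructed assumptions.

```python
"""Flag n8n cloud webhook URLs in an HTML email body (links and tracking pixels).

Added illustration, not code from Talos or n8n. The ``*.app.n8n.cloud`` host
pattern and the two abuse patterns (document-share link, tracking pixel that
carries the recipient's address) come from the article; the sample message,
the ``/webhook/`` paths and the pixel heuristics are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Per-tenant n8n cloud hostnames take the form <name>.app.n8n.cloud (from the article).
N8N_CLOUD_HOST = re.compile(r"^[a-z0-9-]+\.app\.n8n\.cloud$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Finding:
    kind: str            # "link", "tracking_pixel" or "image"
    url: str
    host: str
    tracked_params: dict = field(default_factory=dict)  # query params carrying an email address


def _looks_like_pixel(attrs):
    """Heuristic (assumption): a 1x1/0x0 or hidden <img> is a tracking pixel."""
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def _email_params(query):
    """Return query parameters whose value is an email address (recipient fingerprinting)."""
    return {k: v[0] for k, v in parse_qs(query).items() if v and EMAIL_RE.match(v[0])}


class N8nLinkScanner(HTMLParser):
    """Collects <a href> and <img src> targets that point at an n8n cloud host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._record(a["href"], "link", a)
        elif tag == "img" and a.get("src"):
            self._record(a["src"], "image", a)

    def _record(self, url, kind, attrs):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not N8N_CLOUD_HOST.match(host):
            return  # not an n8n cloud URL; ordinary links and images are ignored
        tracked = _email_params(parsed.query)
        if kind == "image" and (tracked or _looks_like_pixel(attrs)):
            kind = "tracking_pixel"
        self.findings.append(Finding(kind, url, host, tracked))


def scan_email_html(body):
    """Return the n8n cloud findings for one HTML email body, in document order."""
    scanner = N8nLinkScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample message modelled on the "shared document" lure plus a pixel.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>A document has been shared with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/document-share">Open document</a>
<img src="https://example-tenant.app.n8n.cloud/webhook/open?e=victim%40example.com&amp;uid=77"
     width="1" height="1" alt="">
<img src="https://cdn.example.com/logo.png" width="120" alt="logo">
<a href="https://n8n.io/">About n8n</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f"{f.kind:15} {f.host:32} {f.url}  tracked={f.tracked_params}")
```

The scanner only reports URLs on the tenant domain, so n8n's own marketing site and unrelated image hosts produce no findings; a link finding is a candidate for detonation or quarantine, and a tracking-pixel finding tells the team which mailbox the sender was trying to confirm as live. The same host pattern can be applied to web proxy logs to find users who already clicked.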

“The same workflow designed to save hours of manual developer work is now being repurposed to automate the delivery of malware and fingerprinting devices because of its flexibility, ease of integration, and seamless automation,” Talos said. “As we continue to leverage the power of low-code automation, it is the responsibility of security teams to ensure that these platforms and tools remain assets rather than liabilities.”
