Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails.
By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access.
n8n is a workflow automation platform that allows users to connect various web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based tasks. Users can register for a developer account at no extra cost to use a managed cloud-hosted service and run automation workflows without having to set up their own infrastructure. Doing so creates a unique custom domain in the format <account name>.app.n8n.cloud, from which a user can access their applications. The platform also supports webhooks that receive data from apps and services when certain events are triggered, making it possible to initiate a workflow after receiving certain data via a unique webhook URL.
According to Cisco Talos, it's these URL-exposed webhooks – which make use of the same *.app.n8n.cloud subdomain – that have been abused in phishing attacks as far back as October 2025.
A webhook, often referred to as a 'reverse API,' allows one application to provide real-time information to another. These URLs register an application as a 'listener' to receive data, which can include programmatically pulled HTML content. When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient's browser acts as the receiving application, processing the output as a web page.
Threat actors have wasted no time taking advantage of this behavior to set up n8n webhook URLs for malware delivery and device fingerprinting. The volume of email messages containing these URLs in March 2026 is said to have been about 686% higher than in January 2025.
In one campaign observed by Talos, threat actors embedded an n8n-hosted webhook link in emails that claimed to be a shared document. Clicking the link takes the user to a web page that displays a CAPTCHA, which, upon completion, triggers the download of a malicious payload from an external host. Because the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain.
The end goal of the attack is to deliver an executable or an MSI installer that serves as a conduit for modified versions of legitimate Remote Monitoring and Management (RMM) tools like Datto and ITarian Endpoint Management, which are then used to establish persistence by connecting to a command-and-control (C2) server.
A second prevalent case concerns the abuse of n8n for fingerprinting. Specifically, this entails embedding an invisible image or tracking pixel hosted on an n8n webhook URL in emails. As soon as the email is opened via an email client, it automatically sends an HTTP GET request to the n8n URL along with tracking parameters, like the victim's email address, thereby enabling the attackers to identify them.
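For mail-filtering or triage, both patterns described above (the webhook link posing as a shared document and the tracking pixel) can be picked out of an HTML message body by host suffix. The following is an added example, not code from Talos or n8n; the function names, the hidden-image heuristic and the sample tenant name and paths are assumptions, and it only covers the managed *.app.n8n.cloud domain named in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

N8N_SUFFIX = ".app.n8n.cloud"  # tenant domain format named in the article
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # value that identifies a recipient

class RefCollector(HTMLParser):
    """Collect (tag, url, attrs) for each <a href> and <img src>."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "a" else a.get("src") if tag == "img" else None
        if url:
            self.refs.append((tag, url, a))

def is_hidden(attrs):
    """Heuristic (assumption): 0/1-pixel size or a hiding CSS style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_n8n_refs(html_body):
    """Return one finding per link or image hosted on *.app.n8n.cloud."""
    parser = RefCollector()
    parser.feed(html_body)
    findings = []
    for tag, url, attrs in parser.refs:
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""  # hostname is already lowercased
        except ValueError:  # malformed URL in untrusted HTML
            continue
        if not host.endswith(N8N_SUFFIX):  # suffix match rejects lookalike hosts
            continue
        leaks = [k for k, v in parse_qsl(parts.query) if EMAIL_RE.fullmatch(v)]
        kind = "webhook_link"
        if tag == "img":
            kind = "tracking_pixel" if is_hidden(attrs) or leaks else "remote_image"
        findings.append({"kind": kind, "tenant": host[:-len(N8N_SUFFIX)],
                         "url": url, "email_params": leaks})
    return findings

# Constructed sample body; tenant name and paths are made up.
SAMPLE = ('<a href="https://acme-docs.app.n8n.cloud/webhook/view">Open document</a>'
          '<img src="https://acme-docs.app.n8n.cloud/webhook/px?e=user%40example.com" width="1" height="1">'
          '<a href="https://app.n8n.cloud.evil.example/webhook/view">lookalike</a>')
```

Calling find_n8n_refs(SAMPLE) returns two findings, one webhook_link and one tracking_pixel whose email_params is ["e"]; the tenant field gives the account name to pivot on across other messages.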
The same workflows designed to save developers hours of manual labor are now being repurposed to automate malware delivery and device fingerprinting, thanks to their flexibility, ease of integration, and seamless automation. As we continue to leverage the power of low-code automation, it’s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities.