- Threat actors are weaponizing the popular AI workflow automation platform n8n to conduct phishing campaigns.
- Abused webhook URLs, using *.app.n8n.cloud subdomains, facilitate malware delivery and device fingerprinting.
- Email traffic containing these malicious n8n URLs surged approximately 686% between January 2025 and March 2026.
In sophisticated phishing campaigns observed since October 2025, threat actors have weaponized the trusted infrastructure of the AI workflow automation platform n8n to deliver malicious payloads. The attacks, documented by Cisco Talos researchers Sean Gallagher and Omid Mirzaei in an analysis published April 15, 2026, leverage the platform’s webhook functionality to bypass traditional security filters.
The automation platform allows users to create webhooks for receiving data, generating unique URLs on *.app.n8n.cloud subdomains. Consequently, attackers have abused these exposed webhook URLs to host phishing pages and tracking pixels, as detailed in their analysis.
When a victim clicks a link in a malicious email, their browser processes the output from the n8n domain as a webpage. This mechanism provides a veneer of legitimacy, making malicious downloads appear to originate from the trusted automation service.
In one campaign, clicking a link leads to a CAPTCHA page that then triggers the download of a malicious executable. The payload often serves as a conduit for modified versions of legitimate Remote Monitoring and Management tools like Datto and ITarian Endpoint Management.
Another prevalent abuse case involves embedding invisible tracking pixels hosted on n8n webhooks within emails. Consequently, opening the email automatically sends an HTTP GET request to fingerprint the victim’s device and identify their email address.
The researchers noted the volume of emails containing these weaponized URLs in March 2026 was about 686% higher than in January 2025. “Because the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain,” the researchers noted.
“As we continue to leverage the power of low-code automation, it’s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities,” Talos concluded. Meanwhile, the trend highlights how productivity tools can be repurposed into vectors for persistent remote access.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
