{"id":611,"date":"2026-04-15T18:07:43","date_gmt":"2026-04-15T18:07:43","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=611"},"modified":"2026-04-15T18:07:43","modified_gmt":"2026-04-15T18:07:43","slug":"n8n-webhooks-abused-since-october-2025-to-deliver-malware-via-phishing-emails","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=611","title":{"rendered":"n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 15, 2026<\/span><\/span>Threat Intelligence \/ Cloud Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Threat actors\u00a0have been\u00a0observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated\u00a0emails.<\/p>\n

\u00abBy leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote\u00a0access,\u00bb Cisco Talos researchers Sean Gallagher and Omid\u00a0Mirzaei said<\/a> in an analysis published\u00a0today.<\/p>\n

N8n is a workflow automation platform that allows users to connect various web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based\u00a0tasks.<\/p>\n

Users can register for a developer account at no extra cost\u00a0to avail a managed cloud-hosted service and run automation workflows\u00a0without having to set up their own infrastructure.Doing so, however, creates\u00a0a unique custom\u00a0domain that goes\u00a0by the\u00a0format\u00a0\u2013 .app.n8n.cloud \u2013 from where a user can access their applications.<\/account><\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The platform also\u00a0supports the ability\u00a0to create\u00a0webhooks<\/a> to receive data from apps and services\u00a0when certain events are triggered.Thismakes it possible to\u00a0initiate a\u00a0workflow after\u00a0receiving certain\u00a0data.The data,\u00a0in this case, is sent via a unique webhook\u00a0URL.<\/p>\n

<\/p>\n

According to Cisco\u00a0Talos, it’s these URL-exposed webhooks \u2013 which make use of the same *.app.n8n[.]cloud subdomain \u2013 that has been abused in phishing attacks as far back as October\u00a02025.<\/p>\n

\u00abA webhook, often referred to as\u00a0a\u00a0‘reverse\u00a0API,’ allows one application to provide real-time information to another. These\u00a0URLs register an application as\u00a0a\u00a0‘listener’ to receive data, which can include programmatically pulled HTML\u00a0content,\u00bb Talos explained.<\/p>\n

\"\"<\/a><\/div>\n

\u00abWhen the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If\u00a0the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a web\u00a0page.\u00bb<\/p>\n

What\u00a0makes this significant is that it opens a new door for threat actors to propagate malware while maintaining a veneer of legitimacy by giving the impression that they are originating from a trusted\u00a0domain.<\/p>\n

Threat\u00a0actors have wasted no time taking advantage of the behavior to set up n8n webhook URLs for malware delivery and device fingerprinting. The\u00a0volume of email messages containing these URLs in March 2026 is said to have been about 686% higher than in January\u00a02025.<\/p>\n

In\u00a0one campaign observed by Talos, threat actors have been found to embed an n8n-hosted webhook link in emails that claimed to be a shared document. Clicking the link takes the user to a web page that displays a CAPTCHA, which, upon completion, activates the download of a malicious payload from an external\u00a0host.<\/p>\n

\u00abBecause the entire process is encapsulated within the JavaScript of the HTML document, the download appears to the browser to have come from the n8n domain,\u00bb the researchers\u00a0noted.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The\u00a0end goal of the attack is to deliver an executable or an MSI installer that serves as a conduit for modified versions of legitimate Remote Monitoring and Management (RMM) tools like Datto and ITarian Endpoint Management, and use them to establish persistence by establishing a connection to a command-and-control (C2)\u00a0server.<\/p>\n

A\u00a0second prevalent case concerns the abuse of n8n for fingerprinting. Specifically, this entails embedding in emails an invisible image or tracking pixel that’s hosted on an n8n webhook URL. As\u00a0soon as the digital missive is opened via an email client, it automatically sends an HTTP GET request to the n8n URL along with tracking parameters, like the victim’s email address, thereby enabling the attackers to identify\u00a0them.<\/p>\n

\u00abThe same workflows designed to save developers hours of manual labor are now being repurposed to automate the delivery of malware and fingerprinting devices due to their flexibility, ease of integration, and seamless automation,\u00bb Talos said. \u00abAs we continue to leverage the power of low-code automation, it\u2019s the responsibility of security teams to ensure these platforms and tools remain assets rather than liabilities.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Apr 15, 2026Threat Intelligence \/ Cloud Security Threat actors\u00a0have been\u00a0observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads…<\/p>\n","protected":false},"author":1,"featured_media":612,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1233,529,625,42,602,1234,390,1232],"class_list":["post-611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abused","tag-deliver","tag-emails","tag-malware","tag-n8n","tag-october","tag-phishing","tag-webhooks"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=611"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/611\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/612"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}