n8n Webhooks Are Being Actively Weaponized to Deliver Malware and Conduct Stealthy Phishing Campaigns
Attackers Exploit Trusted Automation Platforms to Bypass Traditional Security Controls and Establish Persistent Remote Access
EXECUTIVE SUMMARY
Threat actors are actively abusing n8n, a widely used workflow automation platform, to launch advanced phishing campaigns and deliver malware.
Instead of relying on suspicious infrastructure, attackers are leveraging trusted cloud domains (*.app.n8n.cloud) to evade detection and increase success rates.
This marks a significant shift where legitimate productivity tools are being turned into covert attack delivery systems.
WHAT IS HAPPENING
How Attackers Are Exploiting n8n
n8n allows users to create automated workflows using webhooks, which act as endpoints that trigger actions when accessed.
Attackers are exploiting this feature by embedding webhook URLs inside phishing emails. When a victim clicks the link, the workflow executes automatically and delivers malicious content.
ATTACK TECHNIQUE BREAKDOWN
1. Phishing via Trusted Domains
Emails contain links that appear legitimate because they originate from n8n.cloud domains.
➡️ This helps attackers bypass:
- Email security filters
- Domain reputation checks
- User suspicion
2. Webhook-Triggered Malware Delivery
Once the victim clicks the link:
- A webpage loads (often disguised as a document or CAPTCHA)
- JavaScript executes silently
- Malware is downloaded from an external server
Because the process is initiated via n8n, the browser treats it as trusted activity
3. Payload Execution & Persistence
The delivered payload is typically:
- Executable (.exe) or MSI installer
- Often disguised as legitimate tools
Attackers deploy modified Remote Monitoring and Management (RMM) tools such as:
- Datto
- ITarian Endpoint Management
These tools are then used to:
- Maintain persistence
- Establish command-and-control (C2) access
- Control infected systems remotely
4. Device Fingerprinting via Tracking Pixels
In another variation, attackers embed invisible images (tracking pixels) in emails.
When the email is opened:
- The email client sends a request to the webhook
- Victim data is collected automatically
Captured data may include:
- Email address
- IP address
- Device/browser details
This enables attackers to profile targets before launching deeper attacks
WHY THIS IS DANGEROUS
Abuse of Legitimate Infrastructure
Since n8n is a trusted platform, security tools often do not flag its domains.
This creates a blind spot where:
- Malicious activity looks legitimate
- Detection becomes significantly harder
Automation at Scale
Attackers can automate:
- Phishing delivery
- Payload execution
- Victim tracking
As a result, campaigns become faster, scalable, and more effective
Increased Success Rate
Because the attack chain uses:
- Trusted domains
- Clean infrastructure
- Real automation logic
Users are far more likely to trust and interact with these links
ATTACK FLOW (SIMPLIFIED)
- Victim receives phishing email
- Clicks n8n webhook link
- Workflow executes automatically
- Malicious page loads (CAPTCHA or document lure)
- Payload is downloaded
- RMM tool establishes persistence
- Attacker gains remote access
DEFENSIVE MEASURES
Email & User Protection
- Treat even trusted domains with caution
- Avoid clicking unexpected “shared document” links
- Disable automatic image loading in email clients
Network & Endpoint Security
- Monitor outbound traffic to unusual webhook URLs
- Detect execution of unexpected MSI or EXE files
- Flag abnormal use of RMM tools
Detection & Monitoring
- Look for unusual HTTP requests triggered from email clients
- Monitor for JavaScript-based downloads from web pages
- Track installation of remote access tools outside IT processes