Attackers Exploit n8n Low-Code Webhooks for Phishing, Malware Delivery and Tracking

CyberSecureFox

Cloud-based automation platform n8n has become the latest legitimate service to be systematically abused in large-scale phishing campaigns. According to research from Cisco Talos, threat actors are leveraging n8n’s webhook infrastructure to send convincing phishing emails, deliver malware, and silently collect information about recipients’ devices, while riding on the trusted reputation of the app.n8n.cloud domain.

What is n8n and why cybercriminals are targeting low-code automation

n8n is a popular low-code/no-code workflow automation platform. It allows users to visually connect web services, APIs and AI models, orchestrate agent-like systems, and automate repetitive tasks without extensive programming. The vendor offers a managed cloud service where each customer receives an instance at a subdomain such as <account-name>.app.n8n.cloud to run their workflows.

The feature most attractive to attackers is n8n webhooks. A webhook is essentially a reverse API endpoint: an externally accessible URL that, when called, triggers a workflow and returns an HTTP response. If that response contains HTML, a user’s browser will treat it as a normal web page. This makes n8n a convenient, flexible hosting layer for dynamic phishing content that appears to originate from a legitimate SaaS domain.

Phishing campaigns abusing n8n webhooks to evade email security

Cisco Talos observed public webhook URLs on *.app.n8n.cloud being used in phishing operations since at least October 2025. Because traffic flows through a trusted SaaS infrastructure, many reputation-based spam filters and secure email gateways are more likely to allow these messages through, assuming they are benign business automation traffic.

The researchers recorded a sharp increase in such abuse: emails containing n8n webhook URLs in March 2026 were reported to be approximately 686% higher than in January 2025. This growth suggests that multiple phishing groups have standardized on n8n as an infrastructure component, similar to how they already abuse services like Google Docs, Dropbox and Microsoft 365 to host phishing pages.

Malware delivery via fake document sharing and CAPTCHA pages

In one prominent campaign, adversaries sent emails posing as notifications about shared business documents. The body of the message contained a link to an n8n webhook. When victims clicked the link, they were shown a web page with a seemingly legitimate CAPTCHA challenge, ostensibly to “verify” they were human.

Completing the CAPTCHA triggered JavaScript embedded in the HTML served by n8n. In the background, this script downloaded a malicious file from an external server. Because the entire interaction occurred through a page delivered from app.n8n.cloud, network and email security tools often saw only legitimate SaaS traffic and did not immediately flag it as suspicious.

The final payloads in these attacks frequently consisted of executable files or MSI installers that deployed modified versions of legitimate Remote Monitoring and Management (RMM) tools, including Datto and ITarian Endpoint Management. Once installed, these RMM agents provided attackers with persistent remote access over seemingly legitimate channels, enabling command-and-control (C2), lateral movement and long-term surveillance under the guise of IT administration.

Device fingerprinting and tracking pixels powered by n8n webhooks

A second, quieter use case identified by Cisco Talos involved device fingerprinting and user tracking rather than immediate malware delivery. Attackers embedded an invisible tracking pixel—a 1×1 image—referenced via an n8n webhook URL directly in the email body.

When a recipient opened the email, the client automatically performed an HTTP GET request to the webhook URL to load the “image”. Along with standard headers, the request often carried tracking parameters such as the recipient’s email address and metadata about the mail client or operating system. This enabled attackers to confirm that an inbox was active, measure engagement, and build profiles of target environments, which could then be used to prioritize high‑value victims for follow-on phishing or ransomware attacks.

Security risks of low-code SaaS platforms and practical defenses

The abuse of n8n webhooks illustrates a broader trend: low-code and no-code platforms, designed to simplify integration and boost productivity, are increasingly co‑opted by threat actors as stealthy delivery channels. Their strong domain reputation, flexible integration with email and APIs, and ability to serve dynamic content make them attractive staging grounds for phishing, malware distribution and covert tracking.

Organizations that rely heavily on cloud automation and SaaS should consider the following defensive measures:

  • Enhance URL analysis in email security: inspect and, where feasible, detonate links pointing to legitimate SaaS domains (including app.n8n.cloud), following redirects and rendering HTML to uncover hidden scripts, downloads and RMM installers.
  • Sandbox suspicious HTML content: execute HTML attachments and web content in isolated sandboxes to detect dynamic behaviors such as drive‑by downloads or unexpected API calls.
  • Restrict remote image loading: configure corporate email clients to block automatic loading of external images and tracking pixels by default, especially for messages from untrusted senders.
  • Monitor endpoint behavior around RMM tools: use EDR or behavioral analytics to flag unusual installation or use of remote administration software, creation of new services, or outbound connections to unknown management servers.
  • Harden SaaS and automation governance: maintain an inventory of approved automation platforms, apply least-privilege access, and regularly review workflows and webhooks exposed to the internet.
  • Invest in phishing awareness training: educate employees that links to well-known cloud services can still be malicious, and that unexpected “document sharing” emails or CAPTCHA prompts warrant extra scrutiny.
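As an added illustration of the URL-analysis and tracking-pixel points above (this is example code written for this page, not Talos's or n8n's tooling), the following Python triages an HTML email body for n8n webhook references: it separates clickable webhook links from hidden or 1×1 webhook images, and notes when the query string carries an email address that would confirm a live inbox on open. It assumes n8n cloud instances live under `*.app.n8n.cloud` with webhook paths beginning `/webhook`; the sample email body is constructed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed (not from the article): n8n cloud hosts end in .app.n8n.cloud; webhooks live under /webhook.
N8N_HOST_SUFFIX = ".app.n8n.cloud"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)

class _RefCollector(HTMLParser):
    """Collect (tag, url, attributes) for every <a href> and <img src>."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") if tag == "img" else a.get("href")
        if url:
            self.refs.append((tag, url, a))

def is_n8n_webhook(url):
    """True if the URL points at a webhook on an n8n cloud instance."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.endswith(N8N_HOST_SUFFIX) and p.path.startswith("/webhook")

def find_n8n_indicators(html):
    """Flag n8n webhook links and hidden/1x1 webhook images (tracking pixels) in an
    HTML email body, noting whether the query string carries an email address."""
    c = _RefCollector()
    c.feed(html)
    findings = []
    for tag, url, a in c.refs:
        if not is_n8n_webhook(url):
            continue
        q = parse_qs(urlparse(url).query)
        leaks_email = any(EMAIL_RE.search(v) for vals in q.values() for v in vals)
        kind = "link"
        if tag == "img":
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            kind = "tracking_pixel" if (tiny or hidden) else "image"
        findings.append({"kind": kind, "url": url, "email_in_query": leaks_email})
    return findings

# Constructed sample body modelled on the lure and pixel pattern the article describes.
SAMPLE_EMAIL = """<html><body><p>A document has been shared with you.</p>
<a href="https://acme-docs.app.n8n.cloud/webhook/share?id=4821">Open document</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/px?u=jane.doe%40example.org&c=outlook"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.org/logo.png" width="120" height="40"></body></html>"""
```

Run over a mail gateway's quarantined bodies, a `tracking_pixel` finding with `email_in_query` set is a good candidate for blocking remote image loads and for alerting on the recipient's mailbox.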

As low-code, no-code and AI-driven automation platforms become embedded in business processes, their security posture and abuse potential must be treated as a first‑class risk. The same tools that save developers and IT teams hours of work can, without proper controls, provide criminals with industrial‑scale infrastructure for phishing and covert access. Organizations that revisit their trust assumptions about cloud services, strengthen monitoring of automation workflows, and align defenses with a zero‑trust mindset will be far better positioned to detect and disrupt campaigns that abuse platforms like n8n.
