Hacking

n8n Webhook Abuse: How Attackers Turn Automation into Phishing

Published  ·  6 min read

n8n webhook abuse

A popular open-source workflow automation platform is being turned against its users. Threat actors have discovered how to abuse n8n, a tool designed to connect apps, APIs, and AI services to deliver malware and track victims through phishing emails.

According to a new report from Cisco Talos, attackers are leveraging n8n’s webhook feature to bypass traditional email security filters. The webhooks run on trusted subdomains to make it seem like the malicious links are legitimate, thereby increasing the odds of getting recipients to click on the links. 

Abuse of n8n Webhooks

n8n allows users to set up automated workflows based on incoming data via webhook URLs which are unique to each user; thus, n8n’s webhook feature has been abused by cybercriminals for their own purposes.

Cybercriminals have been leveraging the n8n webhook feature to conduct phishing attacks. Since October 2025, attackers have sent phishing emails containing embedded n8n webhook links that lead the victim to an HTTPS page requesting completion of a CAPTCHA.

When the user clicks on the n8n webhook URL, the following occurs:

1.  The victim is taken to a web page that contains a CAPTCHA.
2.  When the CAPTCHA is completed, a malicious payload (most commonly an executable or MSI) is downloaded by the victim’s computer.
3.  The malicious payload will then install modified versions of legitimate Remote Monitoring and Management tools (e.g., Datto or ITarian) to allow ongoing control/access to the victim’s computer.

Because all steps above take place as a result of the execution of JavaScript hosted on the n8n domain, the malware appears as though it came from n8n and are thus successful in circumventing numerous security solutions.

A Second Dangerous Use: Device Fingerprinting

Another potential malicious usage of n8n is to create a device fingerprinting. Attackers can use hidden image tracking pixels inside email, which will be executed by visiting the n8n webhook when the email recipient opens the email. This then sends an HTTP request from the recipient's device to the n8n webhook which then captures the emailing person's device IP address, email client and any additional helpful data used by the attacker.

According to Cisco Talos, they reported a 686% increase in the number of email messages sent with n8n webhooks URL from January 2025 to March 2026; therefore, this is a quickly growing technique used by attackers.

Why This Attack Is Effective

The reason this attack method is strong is because it has both simplicity and legitimacy. For example:
1. As per n8n, it is a widely used and trusted automation tool.
2. The n8n webhook has a trusted subdomain affiliation.
3. The execution of an n8n webhook is relatively non-technical; therefore, the threat will be a single click with a CAPTCHA confirmation.
4. The device fingerprint is delivered as a sophisticated payload while also maintaining plausible deniability.

Once n8n is on the compromised device, it will establish persistence, allow the harvesting of credentials, and enable remote access to the device.

How to Protect Yourself and Your Organization

Right now, here are some things you can do to help:

1. Be extremely careful of unexpected emails with links to documents or files shared.
2. Do not click on links in unsolicited emails, even if they appear professionally created.
3. To limit the ability to track pixels from loading, disable automatic image loading in your email application.
4. Use advanced email security tools to detect abnormal webhook URLs and abnormal JavaScript behavior.
5. After clicking on an email link, watch for whether there have been any suspicious executable or installer downloads.
6. Train your staff to recognize social engineering tactics that attempt to create urgency around "Important Documents".

For organizations that legitimately use n8n:

1. Limit and evaluate webhook activity.
2. Watch webhooks for abnormal volume or source.
3. Consider establishing more restrictive access laws for automation workflows.

Conclusions

An alarming pattern has emerged with the misuse of n8n, where attackers are taking advantage of lawful productivity and automation solutions to embed malware into their operations through these solutions. What should have been a tool to improve productivity and save time has been exploited by attackers to be productive and execute their operations on a broader basis than ever before.

Given the growing suite of these tools, security teams should implement the same diligence when using AI Workflow tools as they do when using any other Internet Foo.  Awareness, correct configuration and email security are your primary protection methodologies in combating this new and emerging threat landscape.

FAQ Section

Q1. What is n8n? 
N8N is a free open-source tool that helps you to automatically connect various applications, APIs, and Artificial Intelligence services together through your PC and/or other devices to help automate repetitive tasks you perform on those devices.

Q2. How are malicious actors misusing n8n? 
Cybercriminals are creating fake malicious webhook URLs on trusted subdomain names (example: "mail.n8n.io", "web.n8n.io") of n8n as a way to deliver malware to users’ computers and track whether users have opened emails by sending requests to those webhook URLs when emails are opened.

Q3. What are the purposes of n8n phishing campaigns? 
The main purpose of these phishing campaigns is to deliver Remote Monitoring and Management (RMM) tools that provide continued access to the infected user’s PC, as well as to create a fingerprint that will allow attackers to target infected devices for future attacks.

Q4. What can I do to protect myself from n8n webhook attacks? 
BE AWARE of clicking on any links contained in unsolicited emails. Disable the automatic downloading of images in your email client. Use email security solutions that go beyond traditional methods of detection (e.g., use of DKIM and SPF records and domain reputation checks).

Q5. Is n8n being utilized for malicious purposes? 
NO. N8N is not classified as a malicious tool. However, many hackers use the publicly available webhook feature of n8n as a means to distribute malware.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067