n8n Webhook Abuse Since October 2025: How Threat Actors Weaponized Cloud Workflows for Phishing and Malware Delivery
Since October 2025, cybersecurity researchers have observed a sharp increase in the abuse of cloud-based workflow automation platforms, particularly n8n, by threat actors. These attackers are leveraging exposed webhook URLs hosted on the *.app.n8n.cloud domain to orchestrate phishing campaigns, deliver malware payloads, and fingerprint victim devices.
Understanding the Attack Vector
n8n is a popular open-source workflow automation tool that allows users to connect applications and automate processes using webhooks. However, the same flexibility and accessibility have made it an attractive platform for malicious actors to abuse.
According to threat intelligence reports from Cisco Talos, attackers are exploiting publicly accessible webhook endpoints to host phishing pages and dynamically deliver malicious content. These campaigns often rely on:
- Cloud-hosted phishing pages on trusted domains
- Webhook-triggered payload delivery mechanisms
- Device fingerprinting scripts to tailor attacks
- CAPTCHA-based evasion techniques
Phishing Campaign Mechanics
The attack chain typically begins with phishing emails that impersonate trusted organizations. Victims are directed to n8n-hosted pages, which appear legitimate due to their association with a known cloud service.
Once the victim lands on the page, a CAPTCHA challenge is often presented. This step serves two purposes:
- Bypass automated security scanners
- Validate that the visitor is a human target
After successful CAPTCHA completion, the workflow triggers a webhook that fetches a malicious payload tailored to the victim's environment.
Weaponization of RMM Tools
One of the most concerning aspects of these campaigns is the use of legitimate Remote Monitoring and Management (RMM) tools such as Datto and ITarian. Attackers modify these installers to establish persistent remote access on compromised systems.
By leveraging trusted software, attackers can:
- Avoid detection by traditional antivirus solutions
- Blend in with legitimate IT operations
- Maintain long-term persistence within target environments
Device Fingerprinting and Targeting
Advanced campaigns incorporate device fingerprinting techniques to collect information such as:
- Operating system and browser type
- Geolocation data
- Installed security tools
This data allows attackers to adjust payloads dynamically, increasing the success rate of infection. For example, users on corporate networks may receive different payloads than users on personal devices.
Spike in Webhook-Based Phishing Activity
Cisco Talos reports a significant surge in webhook-related phishing campaigns since late 2025. Key observations include:
- 300% increase in phishing URLs hosted on automation platforms
- Sharp rise in abuse of trusted cloud domains
- Increased use of CAPTCHA-based delivery mechanisms
This trend highlights a shift in attacker strategy—from traditional phishing infrastructure to leveraging legitimate SaaS platforms for increased credibility and resilience.
Why n8n is Being Targeted
Several factors make n8n an appealing platform for attackers:
- Ease of creating and deploying workflows
- Publicly accessible webhook endpoints
- Trusted cloud-hosted domain reputation
- Ability to dynamically modify payload delivery
Mitigation and Defensive Strategies
Organizations can reduce risk by implementing the following measures:
- Restrict access to webhook endpoints using authentication
- Monitor outbound traffic to suspicious cloud domains
- Educate users about phishing tactics involving trusted platforms
- Deploy endpoint detection and response (EDR) solutions
- Block unauthorized RMM tool installations
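The first item above, restricting webhook endpoints with authentication, is the control that keeps a workflow owner's own endpoints from being triggered by anyone who discovers the URL. The following added example (not n8n's own code, and not from the article) shows one generic way to do it: the caller signs the request body with a shared secret, and the receiver refuses to act on anything unsigned, mis-signed or stale. The header names, the secret and the replay window are assumptions chosen for the example.

```python
"""Verify that an inbound webhook request carries a valid shared-secret
signature before the workflow acts on it.

Added example, not n8n's own code. Assumptions: the workflow owner holds a
shared secret, the caller sends the HMAC-SHA256 of "timestamp.body" in an
X-Signature header and a Unix timestamp in X-Timestamp, and anything
unsigned, mis-signed or older than MAX_SKEW_SECONDS is rejected.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

MAX_SKEW_SECONDS = 300  # assumed replay window: reject signed requests older than this


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Caller side: hex HMAC-SHA256 over 'timestamp.body'.

    Binding the timestamp into the signed message means an attacker who
    captures one valid request cannot replay it indefinitely.
    """
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side: return (accepted, reason).

    The workflow must not touch the payload until this returns True.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = sign(secret, ts, body)
    # Constant-time comparison so the check does not leak how many
    # characters of the signature matched.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demonstration: one valid request, then a tampered body.
    secret = b"constructed-shared-secret"
    body = b'{"event":"ticket.created"}'
    ts = int(time.time())
    good = {"X-Timestamp": str(ts), "X-Signature": sign(secret, ts, body)}
    print(verify_webhook(secret, good, body))
    print(verify_webhook(secret, good, body + b" ", now=ts))
```

The secret must live in the workflow's credential store rather than in the webhook URL, since URLs end up in proxy logs, browser history and referrer headers. n8n's Webhook node offers header and basic authentication options that serve the same purpose; the HMAC scheme here is a generic illustration rather than a description of that feature.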
Security teams should also adopt threat intelligence feeds to detect emerging patterns in webhook-based attacks and automation platform abuse.
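Monitoring outbound traffic for this pattern is concrete enough to script. The added example below (not from the article or from Cisco Talos) triages web-proxy records for two signals the campaign description gives us: a client reaching a webhook endpoint under *.app.n8n.cloud, and the same client fetching an installer shortly afterwards, which is the CAPTCHA-then-payload sequence described earlier. The log format, host names and sample lines are constructed; the /webhook/ and /webhook-test/ path prefixes are n8n's default webhook routes and are treated here as an assumption to adjust per deployment.

```python
"""Triage proxy logs for the n8n-cloud webhook-then-installer pattern.

Added example, not the article's or Cisco Talos's code. The log format
(timestamp src method url status content-type) and every host, IP and
file name below are constructed for the demonstration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed: domains of workflow-automation SaaS whose webhook hits deserve a look.
AUTOMATION_CLOUD_SUFFIXES = (".app.n8n.cloud",)
# Assumed: n8n's default production and test webhook route prefixes.
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip")
INSTALLER_TYPES = ("application/x-msdownload", "application/x-msi",
                   "application/octet-stream")
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed: webhook hit -> download gap

# Constructed sample: a benign documentation visit, one client that completes
# a "captcha" webhook and pulls an installer 41 seconds later, and a test hook.
SAMPLE_LOG = """\
2025-11-04T09:10:12Z 10.0.4.8 GET https://docs.n8n.io/workflows/ 200 text/html
2025-11-04T09:12:01Z 10.0.4.21 GET https://acme-verify.app.n8n.cloud/webhook/captcha-ok 200 text/html
2025-11-04T09:12:40Z 10.0.4.21 GET https://acme-verify.app.n8n.cloud/webhook/deliver 302 text/html
2025-11-04T09:12:41Z 10.0.4.21 GET https://files.example.net/support/RemoteAgentSetup.exe 200 application/x-msdownload
2025-11-04T10:30:00Z 10.0.4.33 GET https://team-ops.app.n8n.cloud/webhook-test/ping 200 application/json
"""


def parse_line(line: str) -> Optional[Dict]:
    """Split one proxy record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, ctype = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"when": when, "src": src, "method": method, "url": url,
            "status": status, "ctype": ctype}


def is_automation_webhook(url: str) -> bool:
    """True for a webhook route on an automation-cloud host (suffix match on
    the hostname, so look-alike domains such as app.n8n.cloud.evil.example
    do not match)."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return host.endswith(AUTOMATION_CLOUD_SUFFIXES) and u.path.startswith(WEBHOOK_PREFIXES)


def is_installer(url: str, ctype: str) -> bool:
    """True when either the path extension or the content type says 'installer'."""
    path = urlparse(url).path.lower()
    return path.endswith(INSTALLER_EXTS) or ctype.lower() in INSTALLER_TYPES


def triage(log_text: str) -> List[Dict]:
    """Return alerts in log order. Assumes records are chronological per source.

    - medium: any request to an automation-cloud webhook route
    - high:   an installer download by a client that hit such a webhook
              within CORRELATION_WINDOW beforehand
    """
    alerts: List[Dict] = []
    last_webhook: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_automation_webhook(rec["url"]):
            last_webhook[rec["src"]] = rec["when"]
            alerts.append({"severity": "medium", "src": rec["src"], "when": rec["when"],
                           "url": rec["url"],
                           "reason": "request to workflow-automation webhook endpoint"})
        elif is_installer(rec["url"], rec["ctype"]):
            seen = last_webhook.get(rec["src"])
            if seen is not None and rec["when"] - seen <= CORRELATION_WINDOW:
                alerts.append({"severity": "high", "src": rec["src"], "when": rec["when"],
                               "url": rec["url"],
                               "reason": "installer download shortly after webhook hit"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"].upper(), a["src"], a["when"].isoformat(), a["reason"], a["url"])
```

An installer download on its own raises nothing here, because software downloads are routine; it is the sequence (webhook hit on a trusted automation domain, then a download from the same client) that distinguishes the campaign flow from ordinary use of n8n. Legitimate internal n8n workflows will also produce medium alerts, so the suffix list and an allowlist of sanctioned workflow hostnames should be maintained together.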
NeuraCyb's Assessment
The abuse of n8n webhooks marks a significant evolution in phishing and malware delivery tactics. By leveraging trusted cloud infrastructure, attackers are bypassing traditional defenses and increasing their success rates. As automation platforms continue to grow in popularity, securing these environments will become a critical priority for organizations worldwide.
Reference Links and Sources