n8n Webhooks Deliver Malware in Phishing Campaigns
Security researchers at Cisco Talos have identified sustained abuse of the n8n AI workflow automation platform, with threat actors using tti.app.n8n.cloud subdomains to send automated phishing emails and deliver malicious payloads. The activity spans October 2025 through March 2026 and includes campaigns that both distribute malware and fingerprint targeted devices. Attackers abuse the legitimate platform rather than any flaw in it: routing delivery through trusted infrastructure lets the messages slip past email filters and reputation-based defenses. Organizations should treat third-party workflow automation endpoints as risky, review allowlists, tighten account registration controls, and add webhook monitoring to email security and threat-hunting processes.
What happened
Cisco Talos uncovered sustained misuse of the n8n workflow automation platform, showing threat actors creating developer-hosted endpoints on tti.app.n8n.cloud and using those endpoints to send automated phishing emails that deliver malicious payloads or fingerprint devices. The timeline runs from October 2025 through March 2026, and researchers observed the abuse emerging in multiple campaigns that leverage n8n's legitimate automation features to evade conventional detection. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access," Cisco Talos wrote.
Technical details
The abuse relies on n8n's normal feature set: account creation yields a subdomain, workflows can expose webhooks and call external APIs, and hosted endpoints may be reachable without authentication and with little monitoring. Key mechanics observed include:
- Creating free developer or trial accounts that provision subdomains under tti.app.n8n.cloud
- Configuring workflows to send bulk or targeted emails using the platform's email or webhook capabilities
- Hosting payloads or redirectors on the provisioned subdomain to avoid reputation-based blocking
- Using automation to fingerprint victim environments before delivering a final payload
These behaviors give attackers the operational benefit of trusted TLS certificates and good domain reputation, which reduces the chance that email gateways or URL scanners will flag the messages. Cisco Talos documented specific examples and behavioral indicators that defenders can monitor in network and email telemetry.
Context and significance
This is the latest example in a broader trend where legitimate productivity and low-code platforms such as Zapier and Softr.io are weaponized for phishing and malware delivery. Security teams increasingly face adversaries who abuse third-party SaaS infrastructure to blend malicious activity with benign traffic. For defenders this changes assumptions: allowlisting vendor domains or IP ranges is no longer a full defense, because abused accounts create low-friction, high-reputation delivery channels. The trend also underscores how agentic AI features in modern automation platforms expand attacker capability to orchestrate personalized, automated campaigns at scale.
What to watch
Monitor for unusual account provisioning, spikes in outbound email activity originating from workflow subdomains, and any redirects hosted on tti.app.n8n.cloud. Vendors and enterprises should expect additional disclosures and possibly mitigations from n8n, and defenders should update detection rules and threat hunting playbooks to include workflow automation telemetry. Practical mitigations include tightening registration controls, enforcing multi-factor authentication and billing validation, blocking or scrutinizing third-party subdomains in high-risk contexts, and integrating webhook behavior into DLP and email-gateway policies.
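As an added example (not code from the Talos report or from the n8n project), the following hunt implements the behavioral indicators described above and under "Technical details": it scans constructed email-gateway and proxy telemetry for URLs hosted under app.n8n.cloud (the report names tti.app.n8n.cloud specifically), tags those that look like workflow webhooks, records when each host was first seen, and raises a spike when a (source, host) pair produces several hits inside a short window. The "ts|source|actor|url" log format, the field names, the /webhook/ and /webhook-test/ path convention, and the window and threshold values are assumptions for illustration; the sample lines are constructed, not captured.

```python
"""Hunt for n8n-hosted webhook and redirector URLs in email and proxy telemetry.

Added example, not from the Cisco Talos report. The log format, field names,
WEBHOOK_PATH convention, window and threshold are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts under app.n8n.cloud; the report names tti.app.n8n.cloud specifically.
# Anchoring on the zone suffix rejects lookalikes such as app.n8n.cloud.attacker.test.
N8N_HOST = re.compile(r"(^|\.)app\.n8n\.cloud$", re.IGNORECASE)
# Assumption: n8n workflow webhooks are served under /webhook/ or /webhook-test/.
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/", re.IGNORECASE)

# Constructed sample telemetry in a hypothetical "ts|source|actor|url" format.
# "mailgw" lines are inbound mail with an extracted URL; "proxy" lines are web egress.
SAMPLE_LOG = """\
2026-01-14T09:00:01Z|mailgw|invoices@vendor.test|https://tti.app.n8n.cloud/webhook/abc123
2026-01-14T09:00:05Z|mailgw|hr@corp.test|https://intranet.corp.test/policy.pdf
2026-01-14T09:01:12Z|mailgw|noreply@vendor.test|https://tti.app.n8n.cloud/webhook/abc123?u=2
2026-01-14T09:02:40Z|mailgw|alerts@vendor.test|https://TTI.app.n8n.cloud/webhook-test/x
2026-01-14T09:03:02Z|proxy|10.0.0.12|https://tti.app.n8n.cloud/webhook/abc123
2026-01-14T09:03:09Z|proxy|10.0.0.12|https://app.n8n.cloud.attacker.test/webhook/abc123
2026-01-14T10:30:00Z|mailgw|it@corp.test|https://docs.n8n.io/
"""


def parse_line(line):
    """Split one telemetry line into its fields; timestamps are ISO 8601 UTC."""
    ts, source, actor, url = line.split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "source": source,
        "actor": actor,
        "url": url,
    }


def classify_url(url):
    """Return (is_n8n_host, is_webhook_path, host) for a URL."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return bool(N8N_HOST.search(host)), bool(WEBHOOK_PATH.match(parts.path)), host


def hunt(log_text, window=timedelta(minutes=5), spike_threshold=3):
    """Flag n8n-hosted URLs and bursts of them per (source, host) inside a window."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        on_n8n, webhook, host = classify_url(ev["url"])
        if on_n8n:
            hits.append({**ev, "host": host, "webhook": webhook})

    first_seen = {}
    per_key = defaultdict(list)
    for h in sorted(hits, key=lambda e: e["ts"]):
        first_seen.setdefault(h["host"], h["ts"])
        per_key[(h["source"], h["host"])].append(h["ts"])

    # Sliding window: a (source, host) pair spikes when >= threshold hits fall in one window.
    spikes = []
    for key, stamps in per_key.items():
        j = 0
        for i, t in enumerate(stamps):
            while stamps[j] < t - window:
                j += 1
            if i - j + 1 >= spike_threshold:
                spikes.append(key)
                break
    return {"hits": hits, "spikes": spikes, "first_seen": first_seen}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for h in result["hits"]:
        kind = "webhook" if h["webhook"] else "other"
        print(h["ts"].isoformat(), h["source"], h["actor"], h["host"], kind)
    print("spikes:", result["spikes"])
    print("first seen:", {k: v.isoformat() for k, v in result["first_seen"].items()})
```

On the sample input the hunt flags the four tti.app.n8n.cloud URLs (case-folded, query string ignored), ignores docs.n8n.io and the lookalike host, and reports a spike for the mail gateway because three messages carrying the same webhook host arrived within five minutes. The first-seen table is what turns a new n8n subdomain into a triage signal even before any volume threshold trips; in production the window and threshold should be tuned against a baseline of legitimate n8n traffic in the environment.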
Scoring Rationale
This is a notable operational shift: abuse of workflow automation platforms materially raises phishing and malware delivery risk for enterprises. The finding is actionable for defenders and likely to prompt vendor and security-control changes, but it is not a new foundational discovery.