n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

Summary

Threat actors are exploiting n8n, an AI workflow automation platform, to conduct phishing campaigns and deliver malware. By using n8n, attackers can bypass traditional security filters and leverage trusted infrastructure to deliver malicious payloads or fingerprint devices via automated emails.

IFF Assessment

FOE

Attackers are weaponizing a legitimate tool to bypass defenses, indicating a new attack vector that defenders must be aware of.

Defender Context

This highlights the growing trend of attackers abusing legitimate software and cloud services to bypass security controls. Defenders should monitor for unusual activity originating from workflow automation tools and focus on advanced email filtering and endpoint detection capabilities.
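One way to apply the email-filtering advice above: flag messages whose HTML body links to, or auto-loads an image from, an n8n webhook. This is an added example, not code from the original report; the `<tenant>.app.n8n.cloud` hostname and `/webhook/` path patterns are assumptions not stated on this page, and the sample message is constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (not from the page): n8n cloud webhooks live at
# https://<tenant>.app.n8n.cloud/webhook/... ; self-hosted n8n is not covered.
N8N_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")

class _RefCollector(HTMLParser):
    """Collect (kind, url) for clickable links and auto-loaded images."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.refs.append(("link", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.refs.append(("image", attrs["src"]))

def is_n8n_webhook(url):
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL in the message body
        return False
    return host.endswith(N8N_SUFFIX) and parts.path.startswith(WEBHOOK_PREFIXES)

def find_n8n_webhooks(raw_message):
    """Return sorted (kind, url) pairs from HTML parts that point at n8n webhooks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _RefCollector()
            collector.feed(part.get_content())
            hits.update(ref for ref in collector.refs if is_n8n_webhook(ref[1]))
    return sorted(hits)

# Constructed sample message; the tenant name and webhook ids are placeholders.
SAMPLE = """\
Subject: Shared document
Content-Type: text/html; charset="utf-8"

<a href="https://tenant-placeholder.app.n8n.cloud/webhook/doc-0000">Open</a>
<img src="https://tenant-placeholder.app.n8n.cloud/webhook/open-0000" width="1">
<a href="https://n8n.io/pricing">n8n</a>
"""
```

An `image` hit is fetched as soon as the mail client renders remote content, which fits the device-fingerprinting use the summary mentions, while a `link` hit requires a click.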
