n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
Key Points:
- Threat actors are exploiting n8n, an AI workflow automation platform, to conduct sophisticated phishing campaigns and deliver malware by sending automated emails through webhook URLs hosted on trusted n8n domains.
- Attackers use n8n's webhook functionality to bypass traditional security filters, making malicious payloads appear as if they originate from legitimate, trusted domains, significantly increasing the success rate of their attacks.
- Since October 2025, there has been a sharp rise in phishing emails containing n8n webhook URLs, with a 686% increase in March 2026 compared to January 2025, indicating widespread abuse of the platform.
- One attack method tricks users into completing CAPTCHAs on fake shared-document pages, which then trigger the download of malware disguised as legitimate Remote Monitoring and Management (RMM) tools; the malware maintains persistence via command-and-control servers.
- Another tactic uses invisible tracking pixels hosted on n8n webhook URLs embedded in emails to fingerprint and identify victims when the email is opened, highlighting the dual use of n8n workflows for both malware delivery and reconnaissance.
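
A mail-gateway check for both patterns above (webhook links and hidden tracking pixels), as an added example that is not from the original report. It assumes n8n Cloud hostnames end in `.app.n8n.cloud` and that webhook paths start with `/webhook/` or `/webhook-test/`; the sample message, tenant name and webhook IDs are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the article): n8n Cloud hostnames end in ".app.n8n.cloud"
# and production/test webhook paths start with "/webhook/" or "/webhook-test/".
N8N_HOST_SUFFIXES = (".app.n8n.cloud",)
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")

def is_n8n_webhook(url):
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return host.endswith(N8N_HOST_SUFFIXES) and u.path.startswith(WEBHOOK_PREFIXES)

class _Refs(HTMLParser):
    """Collect (kind, url) for links and images; tiny or hidden images are 'pixel'."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag == "img" and a.get("src"):
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            self.refs.append(("pixel" if tiny or hidden else "image", a["src"]))

def scan_message(raw_bytes):
    """Return sorted [(kind, url)] for n8n webhook URLs found in HTML parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = _Refs()
            p.feed(part.get_content())
            findings.update(r for r in p.refs if is_n8n_webhook(r[1]))
    return sorted(findings)
# Constructed sample message (placeholder tenant name and webhook IDs).
SAMPLE = b"""From: sender@example.com
Content-Type: text/html; charset="utf-8"

<a href="https://tenant-placeholder.app.n8n.cloud/webhook/0000-doc">View document</a>
<a href="https://example.com/help">Help</a>
<img src="https://tenant-placeholder.app.n8n.cloud/webhook/0000-px" width="1" height="1">
"""
if __name__ == "__main__": print(scan_message(SAMPLE))
```

Because legitimate n8n users also send webhook links, a hit is better treated as a signal for quarantine or review than as a verdict on its own.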