n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

Threat actors are exploiting n8n, a legitimate AI workflow automation platform, to conduct sophisticated phishing campaigns since October 2025. By weaponizing trusted infrastructure, attackers bypass traditional security filters to deliver malicious payloads and fingerprint victim devices through automated emails. This technique leverages the credibility of established platforms to evade detection, making phishing attempts appear more legitimate. Organizations should monitor for suspicious n8n workflow executions, implement email filtering rules that flag automated messages from workflow tools, and educate users about phishing emails using trusted platform lures. Security teams should verify the legitimacy of automated communications and consider blocking or scrutinizing emails originating from automation platforms.

Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery

Threat actors are exploiting n8n, a legitimate AI workflow automation platform, to conduct sophisticated phishing campaigns since October 2025. By weaponizing trusted infrastructure, attackers bypass traditional security filters to deliver malicious payloads and fingerprint victim devices through automated emails. This technique leverages the credibility of established platforms to evade detection, making phishing attempts appear more legitimate. Organizations should monitor for suspicious n8n workflow executions, implement email filtering rules that flag automated messages from workflow tools, and educate users about phishing emails using trusted platform lures. Security teams should verify the legitimacy of automated communications and consider blocking or scrutinizing emails originating from automation platforms. Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery