THREAT actors have been observed weaponising n8n, a popular AI workflow automation platform, to send automated emails that enable sophisticated phishing campaigns, deliver malicious payloads or fingerprint recipients' devices, according to Cisco Talos researchers Sean Gallagher and Omid Mirzaei. The researchers note that the actors abuse webhooks exposed as URLs under the shared *.app.n8n[.]cloud subdomain, so that links in the emails carry the veneer of legitimacy of a trusted domain.
They report that the volume of emails containing these URLs in March 2026 was about 686% higher than in January 2025. In one campaign, an n8n-hosted webhook link was embedded in emails claiming to be a shared document; clicking the link leads to a CAPTCHA page, and completion triggers a download of a malicious payload from an external host.
The end goal is to deliver an executable or MSI installer that deploys modified Remote Monitoring and Management (RMM) tools and establishes persistence via a command-and-control server; another variant uses an invisible tracking pixel to harvest recipient data. The findings underscore how low-code automation platforms can be repurposed to automate malware delivery and fingerprinting, raising calls for security teams to treat these tools as assets rather than liabilities.
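As an added example (not from the Talos report), the following Python scans the HTML body of an email for both lures described above: links to webhooks under *.app.n8n.cloud and tiny image tags that point at the same domain (tracking pixels). The sample email is constructed for the demonstration, and the `/webhook/` and `/webhook-test/` path prefixes are an assumption about how n8n exposes webhook endpoints, not something the report states.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Any customer subdomain under the shared n8n cloud domain (from the report).
N8N_CLOUD_RE = re.compile(r"^(?:[a-z0-9-]+\.)+app\.n8n\.cloud$", re.I)
# Assumed n8n webhook path prefixes; adjust if your instance differs.
WEBHOOK_PATH_RE = re.compile(r"^/webhook(?:-test)?/", re.I)


def refang(url: str) -> str:
    """Undo common defanging ("hxxp", "[.]") so defanged IoCs in reports parse."""
    return url.replace("[.]", ".").replace("hxxp", "http")


class _LinkCollector(HTMLParser):
    """Collects anchor hrefs and image srcs, marking 1x1/0x0 images as pixels."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []  # (url, kind)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.found.append((a["href"], "link"))
        elif tag == "img" and a.get("src"):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.found.append((a["src"], "pixel" if tiny else "image"))


def scan_email_html(html: str) -> list[dict]:
    """Return every n8n-cloud URL in the body with its kind and webhook flag."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for raw, kind in parser.found:
        url = refang(raw)
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not N8N_CLOUD_RE.match(u.hostname or ""):
            continue
        findings.append({"url": url, "kind": kind, "webhook": bool(WEBHOOK_PATH_RE.match(u.path))})
    return findings


# Constructed sample: a "shared document" lure plus a 1x1 tracking pixel.
SAMPLE_EMAIL = """<html><body>
<p>A document has been shared with you.</p>
<a href="hxxps://acme-docs[.]app[.]n8n[.]cloud/webhook/7f3a-view">Open shared document</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/px?id=42" width="1" height="1">
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL):
        print(f)
```

Triage the output in context: a legitimate automation notice may also link to a tenant's own n8n instance, so the webhook flag combined with an unexpected sender or a pixel is the signal, not the domain alone.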