[TIMESTAMP: 2026-04-15 20:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Abused n8n Webhooks Facilitate Automated Malware Delivery Since 2025

Severity: HIGH | Threat Intel | Tags: #n8n #phishing #webhooks
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers use automated workflows to send phishing emails that bypass traditional security filters by leveraging trusted infrastructure.
  • [02] Environments using n8n AI workflow automation platforms with publicly accessible webhooks are the primary vector for these campaigns.
  • [03] Defenders must audit n8n instances for unauthorized workflows and restrict webhook access to known, trusted IP ranges.

Overview of n8n Webhook Abuse

Threat actors have been observed weaponizing n8n, a prominent artificial intelligence (AI) workflow automation platform, to orchestrate sophisticated phishing campaigns. According to The Hacker News, this activity has been tracked since October 2025. The core of the campaign involves the abuse of n8n webhooks to automate the delivery of malicious payloads and facilitate device fingerprinting. By utilizing the legitimate infrastructure provided by such platforms, attackers effectively bypass traditional security filters, which often grant higher reputation scores to traffic originating from well-known automation services.

Technical Analysis: Weaponizing AI Workflow Automation

The exploitation involves the creation of automated workflows that are triggered by incoming HTTP requests to a webhook URL. When such a request arrives, the n8n workflow executes a series of pre-defined actions, such as generating an email with a malicious attachment or a link to a compromised site. This method is particularly effective because the TTP shifts the origin of the attack from known-bad infrastructure to the user's or a third party's legitimate n8n instance.

n8n AI Workflow Automation Security and Payload Delivery

Security researchers have noted that these workflows are capable of more than simple email distribution. The automation can be configured to perform device fingerprinting by capturing headers and IP information from the victim’s interaction with the webhook-driven content. This data is then sent back to an attacker-controlled C2 server, allowing the threat actor to tailor subsequent stages of the attack based on the victim’s operating system, browser, and network environment.

Because n8n is often integrated with internal services (such as Slack, Google Workspace, or databases), a compromised or poorly secured instance could serve as a beachhead for further exploitation. The ability to trigger workflows via public webhooks without stringent authentication provides a low-friction entry point for attackers to utilize the platform’s native capabilities for malice.

Impact and Attribution

While specific attribution to a known threat group has not been confirmed in the source material, the campaign reflects a broader trend of leveraging “Living off Trusted Services” (LoTS). This strategy complicates the work of the SOC because the traffic patterns closely resemble legitimate business automation. The primary impact includes the successful delivery of malware through automated emails that appear to originate from trusted internal or partner systems. The persistent nature of this abuse since late 2025 suggests that attackers have found a reliable method for circumventing automated email gateway protections.

Mitigation and Detection Strategies

To detect n8n webhook abuse, analysts should monitor for unusual spikes in webhook activity and for workflow triggers that originate from unfamiliar external IP addresses. Establishing a baseline of normal automation behavior is essential for identifying anomalies that could indicate an active campaign.

To prevent malicious webhook exploitation, organizations should prioritize the following defensive measures:

  • Restrict Webhook Access: Use IP whitelisting or firewall rules to ensure that only trusted services or known IP ranges can trigger n8n webhooks.
  • Workflow Auditing: Regularly audit all active workflows within the platform to identify unauthorized or suspicious configurations, particularly those that involve SMTP nodes or external HTTP requests.
  • Authentication Enforcement: Implement basic authentication or header-based verification for all public-facing webhooks to prevent unauthorized external triggers.
  • Monitor Outbound Traffic: Track outbound connections from the n8n host to identify communication with known-malicious IoC endpoints or unauthorized data exfiltration patterns.
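As an added example (not from the original article, The Hacker News, or the n8n project), the following Python applies the baseline-and-allowlist checks described above to reverse-proxy access-log lines in front of an n8n instance. The log lines, the trusted CIDR ranges, the per-minute baseline, and the webhook paths are all constructed assumptions; the only n8n-specific convention relied on is that webhook triggers are served under the `/webhook/` path prefix.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: nginx "combined" access-log lines from a reverse proxy in front of n8n
# (documentation/RFC 1918 IPs; webhook paths and user agents are made up).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2026:10:00:01 +0000] "POST /webhook/intake-form HTTP/1.1" 200 12 "-" "partner-crm/2.1"
10.20.0.5 - - [15/Apr/2026:10:00:05 +0000] "POST /webhook/intake-form HTTP/1.1" 200 12 "-" "internal-erp/1.0"
198.51.100.7 - - [15/Apr/2026:10:01:00 +0000] "POST /webhook/a1b2c3d4 HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.7 - - [15/Apr/2026:10:01:01 +0000] "POST /webhook/a1b2c3d4 HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.7 - - [15/Apr/2026:10:01:02 +0000] "POST /webhook/a1b2c3d4 HTTP/1.1" 200 12 "-" "curl/8.4.0"
10.20.0.5 - - [15/Apr/2026:10:02:00 +0000] "GET /rest/workflows HTTP/1.1" 200 881 "-" "Mozilla/5.0"
"""

TRUSTED_CIDRS = ["10.20.0.0/16", "203.0.113.0/24"]  # assumed allowlist of integration sources
BASELINE_PER_MIN = 2  # assumed ceiling of triggers per webhook per minute, taken from a baseline

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Pull source IP, timestamp, method, path and status from one combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]  # "15/Apr/2026:10:01" -> one-minute bucket
    return rec

def is_trusted(ip, trusted_nets):
    """True if the source address falls inside one of the allowlisted networks."""
    return any(ipaddress.ip_address(ip) in net for net in trusted_nets)

def analyze(log_text, trusted_cidrs, baseline_per_min):
    """Return webhook triggers from outside the allowlist and per-minute counts above baseline."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    untrusted, per_bucket = set(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/webhook/"):
            continue  # only webhook triggers matter; other n8n endpoints are ignored
        if not is_trusted(rec["ip"], trusted):
            untrusted.add((rec["ip"], rec["path"]))
        per_bucket[(rec["path"], rec["minute"])] += 1
    spikes = sorted((p, m, n) for (p, m), n in per_bucket.items() if n > baseline_per_min)
    return {"untrusted": sorted(untrusted), "spikes": spikes}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, TRUSTED_CIDRS, BASELINE_PER_MIN))
```

On the constructed sample this reports a single untrusted source hammering one webhook path and a per-minute count above the baseline for that same path, while the allowlisted integration traffic and the non-webhook REST call are left alone.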

Maintaining rigorous security for n8n and similar AI workflow automation platforms requires a proactive approach to auditing how automation tools interact with the public internet. Organizations should treat automation platforms as high-value targets because of their extensive permissions and their integration with sensitive business data.
