ONE Sentinel

Security/THREATS/HIGH

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

Source: The Hacker News
April 15, 2026

EXECUTIVE SUMMARY

n8n Webhooks Exploited for Phishing Attacks Since October 2025

Summary

The article discusses the exploitation of n8n, an AI workflow automation platform, by threat actors since October 2025. These actors have been using n8n webhooks to conduct phishing campaigns and deliver malware via automated emails.

Key Points

  • n8n, a workflow automation platform, is being abused by threat actors.
  • The exploitation began in October 2025.
  • Attackers use n8n webhooks to send phishing emails and deliver malicious payloads.
  • The method allows attackers to bypass traditional security filters by leveraging trusted infrastructure.
  • The attacks also involve device fingerprinting to gather more information about targets.

Analysis

The exploitation of n8n webhooks represents a significant threat as it utilizes a trusted platform to bypass security measures. This tactic highlights the increasing sophistication of phishing campaigns, where attackers exploit legitimate services to enhance the credibility of their attacks. The ability to fingerprint devices further increases the threat level by potentially allowing attackers to tailor their payloads or subsequent attacks.

Conclusion

IT professionals should be aware of the potential misuse of legitimate platforms like n8n in phishing campaigns. It is recommended to enhance email security measures and monitor for unusual activities involving workflow automation tools to mitigate such threats.
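One way to act on the monitoring recommendation above, as an added example that is not from the original article: a mail-pipeline check that flags messages linking to n8n Cloud webhook endpoints. The hostname suffix and path prefixes are assumptions about n8n Cloud's URL layout, not details given on this page, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumption (not stated on this page): n8n Cloud serves webhooks at
# https://<workspace>.app.n8n.cloud/webhook/<path>.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def find_n8n_webhook_links(raw_email: str) -> list[str]:
    """Return de-duplicated n8n Cloud webhook URLs found in any text part."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            try:
                parsed = urlsplit(url)
            except ValueError:
                continue  # malformed URL, e.g. a broken IPv6 literal
            host = (parsed.hostname or "").lower().rstrip(".")
            # Suffix match on the parsed host rejects lookalikes such as
            # app.n8n.cloud.example.net that a substring search would accept.
            if host.endswith(N8N_CLOUD_SUFFIX) and parsed.path.startswith(WEBHOOK_PREFIXES):
                if url not in hits:
                    hits.append(url)
    return hits

# Constructed sample message; every address and URL is a placeholder.
SAMPLE_EML = """\
From: "Shared Docs" <noreply@example.com>
To: user@example.org
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open: https://tenant-placeholder.app.n8n.cloud/webhook/doc-1234
Help: https://app.n8n.cloud.example.net/webhook/lookalike

--b1
Content-Type: text/html; charset="utf-8"

<a href="https://tenant-placeholder.app.n8n.cloud/webhook/doc-1234">Open</a>
<a href="https://docs.example.org/webhook/info">Docs</a>
--b1--
"""

if __name__ == "__main__":
    print(find_n8n_webhook_links(SAMPLE_EML))
```

A hit is a triage signal rather than a verdict, since organizations that use n8n legitimately will also send such links; an allowlist of known workspaces keeps the alert volume manageable.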