Since late 2025, attackers have been integrating n8n webhooks into their email campaigns. These URLs, originally designed as 'ears' that listen for events from connected applications (such as Slack or Gmail), are being repurposed as delivery vehicles for dynamic attacks.
By leveraging a trusted platform, the attackers manage to:
Bypass security filters: the emails are not blocked because their links point to a legitimate cloud service.
Execute dynamic content: unlike a static link, a webhook lets the attacker change the delivered payload in real time depending on who clicks it.
Malware downloads disguised behind a CAPTCHA:
The campaigns detected so far simulated OneDrive shared folders. When the user clicked the n8n link, they were shown a CAPTCHA whose purpose was to filter out automated security scanners. After solving it, the user downloaded an executable that installed remote administration tools (RATs) and ran malicious PowerShell scripts.
Infection via modified MSI files:
On other occasions the webhooks delivered Windows installer files (.MSI) containing a 'backdoor'. Once the package was run through msiexec.exe, the backdoor allowed silent exfiltration of sensitive data from the system.
Device Fingerprinting:
The attackers use n8n workflows to collect technical metadata about the victim (operating system, browser, IP address). This reconnaissance phase lets them tailor the subsequent stages of the attack, ensuring that the malware sent is compatible with the target's system.
The problem lies in 'implicit trust': businesses routinely allow traffic to productivity tools, and attackers exploit that gap to operate from infrastructure that appears harmless, which makes detection extremely difficult for signature-based or domain-reputation methods.
Recommendations and Mitigation
Cisco Talos recommends the following measures for organizations using n8n or similar tools (Zapier, Make, etc.):
Webhook Monitoring: implement security policies that restrict the unsupervised creation of public webhooks, and monitor outbound traffic to these services.
Network Segmentation: Ensure that environments where these automations run are isolated from critical assets.
User Education: Reinforce phishing training, warning users that attackers now use verification pages (like CAPTCHAs) to provide a false sense of security.
Suspicious Behavior Analysis: since domain-based indicators of compromise (IoCs) are ineffective here, prioritize monitoring for suspicious behaviors such as unexpected PowerShell executions or unusual msiexec.exe processes.
Talos continues to investigate this trend as it expands rapidly. The misuse of automation platforms is expected to keep evolving, potentially integrating with other 'Low-Code/No-Code' tools to build more complex and automated attacks.
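To make the webhook-monitoring and behavior-analysis recommendations above concrete, here is an added example (not code from Talos or the n8n project) that scans constructed endpoint and proxy telemetry for quiet msiexec.exe installs from user-writable paths, PowerShell spawned by a downloaded executable, and outbound calls to webhook endpoints on hosts that are not on an allowlist. The /webhook/ path prefix follows n8n's default routing; the host names, file paths and event format are assumptions.

```python
import re
from urllib.parse import urlparse

# n8n serves webhooks under /webhook/ and /webhook-test/; hosts that run your own
# workflows are allowlisted here (assumption: adjust both to your deployment).
WEBHOOK_PATHS = ("/webhook/", "/webhook-test/")
APPROVED_WEBHOOK_HOSTS = {"automation.corp.example"}
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\", re.I)
QUIET_FLAGS = re.compile(r"(^|\s)/(qn|quiet|q)\b", re.I)
MSI_SOURCE = re.compile(r'/i\s+(?:"([^"]+\.msi)"|(\S+\.msi))', re.I)

# Constructed sample telemetry (not from the Talos report): process-creation
# events and proxy records of outbound HTTP requests from one workstation.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Users\ana\Downloads\OneDrive_Share.exe",
     "cmdline": r"msiexec.exe /i C:\Users\ana\Downloads\OneDrive_Share.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\ana\Downloads\OneDrive_Share.exe", "cmdline": "powershell.exe -nop -w hidden -File stage2.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": r"msiexec.exe /i C:\ProgramData\Corp\agent.msi /qn"},  # managed deployment, benign
    {"type": "http", "url": "https://example.app.n8n.cloud/webhook/8f2c-share", "initiator": "firefox.exe"},
    {"type": "http", "url": "https://automation.corp.example/webhook/ticket-sync", "initiator": "svc-helpdesk.exe"},
]

def check_process(ev):
    """Behavioural checks for one process-creation event; returns a finding or None."""
    image = ev["image"].lower()
    if image.endswith("\\msiexec.exe") and QUIET_FLAGS.search(ev["cmdline"]):
        m = MSI_SOURCE.search(ev["cmdline"])
        src = (m.group(1) or m.group(2)) if m else ""
        # Quiet installs are normal for managed software, suspicious from downloads or URLs.
        if src.lower().startswith(("http://", "https://")) or USER_WRITABLE.search(src):
            return "msiexec quiet install from untrusted source: " + src
    if image.endswith("\\powershell.exe") and USER_WRITABLE.search(ev["parent"]):
        return "powershell spawned by user-writable parent: " + ev["parent"]
    return None

def check_http(ev):
    """Flag outbound calls to webhook endpoints on hosts the organization does not operate."""
    u = urlparse(ev["url"])
    if u.path.startswith(WEBHOOK_PATHS) and u.hostname not in APPROVED_WEBHOOK_HOSTS:
        return f"outbound call to unapproved webhook {u.hostname}{u.path} by {ev['initiator']}"
    return None

def scan(events):
    """Run the matching check on each event and collect the findings in order."""
    hits = [check_process(e) if e["type"] == "process" else check_http(e) for e in events]
    return [h for h in hits if h]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print("ALERT:", finding)
```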