The n8n n8mare: How threat actors are misusing AI workflow automation
Investigation reveals widespread abuse of n8n, an AI workflow automation platform, in phishing campaigns observed from October 2025 through March 2026. Attackers exploit the platform's webhook feature: the link in the email points at a webhook on a legitimate n8n domain, which passes reputation-based filters, while the workflow behind the webhook masks the real source of the malicious payload. Email volume containing n8n webhook URLs increased by 686% between January 2025 and March 2026. Observed campaigns use CAPTCHA-protected pages to deliver remote access tools, including modified Datto RMM and ITarian Endpoint Management software, and embed webhook-backed tracking pixels in emails to fingerprint recipients' devices. These attacks demonstrate how legitimate productivity and automation platforms can be weaponized, and why protecting organizational workflows requires behavioral detection rather than simple domain blocking.
AI Analysis
Technical Summary
Talos attributes the activity to the actor it tracks as UAT-10362. The abuse turns on a legitimate n8n feature: any workflow owner can expose an HTTP endpoint at https://<tenant>.app.n8n.cloud/webhook/<path>, and the workflow behind it decides what the response is, whether a redirect, a file or an HTML page. From late 2025 through early 2026 the actor placed such webhook URLs in phishing emails, so the visible link carries a domain with good reputation and the malicious content sits one hop behind it, out of reach of scanners that judge only the first-hop domain. Email volume containing n8n webhook URLs rose 686% between January 2025 and March 2026. The indicators below show the pattern: tenant subdomains (monicasue, pagepoinnc, tti) with paths such as /webhook/download-file-<uuid>, alongside OneDrive-themed lure pages on other hosted services. Victims land on CAPTCHA-protected pages, which also hinder automated URL detonation by security sandboxes, and are served remote access tools, specifically modified Datto RMM and ITarian Endpoint Management agents, so the post-compromise channel is a commercial RMM agent rather than custom malware. A second abuse pattern embeds n8n webhook URLs as tracking pixels, so merely opening the email calls the actor's workflow and records details of the recipient's device and mail client. Because the infrastructure is a legitimate SaaS platform, detection has to rest on behavior (who sends webhook links to whom, and what the webhook ultimately serves) rather than on domain or URL reputation alone.
Potential Impact
Successful delivery ends with a remote access tool on the endpoint, which gives the actor interactive control that blends in with routine IT administration and, because RMM agents typically install as a service, survives reboots. Because the first-hop URL is on a legitimate n8n domain, link reputation checks are less effective, and where CAPTCHA gating is used, sandbox detonation is too, so the landing chain is more likely to reach users and less likely to be stopped at the mail gateway. Webhook-backed tracking pixels tell the actor which addresses are live and what mail client and platform they use, which supports targeting of follow-up attacks. The 686% growth in webhook-bearing mail indicates a technique that is scaling, and any organization whose users receive external mail is exposed, including those that legitimately use n8n and therefore cannot simply block it.
Mitigation Recommendations
There is no patch for this threat: the campaign uses n8n webhooks as designed, not a software vulnerability, so mitigation is a matter of detection and policy.
- Treat inbound external mail containing links under *.app.n8n.cloud/webhook/ (and, more broadly, a /webhook/ path on any host, which also covers self-hosted n8n) as suspicious and route it to quarantine or click-time analysis. Blocking the whole app.n8n.cloud domain is a blunt instrument: it breaks legitimate n8n users, and the actor can move to another tenant or a self-hosted instance, so key the rule on the webhook-link-in-email behavior rather than on the domain.
- Block the hosts and file hashes listed under Indicators of Compromise, and alert on the tenant subdomains named there.
- Expect CAPTCHA-gated landing pages to defeat automated URL sandboxing; compensate on the endpoint with application control that blocks or alerts on installation of RMM agents (Datto RMM, ITarian Endpoint Management) that IT has not approved, and with EDR rules for RMM installers launched from a browser download.
- Disable automatic loading of remote images in mail clients, or proxy them, so webhook-backed tracking pixels do not fire when a message is opened.
- Train users on the lure itself: an unexpected shared folder or OneDrive download that leads to a CAPTCHA and then to an installer.
- If the organization runs its own n8n, inventory Webhook nodes, require authentication on them and review who can create workflows. This limits abuse of your own tenant; it does not stop an actor who operates their own.
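The behavioral check the recommendations call for, as an added example (not code from Talos, n8n or AlienVault): a Python scanner that pulls URLs out of a message body, classifies n8n Cloud webhook links by tenant and path, detects webhook-backed tracking pixels, and returns a per-message verdict. It assumes n8n Cloud's <tenant>.app.n8n.cloud hostnames and the /webhook/ and /webhook-test/ path prefixes; the sample messages and the acme-docs tenant are constructed, and the denylist is seeded from the indicators listed on this page.

```python
"""Detect n8n webhook links and webhook-backed tracking pixels in e-mail.

Added example, not code from Talos, n8n or AlienVault. Assumes n8n Cloud
tenants live at <tenant>.app.n8n.cloud and webhooks sit under /webhook/ or
/webhook-test/. The sample bodies and the 'acme-docs' tenant are constructed.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Denylist seeded from the Indicators of Compromise on this page.
KNOWN_BAD_HOSTS = {
    "majormetalcsorp.com",
    "monicasue.app.n8n.cloud",
    "onedrivedownload.zoholandingpage.com",
    "pagepoinnc.app.n8n.cloud",
    "tti.app.n8n.cloud",
}

N8N_CLOUD_HOST = re.compile(r"^(?P<tenant>[a-z0-9-]+)\.app\.n8n\.cloud$", re.I)
WEBHOOK_PATH = re.compile(r"^/webhook(?:-test)?/", re.I)
URL_PATTERN = re.compile(r"https?://[^\s\"'<>)]+", re.I)
VERDICTS = {0: "allow", 1: "flag", 2: "quarantine", 3: "block"}


def classify_url(url):
    """Tag one URL; return None when it carries no n8n or IoC signal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if host in KNOWN_BAD_HOSTS:
        tags.append("known_ioc")
    m = N8N_CLOUD_HOST.match(host)
    if m:
        tags.append("n8n_cloud")
    if WEBHOOK_PATH.match(parts.path):
        tags.append("webhook_path")  # path-only match also covers self-hosted n8n
    if not tags:
        return None
    return {"url": url, "host": host, "tenant": m.group("tenant") if m else None,
            "tags": tags}


class _PixelFinder(HTMLParser):
    """Collect src of <img> tags that look like tracking pixels (1x1 or hidden)."""

    def __init__(self):
        super().__init__()
        self.pixel_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        if tiny or hidden:
            self.pixel_srcs.append(src)


def _severity(tags):
    """Map a finding's tags to 0-3; the message verdict is the maximum."""
    if "known_ioc" in tags:
        return 3
    if "n8n_cloud" in tags and "webhook_path" in tags:
        return 2  # webhook on an n8n Cloud tenant: the campaign's signature
    return 1      # webhook path elsewhere, bare n8n host, or a tracking pixel


def analyze_message(body):
    """Scan an HTML or plain-text body; return findings and an overall verdict."""
    finder = _PixelFinder()
    finder.feed(body)
    pixel_srcs = set(finder.pixel_srcs)
    findings = []
    for url in sorted(set(URL_PATTERN.findall(body))):
        finding = classify_url(url)
        if finding is None:
            continue
        if url in pixel_srcs:
            finding["tags"].append("tracking_pixel")
        findings.append(finding)
    worst = max((_severity(f["tags"]) for f in findings), default=0)
    return {"verdict": VERDICTS[worst], "findings": findings}


# Constructed sample: OneDrive-themed lure with an n8n webhook link and pixel.
SAMPLE_LURE = """<html><body>
<p>A shared OneDrive folder is waiting for you.</p>
<a href="https://acme-docs.app.n8n.cloud/webhook/download-file-0000">Open folder</a>
<img src="https://acme-docs.app.n8n.cloud/webhook/px?id=42" width="1" height="1">
</body></html>"""
# Constructed sample reusing a webhook URL from this page's indicator list.
SAMPLE_IOC = ('<a href="http://monicasue.app.n8n.cloud/webhook/'
              'download-file-92684bb4-ee1d-4806-a264-50bfeb750dab">Download</a>')
# Constructed benign sample: an n8n documentation link is not a webhook.
SAMPLE_BENIGN = "<p>Docs: https://docs.n8n.io/ and https://example.com/report.pdf</p>"

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("ioc", SAMPLE_IOC), ("benign", SAMPLE_BENIGN)):
        print(name, json.dumps(analyze_message(body), indent=2))
```

The verdict deliberately distinguishes a known indicator (block) from the generic signature of the campaign, a webhook path on an n8n Cloud tenant in inbound mail (quarantine), from weaker signals such as a bare tenant link or a /webhook/ path on some other host (flag). Run it inside the mail pipeline against external senders only; internal automation mail that legitimately carries webhook URLs should be allowlisted by sender rather than by domain.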
Indicators of Compromise
- hash (MD5): 1a37b674ed29c877890834e9aba616d9
- hash (MD5): 629ce6eb0387a8f72d72d43fa6d74521
- hash (SHA-1): 4fc85d62d4ecbb29de2dd2a0547bd0f0e38696df
- hash (SHA-1): ea5d2096a2ef3dfe4fb870bd1f0270efaea993a6
- hash (SHA-256): 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0
- hash (SHA-256): 93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a
- url: http://majormetalcsorp.com/Openfolder
- url: http://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab
- url: http://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive
- url: http://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496
- domain: majormetalcsorp.com
- domain: monicasue.app.n8n.cloud
- domain: onedrivedownload.zoholandingpage.com
- domain: pagepoinnc.app.n8n.cloud
- domain: tti.app.n8n.cloud
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/the-n8n-n8mare/
- Adversary: UAT-10362
- Pulse ID: 69dfa9e58a74337f7fb97333
- Threat Score: not assigned
Threat ID: 69dfcba782d89c981f8345f2
Added to database: 4/15/2026, 5:32:23 PM
Last enriched: 4/15/2026, 5:47:05 PM
Last updated: 5/31/2026, 11:01:25 AM