The activity matters because n8n is built for ordinary business automation. Its webhook feature is designed to let apps and services send data into a workflow when a trigger occurs, which can then return content to a browser or another application. That makes it useful for developers and operations teams, but it also gives attackers a way to wrap malicious delivery inside infrastructure that appears familiar and technically legitimate. n8n’s own documentation describes webhooks as trigger nodes that start workflows when data is received.
Researchers said one of the clearest patterns involved phishing emails masquerading as shared documents. In the examples documented by Talos, recipients were lured with messages resembling file-sharing notices. Clicking the embedded n8n webhook link opened a page in the victim’s browser that displayed a CAPTCHA. Once the CAPTCHA was completed, the page initiated the download of a malicious file from an external server, yet to the browser the process appeared to originate from the n8n domain: the lure page and the JavaScript that triggered the download were served in the webhook’s own HTTP response, and only the final file came from elsewhere.
That technique gives attackers several advantages. Trusted cloud domains can reduce suspicion among users and may also help messages evade some forms of filtering that are tuned to catch more obviously suspicious infrastructure. The webhook mechanism can also be tailored dynamically, allowing operators to vary the content delivered depending on the request or the environment. Talos said the abuse of such trusted infrastructure effectively turns productivity tools into delivery systems for persistent remote access.
The payloads seen in the campaign were not crude one-off files. In one case, the downloaded executable posed as a OneDrive-related document and installed a modified version of Datto remote monitoring and management software. Talos said the malicious chain used PowerShell commands to extract and configure the tool, register it as a scheduled task and connect out to infrastructure associated with Datto’s environment. In another case, the lure delivered a tampered Microsoft installer package that deployed a modified version of ITarian Endpoint Management while showing a fake installation progress window to make the process look benign or broken rather than malicious. ITarian markets its platform as a remote monitoring and management product for IT teams.
Security analysts have long warned that remote monitoring and management tools sit in a grey zone for defenders because they are legitimate administrative products that can be abused once modified or deployed without authorisation. The n8n cases show how delivery methods are evolving alongside that problem. Rather than rely only on compromised websites or freshly registered domains, attackers are increasingly leaning on commercial software ecosystems that businesses already trust. Talos drew a parallel with other cloud and software services being misused to host or distribute malicious content.
A second strand of the campaign focused on fingerprinting and surveillance rather than direct malware installation. Talos found emails containing invisible images or tracking pixels hosted through n8n webhook URLs. When an email client loaded the hidden image, it triggered an HTTP request back to the attacker-controlled workflow, sometimes carrying parameters that identified the recipient’s email address. That allowed operators to determine which targets opened a message and to gather information that could support later social-engineering or malware attempts. Some of the examples highlighted by researchers were written in Spanish, suggesting multilingual targeting rather than a narrowly confined English-language operation.
The campaign also underlines how enthusiasm around AI-enabled and agentic workflow platforms is opening a fresh attack surface. Tools such as n8n and Zapier are widely adopted because they connect services, move data and automate repetitive tasks with minimal coding. The same flexibility makes them attractive to threat actors seeking scale, speed and a veneer of legitimacy. Security teams face a difficult balance: blocking entire platform domains could disrupt genuine business processes, while allowing them unchecked creates room for abuse. Talos argued that defenders should move beyond static blocking and instead watch for unusual traffic patterns, unauthorised communication with automation platforms and behavioural signals tied to phishing or payload delivery.
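The detection approach Talos recommends, applied to the two abuse patterns described above (the webhook-hosted CAPTCHA page that hands off to an external download, and the webhook-hosted tracking pixel carrying the recipient's address), as an added example written for this page rather than code from Talos or the n8n project. The n8n cloud hostname suffix, the /webhook/ path prefix, the Zapier hooks host, the allowlist entries and the proxy log format are all assumptions; the email HTML and log lines are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Automation-platform hosts whose webhook endpoints this check inspects. The n8n
# cloud domain suffix, the /webhook/ path prefix and the Zapier hooks host are
# assumptions for this example; adjust them to what your proxy actually sees.
AUTOMATION_HOSTS = ("app.n8n.cloud", "hooks.zapier.com")
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/")
# Sanctioned webhooks the business really uses (hypothetical allowlist entries).
ALLOWED_WEBHOOKS = {("acme-ops.app.n8n.cloud", "/webhook/ticket-intake")}
PAYLOAD_EXTS = (".exe", ".msi", ".zip", ".iso", ".js", ".vbs")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def is_automation_webhook(url):
    """True when url points at a webhook path on a known automation platform."""
    p = urlparse(url)
    host = p.hostname or ""
    on_platform = any(host == h or host.endswith("." + h) for h in AUTOMATION_HOSTS)
    return on_platform and bool(WEBHOOK_PATH.match(p.path))

def recipient_identifiers(url):
    """Query-string values that look like e-mail addresses (the open-tracking tell)."""
    qs = parse_qs(urlparse(url).query)
    return sorted(v for vals in qs.values() for v in vals if EMAIL_RE.match(v))

def find_tracking_pixels(html):
    """Flag <img> tags whose src is an automation webhook, noting whether the image
    is hidden or 1x1 and which recipient identifiers the URL carries."""
    hits = []
    for tag in IMG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        if not is_automation_webhook(src):
            continue
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
        hits.append({"src": src, "hidden": tiny or hidden,
                     "identifiers": recipient_identifiers(src)})
    return hits

def _parse(line):
    # Constructed proxy log format: "<iso-ts> <client-ip> <method> <url> <status>"
    ts, client, _method, url, _status = line.split()[:5]
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url

def find_unsanctioned_webhook_traffic(log_lines):
    """Webhook requests to automation-platform hosts/paths not on the allowlist."""
    alerts = []
    for line in log_lines:
        _, client, url = _parse(line)
        p = urlparse(url)
        if is_automation_webhook(url) and (p.hostname, p.path) not in ALLOWED_WEBHOOKS:
            alerts.append({"client": client, "url": url,
                           "identifiers": recipient_identifiers(url)})
    return alerts

def find_webhook_then_download(log_lines, window_s=60):
    """A client fetching an installer/executable from a non-platform host within
    window_s seconds of hitting a webhook: the CAPTCHA-page-to-download chain.
    Lines must be in time order."""
    last_hook, chains = {}, []
    for line in log_lines:
        ts, client, url = _parse(line)
        if is_automation_webhook(url):
            last_hook[client] = (ts, url)
        elif client in last_hook and urlparse(url).path.lower().endswith(PAYLOAD_EXTS):
            hook_ts, hook_url = last_hook[client]
            if (ts - hook_ts).total_seconds() <= window_s:
                chains.append({"client": client, "webhook": hook_url, "download": url})
    return chains

# Constructed sample data, not taken from the Talos report.
SAMPLE_EMAIL_HTML = """<html><body>
<p>A document was shared with you.</p>
<img src="https://example-tenant.app.n8n.cloud/webhook/open?u=alice@example.com" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
<a href="https://example-tenant.app.n8n.cloud/webhook/doc-9f3">Open document</a>
</body></html>"""
SAMPLE_PROXY_LOG = [
    "2025-01-10T09:14:02Z 10.0.5.21 GET https://acme-ops.app.n8n.cloud/webhook/ticket-intake 200",
    "2025-01-10T09:15:30Z 10.0.5.44 GET https://example-tenant.app.n8n.cloud/webhook/open?u=alice@example.com 200",
    "2025-01-10T09:16:11Z 10.0.5.44 GET https://example-tenant.app.n8n.cloud/webhook/doc-9f3 200",
    "2025-01-10T09:16:12Z 10.0.5.44 GET https://files.example.net/dl/OneDrive_Document.msi 200",
]
```

Running find_tracking_pixels(SAMPLE_EMAIL_HTML), find_unsanctioned_webhook_traffic(SAMPLE_PROXY_LOG) and find_webhook_then_download(SAMPLE_PROXY_LOG) against the constructed data flags the 1x1 image carrying alice@example.com, the two webhook requests from 10.0.5.44 that are not on the allowlist, and the .msi fetched one second after the doc-9f3 webhook was hit, while the sanctioned ticket-intake webhook passes silently. The allowlist is what lets this run without blocking the platform domain outright, which is the balance the paragraph above describes.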