Attackers Turn n8n Webhooks Into Phishing Infrastructure Since October 2025
Original source: n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails (The Hacker News)

Threat actors have been weaponizing n8n, the popular low-code workflow automation platform, as a delivery layer for phishing campaigns since October 2025. By registering webhook endpoints on legitimate n8n instances, operators get a trusted-looking URL that routes victim traffic through attacker-controlled automation flows — fetching payloads, redirecting to credential harvesters, or brokering malware downloads without needing to stand up their own infrastructure.
The pattern fits a broader shift: abuse of legitimate SaaS and automation tools as living-off-the-cloud relays. Webhook URLs on a reputable domain bypass reputation-based email filters, blend into normal enterprise traffic, and give operators programmable logic for victim fingerprinting and payload rotation that static hosting can’t match. n8n’s self-hostable and cloud variants both expose the same webhook primitive, widening the attack surface.
Defenders should treat webhook domains — n8n.cloud and self-hosted n8n subdomains — as high-risk categories in mail and proxy policy, and instance operators should rate-limit public webhooks, require auth on triggers by default, and log outbound fetches from workflow nodes. The core issue isn’t a flaw in n8n; it’s that trusted automation endpoints are now part of the phishing toolkit.
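One way to act on the policy advice above is to flag n8n webhook URLs in mail-gateway or proxy logs so they can be reviewed or blocked. The script below is an added example, not code from the article or from the n8n project: it parses a few constructed proxy-style log lines, extracts the URL field, and classifies hosts under n8n.cloud, a hypothetical inventory of self-hosted n8n instances (`SELF_HOSTED_N8N_HOSTS`), and the `/webhook/` and `/webhook-test/` trigger paths that n8n uses for Webhook nodes (assumed conventions, as is the default listen port 5678). The sample hostnames and log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample records (not from the article): proxy-style lines with a url= field.
SAMPLE_LOG = """\
2025-10-14T09:12:03Z user=alice url=https://acme-it.app.n8n.cloud/webhook/3f2a-invoice action=GET
2025-10-14T09:12:41Z user=bob url=https://www.example.com/docs/index.html action=GET
2025-10-14T09:13:10Z user=carol url=https://automation.corp-partner.net/webhook-test/verify action=GET
2025-10-14T09:14:55Z user=dave url=https://n8n.corp-partner.net/rest/login action=POST
2025-10-14T09:15:20Z user=erin url=http://10.20.30.40:5678/webhook/onboard?ref=mail action=GET
"""

# ".n8n.cloud" is the managed service named in the article; the self-hosted set is an
# assumed, site-specific inventory that a defender would maintain from asset data.
N8N_HOST_SUFFIXES = (".n8n.cloud",)
SELF_HOSTED_N8N_HOSTS = {"n8n.corp-partner.net", "automation.corp-partner.net"}  # assumed

# Assumption: n8n serves Webhook-node triggers under /webhook/ (production) and
# /webhook-test/ (test) path prefixes, and listens on port 5678 by default.
WEBHOOK_PATH_RE = re.compile(r"^/webhook(-test)?/")
N8N_DEFAULT_PORT = 5678

URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")


def classify_url(url):
    """Return a short reason if the URL looks like n8n webhook traffic, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or ""
    on_n8n_cloud = host.endswith(N8N_HOST_SUFFIXES)
    known_self_hosted = host in SELF_HOSTED_N8N_HOSTS
    webhook_path = bool(WEBHOOK_PATH_RE.match(path))
    if on_n8n_cloud and webhook_path:
        return "n8n.cloud webhook"
    if known_self_hosted and webhook_path:
        return "self-hosted n8n webhook"
    if webhook_path and parsed.port == N8N_DEFAULT_PORT:
        return "webhook path on n8n default port"
    if on_n8n_cloud or known_self_hosted:
        # Non-webhook paths on an n8n host are lower priority but still worth a record.
        return "n8n host (non-webhook path)"
    return None


def scan_log(text):
    """Return (line_no, user, url, reason) tuples for lines whose URL matches an n8n pattern."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        url_match = URL_RE.search(line)
        if not url_match:
            continue
        reason = classify_url(url_match.group(1))
        if reason:
            user_match = USER_RE.search(line)
            user = user_match.group(1) if user_match else "?"
            hits.append((line_no, user, url_match.group(1), reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The hostname suffix and self-hosted inventory are the two knobs a defender tunes: the first catches the managed service, the second the organisation's own and partners' n8n deployments, and the port check catches bare-IP instances that never got a DNS name. A production version would feed the reason into a mail-gateway quarantine rule or proxy category rather than printing it.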
This is an AI-generated summary. Read the original for the full story.