Overview
- Cisco Talos detailed how threat actors use n8n’s cloud webhooks to run phishing pages, deliver downloads, and collect data through links that look legitimate.
- Because the links sit on *.app.n8n.cloud domains, a victim’s browser treats the response as a normal web page from a trusted service, which helps emails and downloads slip past security checks.
- Recent campaigns posed as shared OneDrive folders that opened a CAPTCHA page and then used JavaScript to start a file download from an external server that appeared to come from n8n.
- The payloads included EXE or MSI installers that set up modified Datto and ITarian remote management tools, creating a backdoor that persists and connects to attacker-controlled servers.
- Talos also saw invisible tracking images hosted on n8n webhook URLs used for device fingerprinting, and it measured a surge in such emails, with March 2026 volumes about 686% higher than January 2025.
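The abuse pattern above (links and invisible images pointing at a trusted `*.app.n8n.cloud` host) is one a mail gateway or SOC can enrich on. The following Python is an added example written for this summary, not code from Talos or the n8n project; it assumes that n8n cloud webhook URLs carry a path beginning with `/webhook` (an assumption, not stated on the page), and the sample email HTML, tenant name and IDs are constructed. It walks an HTML body, keeps only references whose hostname ends in `.app.n8n.cloud` (so lookalike hosts such as `app.n8n.cloud.example.test` do not match), and classifies each as a link, a remote image, or a 1x1 tracking pixel.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffix from the report. The path prefix is an assumption about
# how n8n cloud exposes webhooks; adjust if your own tenant shows otherwise.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH_PREFIX = "/webhook"


class _RefCollector(HTMLParser):
    """Collect <a href> and <img src> references with their attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.refs.append(("a", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.refs.append(("img", a["src"], a))


def is_n8n_cloud_webhook(url):
    """True only for hosts under .app.n8n.cloud with a webhook-style path."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX) and p.path.startswith(WEBHOOK_PATH_PREFIX)


def _at_most_one_px(value):
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def is_tracking_pixel(attrs):
    """A 1x1 (or smaller) image is the classic invisible tracking beacon."""
    return _at_most_one_px(attrs.get("width")) and _at_most_one_px(attrs.get("height"))


def scan_email_html(html):
    """Return findings for every n8n cloud webhook reference in an email body."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.refs:
        if not is_n8n_cloud_webhook(url):
            continue
        if tag == "img":
            kind = "tracking_pixel" if is_tracking_pixel(attrs) else "remote_image"
        else:
            kind = "link"
        findings.append({"kind": kind, "url": url, "host": urlparse(url).hostname})
    return findings


# Constructed sample: a OneDrive-style lure with a webhook link, a 1x1 beacon,
# a legitimate external link and a lookalike host that must NOT match.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>A file has been shared with you on OneDrive.</p>
<a href="https://tenant-1234.app.n8n.cloud/webhook/9f3c-share">Open shared folder</a>
<a href="https://www.example.com/help">Help</a>
<img src="https://tenant-1234.app.n8n.cloud/webhook/px?m=42" width="1" height="1">
<a href="https://app.n8n.cloud.lookalike.example/webhook/x">Decoy</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f"{f['kind']:15} {f['host']:30} {f['url']}")
```

Treat a hit as an enrichment signal rather than an automatic block: legitimate n8n customers send webhook links too, so the useful triage combination is a `tracking_pixel` or `link` finding together with a sender domain that has no business relationship with n8n, or with a file-sharing lure in the body text.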