A new cyberattack campaign is exploiting trusted automation platforms like n8n to deliver malware and track users in a much more subtle way. Instead of relying on traditional malicious infrastructure, attackers are hiding their activity inside legitimate services—making detection far more difficult.
Between October 2025 and March 2026, security analysts observed a significant spike in phishing campaigns that abuse webhook functionality. These attacks take advantage of how automation tools are designed to connect apps and process real-time data, effectively turning a business productivity feature into a delivery channel for cyber threats.
How the Attack Works
Platforms like n8n and Zapier use webhooks to trigger workflows when a user interacts with a specific URL. Attackers are now embedding these webhook URLs into phishing emails, often disguising them as trusted services like file-sharing links.
When a victim clicks the link, the webhook triggers a workflow that dynamically serves content based on the user’s system or browser data. This makes the attack highly adaptive and harder to detect.
In many observed cases, users are redirected to fake pages that mimic services such as cloud storage platforms. These pages may include CAPTCHA-style verification to appear legitimate. Once the user interacts, a malicious file is downloaded—often disguised as a document or installer.
- Attackers use trusted webhook URLs to bypass security filters
- Payloads are dynamically tailored based on victim device data
Advanced Techniques and Impact
Research from Cisco Talos shows that attackers are not just delivering malware—they are also using these workflows to collect valuable data about their targets.
Some campaigns install remote monitoring tools that give attackers persistent access to infected systems. Others use tracking techniques, such as invisible pixels in emails, to monitor when messages are opened and gather device-level information.
Because the traffic originates from legitimate platforms, it blends into normal network activity. This makes it much harder for traditional security tools to flag or block the attack.
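The two observable artefacts this article describes, webhook-style links from automation platforms in email bodies (the "How the Attack Works" section) and invisible tracking pixels (above), can be surfaced by a simple mail-scanning check. The following is an added example written for this article, not code from Cisco Talos or from any of the platforms named; the email body is constructed, and the URL shapes (an n8n `/webhook/` or `/webhook-test/` path, a `hooks.zapier.com/hooks/catch/` prefix) are assumptions based on the platforms' default webhook layouts.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML email in the style described above (not a real message).
SAMPLE_EMAIL = """
<html><body>
<p>Your shared document is ready.</p>
<a href="https://automation.example-corp.net/webhook/3f9c2a1b">Open file</a>
<a href="https://hooks.zapier.com/hooks/catch/123456/abcdef/">View invoice</a>
<a href="https://intranet.example-corp.net/docs/policy.pdf">Policy</a>
<img src="https://track.example.net/open?id=42" width="1" height="1" style="display:none">
<img src="https://cdn.example-corp.net/logo.png" width="120" height="40">
</body></html>
"""

# Assumed URL shapes for automation-platform webhooks (based on default layouts).
WEBHOOK_PATTERNS = [
    ("n8n", re.compile(r"/webhook(-test)?/[^\s\"'<>]+", re.I)),
    ("zapier", re.compile(r"hooks\.zapier\.com/hooks/catch/", re.I)),
]

class LinkCollector(HTMLParser):
    """Collects <a href> targets and <img> attributes from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)

def is_tracking_pixel(img):
    """1x1 (or 0x0) or display:none images are the classic open-tracking beacon."""
    tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
    hidden = "display:none" in (img.get("style") or "").replace(" ", "").lower()
    return tiny or hidden

def scan_email(html):
    """Return (finding_type, platform, url) tuples for links and images worth flagging."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for url in parser.links:
        for platform, pattern in WEBHOOK_PATTERNS:
            if pattern.search(url):
                findings.append(("webhook_link", platform, url))
                break
    for img in parser.images:
        if is_tracking_pixel(img):
            findings.append(("tracking_pixel", None, img["src"]))
    return findings
```

A hit on `webhook_link` is a triage signal, not proof of malice, since legitimate workflows use the same URL shapes; the value is in routing such messages to closer inspection rather than auto-blocking.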
This campaign highlights a major shift in cyber threats. Instead of breaking into systems directly, attackers are abusing trusted tools that organizations rely on every day. As automation and AI-driven workflows become more common, they also introduce new risks that defenders must account for.