Overview
- Cisco Talos detailed active misuse of n8n webhooks, reporting a 686% jump in emails using these links since January 2025.
- When targets click a webhook URL, the browser loads HTML and JavaScript that make any download appear to come from the *.app.n8n.cloud domain, which helps it slip past filters.
- One campaign used a fake shared document link that showed a CAPTCHA, then triggered a payload download from an external host.
- Delivered files installed modified Datto or ITarian remote management tools to maintain persistent access, then connected to the attackers' command servers.
- Attackers also used webhook-hosted tracking pixels that call back with the recipient’s email and device details when a message is opened.
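As an added defender-side example (not code from the Talos report), the Python below scans an email's HTML for the two n8n-hosted indicators the bullets above describe: anchor links pointing at a *.app.n8n.cloud host and tiny or hidden images on the same domain that behave like tracking pixels. The tenant name, the /webhook path and the sample message are constructed placeholders, not values from a real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of the form <tenant>.app.n8n.cloud, the domain named in the report.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"


class _RefCollector(HTMLParser):
    """Collect <a href> targets and <img src> targets with their attributes."""

    def __init__(self):
        super().__init__()
        self.links = []    # href strings from <a>
        self.images = []   # (src, attrs) pairs from <img>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a))


def is_n8n_cloud_host(url):
    """True when the URL's host is a subdomain of app.n8n.cloud."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(N8N_CLOUD_SUFFIX)


def _looks_like_pixel(attrs):
    """Tracking pixels are typically 1x1 (or 0x0) or hidden via CSS."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    return (w in ("0", "1") and h in ("0", "1")) or "display:none" in style


def scan_email_html(html):
    """Return (finding_kind, url) tuples for n8n-hosted links and images."""
    p = _RefCollector()
    p.feed(html)
    findings = []
    for url in p.links:
        if is_n8n_cloud_host(url):
            findings.append(("n8n_webhook_link", url))
    for url, attrs in p.images:
        if is_n8n_cloud_host(url):
            kind = "n8n_tracking_pixel" if _looks_like_pixel(attrs) else "n8n_image"
            findings.append((kind, url))
    return findings


# Constructed sample message; tenant name and webhook path are placeholders.
SAMPLE = """<html><body>
<p>A document was shared with you.</p>
<a href="https://tenant-example.app.n8n.cloud/webhook/abc123">Open document</a>
<img src="https://tenant-example.app.n8n.cloud/webhook/px?e=user%40example.com" width="1" height="1">
<a href="https://intranet.example.com/docs">Intranet</a>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE):
        print(kind, url)
```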