Abuse of AI Workflow Automation Platforms in Phishing Campaigns
Threat intelligence from Cisco Talos indicates a marked increase in the exploitation of AI workflow automation platforms, particularly n8n, for phishing attacks and malware delivery. The abuse was noted between October 2025 and March 2026, underscoring a growing trend in which legitimate tools are co-opted for malicious activities.
The research highlights that platforms such as n8n facilitate connections among various applications and automate workflows. However, these features have been repurposed by threat actors to weaponize the platforms, effectively circumventing traditional security measures. For instance, the infrastructure allows attackers to send automated emails containing n8n webhook links, which, when clicked, can trigger malicious file downloads or device fingerprinting. Over recent months, the volume of such emails surged by approximately 686%.
Attackers exploit n8n’s webhook functionality, which enables real-time data transfer through exposed URLs. These malicious links can be crafted to resemble trustworthy sources, misleading users into clicking them. Talos provides a specific example where a phishing campaign disguised itself as a Microsoft OneDrive share, using a webhook to serve a malicious executable file after users interacted with a CAPTCHA interface. This particular executable installs the Datto Remote Monitoring and Management tool as a backdoor for remote access. Another notable case involved a modified Windows Installer file that similarly deployed different backdoor capabilities.
Defensive Context
Organizations utilizing AI workflow automation platforms must be vigilant due to the potential for abuse. Security teams should prioritize monitoring the use of these platforms within their environments, particularly around email traffic that may contain webhook links. Companies primarily reliant on cloud-based services or those with remote collaboration tools are at higher risk, while organizations with minimal email communication or limited exposure to such automation tools are less likely to be affected.
Why This Matters
The rise in exploitation of workflow automation tools signifies an evolving threat landscape, where attackers increasingly leverage legitimate software functionalities for nefarious purposes. Companies that heavily use n8n or similar platforms need to stay informed about the tactics employed by adversaries to remain secure.
Indicators of Compromise (IOCs)
Specific indicators associated with this threat include:
– Webhook URLs:
– hxxps://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive
– hxxps://majormetalcsorp.com/Openfolder
– hxxps://pagepoinnc.app.n8n.cloud/webhook/downloading-1a92cb4f-cff3-449d-8bdd-ec439b4b3496
– hxxps://monicasue.app.n8n.cloud/webhook/download-file-92684bb4-ee1d-4806-a264-50bfeb750dab
– File hashes:
– 93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a
– 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0
These details underscore the pressing need for enhanced monitoring and behavioral detection strategies surrounding automation tools integrated into organizational workflows.
