n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

SITREP: Threat actors have been exploiting the n8n workflow automation platform since October 2025 to conduct phishing campaigns and distribute malware through automated emails. This method allows them to circumvent conventional security measures by utilizing trusted infrastructure. TACTICAL ASSESSMENT: The use of legitimate platforms for malicious purposes indicates a significant shift in tactics among cybercriminals, posing a heightened risk to organizations relying on such tools. This development underscores the need for enhanced security protocols and awareness training to mitigate the threat of phishing attacks. PROJECTED VECTORS: Future attacks may increasingly target other widely used automation tools, expanding the scope of phishing campaigns.