Hackers using n8n AI automation webhooks to deliver malware and bypass email security systems

Cybercriminals are abusing the n8n AI workflow automation platform to deliver malware through trusted webhook infrastructure, bypassing traditional email security filters. By creating legitimate developer accounts, attackers generate subdomains under n8n’s official domain, allowing malicious emails and payloads to appear trustworthy and evade detection systems.


Researchers found that attackers exploit n8n’s webhook feature to send phishing emails, embed tracking pixels, and deliver malware disguised as legitimate files. Victims are often redirected through fake pages, including CAPTCHA verification screens, before unknowingly downloading malicious executables that install remote monitoring and management (RMM) tools for persistent remote access, system control, and data exfiltration.


This campaign highlights the growing risk of attackers weaponizing trusted platforms for large-scale cyberattacks. Security experts recommend adopting behavioral detection, monitoring unusual traffic to automation domains, and implementing advanced email security solutions to detect threats that bypass traditional reputation-based defenses.
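One way to act on the monitoring recommendation is to inspect the links and tracking pixels inside inbound mail rather than relying on domain reputation. The sketch below is an added example, not code from the researchers or from n8n; the `.app.n8n.cloud` tenant suffix, the `/webhook/` path prefixes, the allowlisted tenant and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed n8n Cloud tenant suffix and webhook path prefixes (not stated on the page).
AUTOMATION_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
ALLOWED_TENANTS = {"acme-corp.app.n8n.cloud"}  # hypothetical: tenants you operate

class UrlCollector(HTMLParser):
    """Collect ('link', href) from <a> tags and ('pixel', src) from <img> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.append(("link", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.urls.append(("pixel", attrs["src"]))

def flag_webhook_urls(raw_email):
    """Return webhook URLs on automation tenants that are not allowlisted."""
    findings = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = UrlCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for kind, url in collector.urls:
            try:
                parts = urlsplit(url.strip())
            except ValueError:  # malformed URL in the body
                continue
            host = (parts.hostname or "").lower().rstrip(".")
            if not host.endswith(AUTOMATION_SUFFIX) or host in ALLOWED_TENANTS:
                continue
            if parts.path.startswith(WEBHOOK_PREFIXES):
                findings.append({"kind": kind, "host": host, "path": parts.path})
    return findings

# Constructed sample message, not taken from any real campaign.
SAMPLE = """\
Content-Type: text/html; charset=utf-8

<a href="https://shared-docs-9f.app.n8n.cloud/webhook/invoice">View</a>
<img src="https://shared-docs-9f.app.n8n.cloud/webhook/open?id=1" width="1">
<a href="https://acme-corp.app.n8n.cloud/webhook/helpdesk">Helpdesk</a>"""
```

Findings are best treated as a signal to correlate with sender, attachment and click telemetry, since legitimate third parties also send mail that references their own automation tenants.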

 
