Security researchers have identified a campaign in which cybercriminals are abusing the legitimate n8n workflow automation platform to conduct phishing attacks and distribute malware. This activity has been tracked since October 2025. The abuse of a trusted productivity tool allows attackers to bypass conventional email security measures, posing a significant threat to organizations globally.
How the Attack Works
Threat actors configure n8n, an open-source automation tool, to send automated phishing emails. By using the platform’s built-in email capabilities, these malicious messages originate from n8n’s own infrastructure, which is often trusted by corporate email filters. This technique increases the likelihood of emails reaching a target’s inbox.
The emails are designed to appear legitimate and often contain links or attachments. When a recipient interacts with these elements, they can trigger the download of malicious software. In some observed instances, the campaign also aims to fingerprint the victim’s device, gathering system information for potential future attacks.
Exploitation of Trusted Services
The core of this threat lies in the misuse of a reputable service. n8n is widely used by developers and businesses to automate tasks between different applications and web services. Its legitimate purpose makes its communication channels less suspicious to security software.
Security analysts note that this is part of a broader trend where attackers increasingly leverage Software-as-a-Service (SaaS) and cloud platforms for malicious purposes. These platforms provide reliable, scalable infrastructure that can evade detection based on IP reputation alone.
Security Implications and Recommendations
This campaign demonstrates a sophisticated evasion tactic. Organizations that rely solely on traditional blocklists or reputation-based filtering may be vulnerable. The incident highlights the need for defense-in-depth strategies that do not assume trust based on the source platform.
Security teams are advised to monitor for unusual email traffic originating from automation and integration services, including n8n. Additional layers of defense, such as content analysis, URL inspection, and user awareness training, are considered essential. Employees should be cautioned that an email from even a known SaaS tool can be malicious if the underlying workflow has been compromised.
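The monitoring and content-analysis recommendation above, as an added example that is not part of the original report and not n8n's own tooling: it triages constructed mail-gateway records, applying link and attachment checks only to messages tagged as arriving via an automation platform, and flags a platform whose volume of suspicious mail crosses a threshold. The "platform" field, the trusted-domain list, and all sample records are assumptions.

```python
import re
from collections import Counter

# Constructed sample mail-gateway records (not real telemetry). "platform"
# stands in for whatever field your gateway uses to tag the sending service.
SAMPLE_MESSAGES = [
    {"id": 1, "platform": "workflow-saas", "rcpt": "alice@corp.example",
     "body": "Build finished: https://ci.corp.example/run/42", "attachments": []},
    {"id": 2, "platform": "workflow-saas", "rcpt": "bob@corp.example",
     "body": "Invoice overdue: https://cdn-invoice.test/doc.zip", "attachments": []},
    {"id": 3, "platform": "workflow-saas", "rcpt": "carol@corp.example",
     "body": "See attached statement", "attachments": ["statement.html"]},
    {"id": 4, "platform": "workflow-saas", "rcpt": "dave@corp.example",
     "body": "Reset your password: https://login-verify.test/x", "attachments": []},
    {"id": 5, "platform": "direct", "rcpt": "erin@corp.example",
     "body": "Lunch? https://cdn-invoice.test/menu", "attachments": []},
]

AUTOMATION_PLATFORMS = {"workflow-saas"}   # assumed gateway tag for automation services
TRUSTED_LINK_DOMAINS = {"corp.example", "ci.corp.example"}  # assumed org allowlist
RISKY_EXTENSIONS = (".zip", ".iso", ".js", ".html", ".exe", ".lnk")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

def untrusted_links(body):
    """Return link hosts in the body that are not on the trusted list."""
    return [h.lower() for h in URL_RE.findall(body) if h.lower() not in TRUSTED_LINK_DOMAINS]

def message_reasons(msg):
    """Content checks applied only to mail that arrived via an automation platform."""
    if msg["platform"] not in AUTOMATION_PLATFORMS:
        return []
    reasons = []
    if untrusted_links(msg["body"]):
        reasons.append("untrusted_link")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in msg["attachments"]):
        reasons.append("risky_attachment")
    return reasons

def triage(messages, burst_threshold=3):
    """Flag individual messages, then platforms sending an unusual volume of them."""
    flagged = {}
    for m in messages:
        reasons = message_reasons(m)
        if reasons:
            flagged[m["id"]] = reasons
    per_platform = Counter(m["platform"] for m in messages if m["id"] in flagged)
    bursts = {p for p, n in per_platform.items() if n >= burst_threshold}
    return {"flagged": flagged, "burst_platforms": bursts}
```

On the sample set, messages 2, 3 and 4 are flagged and the automation platform trips the burst threshold, while the same untrusted link in a directly sent message is left to the normal filtering path.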
Response and Next Steps
The operators of the n8n platform have been notified of the abuse. It is expected that they will investigate the misuse of their service and may implement additional safeguards or monitoring to prevent similar exploitation. Security firms continue to analyze the campaign to identify indicators of compromise.
In the coming weeks, further technical details about the malware payloads and command-and-control servers are likely to be published by cybersecurity vendors. Organizations worldwide are recommended to review their security posture regarding emails from automation platforms and update their detection rules accordingly.
Source: Adapted from security research reports