Attackers Weaponize AI Workflow Platforms for Enterprise Phishing

Cisco Talos documents a 686% surge in n8n-weaponized phishing emails as attackers exploit AI workflow platforms to bypass enterprise security filters.

Threat actors are systematically abusing AI-enabled workflow automation platforms to conduct scalable phishing campaigns against enterprise targets. Cisco Talos researchers have documented a sustained wave of attacks exploiting n8n, a legitimate agentic automation tool, to bypass conventional email security defenses.

Background

n8n is a workflow automation platform that allows users to connect web applications, APIs, and AI model services to sync data, build agentic systems, and run repetitive rule-based tasks. Its broad enterprise adoption, together with its free developer tier, makes it a convenient vehicle for abuse. Users can register for a developer account at no cost, gaining access to a managed cloud-hosted service that runs automation workflows without self-hosted infrastructure. Each account creates a unique custom domain in the format <account name>.app.n8n.cloud.

Phishing returned as the leading initial-access method in the first quarter of 2026, accounting for over a third of engagements where the entry point could be determined, according to Cisco Talos. The broader threat context is significant: the 2025 Phishing Threat Trends Report by KnowBe4 found that 82.6% of phishing emails analyzed between September 2024 and February 2025 showed some use of AI.

Details

Cisco Talos identified sustained abuse of the n8n AI workflow automation platform, with threat actors using tti.app.n8n.cloud subdomains to send automated phishing emails and deliver malicious payloads. The activity spans October 2025 through March 2026 and includes campaigns that distribute malware and fingerprint targeted devices.

The scale is notable. According to Cisco Talos researchers Sean Gallagher and Omid Mirzaei, the volume of emails containing n8n webhook URLs in March 2026 was approximately 686% higher than in January 2025. The researchers stated that "by leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery vehicles for persistent remote access."

Talos found that a primary abuse vector is n8n's URL-exposed webhooks. Because webhooks mask the source of the data they deliver, they can serve payloads from untrusted sources while appearing to originate from a trusted domain. Since webhooks can dynamically serve different data streams based on triggering events, such as request header information, a phishing operator can tailor payloads based on the user-agent header.

Talos observed a phishing campaign using an n8n-hosted webhook link in emails purporting to share a Microsoft OneDrive folder. When clicked, the link opened a webpage containing a CAPTCHA. The attack's end goal was to deliver an executable or MSI installer serving as a conduit for modified versions of legitimate Remote Monitoring and Management (RMM) tools like Datto and ITarian Endpoint Management, then establish persistence by connecting to a command-and-control (C2) server.

A second attack vector involves covert device reconnaissance. Talos observed device fingerprinting achieved by embedding an invisible tracking pixel within an email. The pixel's URL includes tracking parameters such as the victim's email address, allowing the server to identify exactly which user opened the message.

The campaigns are not sector-agnostic. Public administration and healthcare each accounted for 24% of all engagements, tying as the most targeted sectors. Public administration has held the top position since Q3 2025. Government agencies, often underfunded and reliant on outdated equipment, "may have access to sensitive data as well as a low downtime tolerance," making them attractive to financially motivated and espionage-focused threat groups, according to Cisco. Professional, scientific, and technical-services firms ranked as the next most frequently targeted segment.

Cisco also documented AI being deployed directly in credential-harvesting infrastructure. Attackers used the Softr AI platform to build a website mimicking the Outlook Web Access login page, the first time Cisco documented "the use of a specific AI tool by an adversary in a phishing campaign." This incident demonstrates how AI tools can lower the barrier to entry for less sophisticated actors and accelerate campaign development, as a phishing page like the one observed could be created quickly with a few AI prompts and no code.

Authentication weaknesses remain a critical enabler. Deficient multifactor authentication was the most common security weakness leading to intrusions in Q1 2026, appearing in 35% of engagements. In some cases MFA was not enabled; in others, it was active but misconfigured.

Outlook

Organizations should treat third-party workflow automation endpoints as high-risk, review allowlists, tighten account registration controls, and add webhook monitoring to email security and threat-hunting processes. Practical mitigations include enforcing multi-factor authentication and billing validation, blocking or scrutinizing third-party subdomains in high-risk contexts, and integrating webhook behavior into data loss prevention (DLP) and email-gateway policies. Vendors and enterprises should anticipate additional disclosures and possible mitigations from n8n. Defenders should update detection rules and threat-hunting playbooks to include workflow automation telemetry.
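As an added illustration of the webhook monitoring recommended above, and of the two abuse patterns described earlier (webhook links on `<account name>.app.n8n.cloud` and tracking pixels that carry the recipient's address in the query string), the following Python scanner flags such URLs in message bodies. It is example code written for this article, not Cisco Talos or n8n code; the sample messages are constructed, and the `/webhook` path prefix is assumed to be n8n's default webhook route.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample message bodies (not taken from the Talos report).
SAMPLE_EMAILS = {
    "msg-001": 'Shared folder: <a href="https://acme-files.app.n8n.cloud/webhook/onedrive-share">Open</a>',
    "msg-002": '<img src="https://notify.app.n8n.cloud/webhook/px.gif?u=alice@example.com&c=q1" width="1" height="1">',
    "msg-003": "Quarterly report: https://intranet.example.com/reports/q1.pdf",
}

# Host suffix from the article; any tenant subdomain under it is third-party infrastructure.
N8N_CLOUD_HOST = re.compile(r"(^|\.)app\.n8n\.cloud$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def analyze_url(url):
    """Return the list of indicators found in one URL (empty if clean)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if N8N_CLOUD_HOST.search(host):
        findings.append("n8n-cloud-host")
        # Assumption: n8n exposes production webhooks under /webhook/.
        if parsed.path.startswith("/webhook"):
            findings.append("n8n-webhook-path")
    # A recipient address in the query string is the tracking-pixel pattern
    # described above: the server learns exactly who opened the message.
    for values in parse_qs(parsed.query).values():
        if any(EMAIL_RE.match(v) for v in values):
            findings.append("email-in-query")
            break
    return findings


def scan_body(body):
    """Map each flagged URL in a message body to its indicators."""
    return {u: f for u in URL_RE.findall(body) if (f := analyze_url(u))}


def scan_mailbox(emails):
    """Return {message_id: {url: indicators}} for messages with findings."""
    return {mid: hits for mid, body in emails.items() if (hits := scan_body(body))}


if __name__ == "__main__":
    for mid, hits in scan_mailbox(SAMPLE_EMAILS).items():
        for url, tags in hits.items():
            print(f"{mid}: {url} -> {', '.join(tags)}")
```

In a gateway or hunting pipeline, "n8n-webhook-path" alone warrants quarantine-and-review for external senders, while "email-in-query" on a 1x1 image is the fingerprinting signal worth alerting on even when no link is clicked.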