{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/workflow-automation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["n8n","phishing","malware","workflow-automation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in the abuse of agentic AI workflow automation platforms, specifically n8n, in phishing campaigns between October 2025 and March 2026. Attackers are leveraging the trusted infrastructure of n8n to bypass traditional security filters and deliver malware or fingerprint devices. This involves embedding n8n webhook URLs in phishing emails, which redirect victims to malicious content served through the n8n platform. This technique effectively turns a productivity tool into a delivery mechanism for persistent remote access, highlighting the evolving tactics of threat actors exploiting legitimate services. Talos observed a 686% increase in emails containing n8n webhook URLs between January 2025 and March 2026, indicating the growing prevalence of this attack vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link is an n8n webhook URL pointing to a workflow controlled by the attacker on a subdomain of \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and clicks the embedded n8n webhook URL, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the victim\u0026rsquo;s browser to the n8n platform, which triggers the pre-configured workflow.\u003c/li\u003e\n\u003cli\u003eThe n8n workflow serves an HTML page containing a CAPTCHA to the victim\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eAfter the victim completes the CAPTCHA, the webpage presents a download button, concealing the true source of the payload.\u003c/li\u003e\n\u003cli\u003eClicking the download button initiates the download of a malicious executable (e.g., \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo;) from an external host.\u003c/li\u003e\n\u003cli\u003eThe executable installs a modified version of Datto RMM, establishes a connection to a relay on \u003ccode\u003ecentrastage[.]net\u003c/code\u003e, granting the attacker remote access and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of n8n for malware delivery and device fingerprinting can lead to significant compromise of targeted systems. Successful exploitation allows attackers to gain remote access via tools like the modified Datto RMM, enabling them to steal sensitive data, deploy ransomware, or conduct further malicious activities within the compromised network. The rise in n8n webhook URL usage in phishing emails, with a 686% increase in volume from January 2025 to March 2026, indicates a potentially widespread impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor email traffic for URLs containing \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and flag them as suspicious (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify network connections to \u003ccode\u003ecentrastage[.]net\u003c/code\u003e initiated by unusual processes (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eInspect process creation events for the execution of \u0026ldquo;DownloadedOneDriveDocument.exe\u0026rdquo; or similar filenames downloaded from n8n domains (Sigma rule below).\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003etti.app.n8n[.]cloud\u003c/code\u003e and \u003ccode\u003ecentrastage[.]net\u003c/code\u003e at the DNS resolver (IOC table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T10:03:05Z","date_published":"2026-04-15T10:03:05Z","id":"/briefs/2026-04-n8n-abuse/","summary":"Threat actors are abusing the n8n AI workflow automation platform to deliver malware and fingerprint devices via phishing campaigns, bypassing traditional security filters by leveraging trusted infrastructure.","title":"n8n AI Workflow Automation Platform Abused for Malware Delivery and Device Fingerprinting","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Workflow-Automation","version":"https://jsonfeed.org/version/1.1"}