216.73.217.64

The n8n n8mare: How threat actors are misusing AI workflow automation

· Published 15/04/2026 17:08 · Modified 15/04/2026 17:28

Export JSON

Essential information

Published
15/04/2026 17:08
Modified
15/04/2026 17:28
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
datto rmm lucidrook n8n phishing campaign webhook abuse
Tags
2026-04-15 datto rmm lucidrook n8n phishing campaign webhook abuse
Related entities
11 indicators, 11 observables, 1 intrusion sets (apt), 17 techniques (mitre), 3 malware, 8 others

Description

Investigation reveals widespread abuse of , an AI workflow automation platform, in sophisticated phishing campaigns from October 2025 through March 2026. Attackers exploit the platform's webhook functionality to deliver malware and fingerprint devices while bypassing security filters through trusted infrastructure. Email volume containing webhook URLs increased by 686% between January 2025 and March 2026. Observed campaigns utilize CAPTCHA-protected pages to deliver remote access tools including modified and ITarian Endpoint Management software. The webhooks mask malicious payload sources behind legitimate domains. Additional abuse cases involve tracking pixels embedded in emails for device fingerprinting. These attacks demonstrate how legitimate productivity and automation platforms can be weaponized, requiring behavioral detection approaches rather than simple domain blocking to protect organizational workflows.

External references