Since October 2025, security researchers have observed a significant shift in adversarial tactics involving workflow automation tools. Specifically, threat actors are actively weaponizing n8n, a popular open-source workflow automation platform, to facilitate sophisticated social engineering campaigns. By compromising or abusing exposed n8n webhooks, attackers are triggering automated workflows that send malicious emails, deliver malware, or fingerprint victim devices.
The primary danger lies in the abuse of "trusted" infrastructure. Emails originating from a legitimate n8n instance often possess valid SPF/DKIM signatures and reputable IP reputations, allowing them to bypass traditional Secure Email Gateways (SEGs). Defenders must treat automation platforms as critical attack surfaces and implement stringent controls to prevent them from becoming command-and-control (C2) proxies.
Technical Analysis
Affected Platform: n8n (fair-code licensed workflow automation tool)
Attack Vector: Weaponized Webhook URLs & Misconfigured Workflows
How the Attack Works: The attack chain leverages the functionality of n8n workflows rather than a specific software vulnerability (CVE).
- Initial Access/Abuse: Attackers identify publicly accessible n8n webhook endpoints (often unauthenticated or using predictable IDs) or compromise an n8n instance with weak credentials.
- Trigger: The threat actor sends an HTTP POST request to the webhook URL.
- Execution: This trigger activates a pre-built or modified n8n workflow.
- Payload Delivery: The workflow utilizes the "Send Email" node or "HTTP Request" node to dispatch phishing emails or malicious links to targets. Because the email originates from the victim's n8n server (or a cloud instance trusted by the target), it bypasses standard reputation-based filtering.
- Objective: The emails aim to deliver malicious software (e.g., Remote Access Trojans) or execute device fingerprinting scripts via tracking pixels embedded in the HTML content.
Exploitation Status: Confirmed active exploitation in the wild (ITW) since October 2025. This is a living-off-the-land (LOTL) abuse of platform features.
Detection & Response
Detecting this abuse requires monitoring the n8n application layer for anomalous behavior. Defenders should focus on the n8n process spawning unexpected utilities (common in malicious workflows) and network traffic indicating unauthorized mass mailing.
Sigma Rules
---
title: n8n Process Spawning Shell or Network Utilities
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects n8n workflow automation spawning suspicious shells or network tools, indicating potential abuse for command execution or payload delivery.
references:
- https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/n8n'
or
Image|endswith: '/n8n'
selection_tools:
Image|endswith:
- '/sh'
- '/bash'
- '/curl'
- '/wget'
- '/python'
- '/perl'
condition: selection and selection_tools
falsepositives:
- Legitimate administrative automation scripts
level: high
---
title: n8n Outbound SMTP Traffic to Non-Corporate Mail Servers
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the n8n process establishing outbound connections to common SMTP ports (25, 587, 465) on external IPs, which may indicate abuse for phishing campaigns.
references:
- https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.exfiltration
- attack.t1114
logsource:
category: network_connection
product: linux
detection:
selection:\ Image|endswith: '/node'
or
Image|endswith: '/n8n'
selection_port:\ DestinationPort:
- 25
- 587
- 465
selection_scope:\ DestinationIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and selection_port and not selection_scope
falsepositives:
- Legitimate use of n8n for sending notifications to external SaaS providers (e.g., Gmail, SendGrid) if whitelisted.
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for n8n process spawning suspicious child processes
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName has "n8n" or InitiatingProcessFolderPath endswith "n8n"
| where FileName in~ ("sh", "bash", "curl", "wget", "python", "perl", "nc")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine
| order by Timestamp desc
// Network connections from n8n hosts to external SMTP ports
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has "n8n" or InitiatingProcessFileName has "node"
| where RemotePort in (25, 587, 465)
| where not(IPv4IsInScope(RemoteIP, "10.0.0.0/8") or IPv4IsInScope(RemoteIP, "192.168.0.0/16") or IPv4IsInScope(RemoteIP, "172.16.0.0/12"))
| summarize count() by DeviceName, RemoteIP, RemotePort
| order by count_ desc
Velociraptor VQL
-- Hunt for n8n processes and their open network sockets
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ 'n8n'
OR CommandLine =~ 'n8n'
-- Cross-reference with established connections
SELECT Pid, Family, RemoteAddress, RemotePort, State
FROM netstat()
WHERE Pid IN (SELECT Pid FROM pslist() WHERE Name =~ 'n8n')
AND RemotePort IN (25, 587, 465, 80, 443)
Remediation Script (Bash)
This script checks for running n8n processes, listens on ports, and suggests hardening steps.
#!/bin/bash
# Security Arsenal - n8n Hardening Check
# Checks for running n8n instances and listens on the webhook port (default 5678)
echo "[*] Checking for running n8n processes..."
N8N_PID=$(pgrep -f "n8n")
if [ -z "$N8N_PID" ]; then
echo "[+] No n8n process detected."
else
echo "[!] n8n is running (PID: $N8N_PID)."
echo "[*] Active network listeners for n8n:"
netstat -tulpn 2>/dev/null | grep "$N8N_PID"
fi
echo ""
echo "[*] Checking firewall status (UFW/IPTables)..."
if command -v ufw &> /dev/null; then
ufw status numbered
elif command -v iptables &> /dev/null; then
iptables -L -n -v | head -20
else
echo "[!] No standard firewall tool found."
fi
echo ""
echo "[*] Remediation Advice:"
echo "1. Restrict Webhook Access: Ensure N8N_WEBHOOK_URL or N8N_HOST is not set to 0.0.0.0 unless behind a reverse proxy."
echo "2. Enable Basic Auth: Set WEBHOOK_TUNNEL_URL or use authentication headers on webhook nodes."
echo "3. Review Workflows: Audit n8n UI for workflows containing 'Send Email' nodes triggered by 'Webhook' nodes."
Remediation
Immediate actions are required to secure n8n instances and prevent them from being used as spam relays or malware delivery mechanisms.
-
Restrict Webhook Exposure:
- Do not expose the n8n editor UI or webhook endpoints directly to the public internet. Place n8n behind a reverse proxy (e.g., Nginx, Traefik, Caddy).
- Implement IP whitelisting on the reverse proxy so that known trusted sources can only trigger webhooks.
-
Authentication & Authorization:
- Ensure
N8N_BASIC_AUTH_ACTIVEandN8N_BASIC_AUTH_USER/PASSare enabled for the editor. - For webhook security, use the "Authentication" feature within the n8n webhook node configuration (e.g., Header Auth) to verify incoming requests.
- Ensure
-
Network Segmentation:
- Block outbound SMTP traffic (ports 25, 587, 465) from the n8n application server at the firewall level, unless it is explicitly required to communicate with a specific internal relay or whitelisted SaaS provider.
-
Audit Workflows:
- Review all active workflows in the n8n instance. Look for workflows that begin with a "Webhook" trigger and follow with "Send Email" or "HTTP Request" nodes.
- Disable or delete any workflows that are not actively used or were created by unknown users.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.