Phishing Campaigns Abuse AI Workflow Automation Platforms

ID: 56d60bad-3797-5119-a6c0-7da62d954f69

STIX ID: report--56d60bad-3797-5119-a6c0-7da62d954f69

Feed Name: KnowBe4 Blog

Threat Score: 65/100

Date Published: 2026-04-22

Date Updated: 2026-04-28

Author: KnowBe4 Team


Researchers at Cisco Talos report that attackers are abusing URL-exposed webhooks on the n8n AI workflow automation platform to send phishing emails, deliver malware, and perform device fingerprinting. Webhooks can mask payload origins and dynamically tailor content (for example, by user-agent), making phishing links appear legitimate. Talos observed a substantial rise in emails containing n8n webhook URLs (an increase of approximately 686% from January 2025 to March 2026), indicating active and growing misuse of the platform for malicious campaigns.
