TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

Cisco Talos Intelligence

The n8n n8mare: How threat actors are misusing AI workflow automation

Sean Gallagher · 2026-04-15 · Read original ↗

ATT&CK techniques detected

10 predictions
T1566.002Spearphishing Link
99%
“. if the url is accessed via email, the recipient ’ s browser acts as the receiving application, processing the output as a webpage. talos has observed a significant rise in emails containing n8n webhook urls over the past year. for example, the volume of these emails in march 20…”
T1055.001Dynamic-link Library Injection
83%
“##eting themselves and the rest of the payload. talos observed a similar campaign that also utilized an n8n webhook to deliver a different payload. like the previous instance, it featured a self - contained phishing page delivered as a data stream from the webhook, protected with…”
T1105Ingress Tool Transfer
83%
“##fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0 hxxps [ : / / ] onedrivedownload [. ] zoholandingpage [. ] com / my - workspace / downloadedonedrive hxxps [ : / / ] majormetalcsorp [. ] com / openfolder hxxps [ : / / …”
T1588.007Artificial Intelligence
64%
“the n8n n8mare : how threat actors are misusing ai workflow automation - cisco talos research has uncovered agentic ai workflow automation platform abuse in emails. recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early a…”
T1059.001PowerShell
63%
“link in emails that purported to be a shared microsoft onedrive folder. when clicked, the link opened a webpage in the targeted user ’ s browser containing a captcha. once the captcha is completed, a download button appears, triggering a progress bar as the payload is downloaded …”
T1204.002Malicious File
60%
“##eting themselves and the rest of the payload. talos observed a similar campaign that also utilized an n8n webhook to deliver a different payload. like the previous instance, it featured a self - contained phishing page delivered as a data stream from the webhook, protected with…”
T1566.002Spearphishing Link
53%
“link in emails that purported to be a shared microsoft onedrive folder. when clicked, the link opened a webpage in the targeted user ’ s browser containing a captcha. once the captcha is completed, a download button appears, triggering a progress bar as the payload is downloaded …”
T1566.002Spearphishing Link
49%
“##n [. ] cloud ” from which the user ’ s applications can be accessed. this is similar to many web - based ai - aided development tools, and one that malicious actors have harnessed elsewhere in the past ; earlier this year, talos observed another ai - oriented web application se…”
T1204.002Malicious File
43%
“link in emails that purported to be a shared microsoft onedrive folder. when clicked, the link opened a webpage in the targeted user ’ s browser containing a captcha. once the captcha is completed, a download button appears, triggering a progress bar as the payload is downloaded …”
T1204.004Malicious Copy and Paste
35%
“link in emails that purported to be a shared microsoft onedrive folder. when clicked, the link opened a webpage in the targeted user ’ s browser containing a captcha. once the captcha is completed, a download button appears, triggering a progress bar as the payload is downloaded …”

Summary

Cisco Talos research has uncovered agentic AI workflow automation platform abuse in emails. Recently, we identified an increase in the number of emails that abuse n8n, one of these platforms, from as early as October 2025 through March 2026.