Security researchers at **Cisco Talos** have identified sustained abuse of the **n8n** AI workflow automation platform, with threat actors using `tti.app.n8n.cloud` subdomains to send automated phishing emails and deliver malicious payloads. The activity spans **October 2025 through March 2026** and includes campaigns that both distribute malware and fingerprint targeted devices. Attackers exploit the legitimate platform to bypass email filters and reputation-based defenses by routing delivery through trusted infrastructure. Organizations should treat third-party workflow automation endpoints as risky, review allowlists, tighten account registration controls, and add webhook monitoring to email security and threat-hunting processes.
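One way to start the allowlist review and email-side hunting recommended above, as an added example that is not from Cisco Talos or n8n: it extracts links from message bodies, flags any `*.app.n8n.cloud` host that is not a tenant the organization actually uses, and ignores lookalike domains. The sanctioned tenant name, the message dictionary shape, and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Host suffix taken from the n8n cloud hostnames named in the summary above.
N8N_SUFFIX = ".app.n8n.cloud"
# Assumption: tenants your organization really uses (constructed placeholder).
SANCTIONED_TENANTS = {"acme-it.app.n8n.cloud"}

# Pull http(s) URLs out of plain text or HTML bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def n8n_hosts(text):
    """Return the set of *.app.n8n.cloud hostnames linked in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            # hostname is lowercased by urlsplit; drop a trailing root dot.
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed netloc, e.g. broken IPv6 brackets
            continue
        # Suffix match on the parsed host, so a lookalike such as
        # app.n8n.cloud.example.net is not counted.
        if host.endswith(N8N_SUFFIX):
            hosts.add(host)
    return hosts


def triage(messages):
    """Return (id, sender, unsanctioned hosts) for messages needing review."""
    findings = []
    for msg in messages:
        unsanctioned = n8n_hosts(msg["body"]) - SANCTIONED_TENANTS
        if unsanctioned:
            findings.append((msg["id"], msg["sender"], sorted(unsanctioned)))
    return findings


# Constructed sample messages, not taken from any real campaign.
SAMPLE = [
    {"id": "m1", "sender": "billing@example.org",
     "body": "Shared document: https://tenant-a.app.n8n.cloud/webhook/doc123"},
    {"id": "m2", "sender": "it@example.com",
     "body": "Ticket form: https://acme-it.app.n8n.cloud/form/helpdesk"},
    {"id": "m3", "sender": "news@example.net",
     "body": "See https://app.n8n.cloud.example.net/x and https://n8n.io/blog"},
    {"id": "m4", "sender": "hr@example.org",
     "body": '<a href="HTTPS://Tenant-B.APP.N8N.CLOUD./webhook/a">Open</a>'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A hit is a lead for review, not a verdict: the same suffix serves legitimate workflows, which is why the sanctioned-tenant set matters.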
