Link: IPv4-mapped IPv6 address obfuscation

Detects links containing IPv4-mapped IPv6 addresses in the format [::ffff:xxxx:xxxx], commonly used to obfuscate malicious URLs and evade detection systems.

Sublime rule (View on GitHub)

name: "Link: IPv4-mapped IPv6 address obfuscation"
description: "Detects links containing IPv4-mapped IPv6 addresses in the format [::ffff:xxxx:xxxx], commonly used to obfuscate malicious URLs and evade detection systems."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links, .href_url.ip.translation.v4_to_v6)
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "caacf30c-fd89-5869-a945-c660ff9bda40"
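As an added illustration of what the rule's `.href_url.ip.translation.v4_to_v6` check is looking for (this is example code, not the Sublime rule engine or its implementation), the Python below extracts the host from each link and flags it when the host is an IPv4-mapped IPv6 literal, in either the hex form `[::ffff:xxxx:xxxx]` or the dotted form `[::ffff:a.b.c.d]`. The sample links are constructed for this example.

```python
"""Flag href targets whose host is an IPv4-mapped IPv6 address.

A link such as http://[::ffff:c000:0201]/login points at 192.0.2.1 but
slips past naive IPv4 pattern matching. Sample links are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def mapped_ipv4(url: str):
    """Return the embedded IPv4 address (as a string) if the URL host is an
    IPv4-mapped IPv6 literal, otherwise None."""
    try:
        host = urlsplit(url).hostname  # strips brackets, port and userinfo
    except ValueError:
        return None  # malformed bracketed host; not an IP literal we can parse
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname, not an IP literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return None


def flag_links(links):
    """Return (link, ipv4) pairs for links using IPv4-mapped IPv6 hosts."""
    hits = []
    for link in links:
        v4 = mapped_ipv4(link)
        if v4 is not None:
            hits.append((link, v4))
    return hits


# Constructed sample of href targets pulled from an inbound message body.
SAMPLE_LINKS = [
    "https://example.com/reset",                 # normal hostname
    "http://[::ffff:c000:0201]/login",           # hex form   -> 192.0.2.1
    "http://[::ffff:198.51.100.7]:8080/verify",  # dotted form, with port
    "http://[2001:db8::1]/",                     # plain IPv6, not mapped
    "http://203.0.113.9/",                       # plain IPv4 literal
]

if __name__ == "__main__":
    for link, v4 in flag_links(SAMPLE_LINKS):
        print(f"FLAGGED {link} -> {v4}")
```

Only the two bracketed `::ffff:` links are flagged; a plain IPv6 or IPv4 literal is left to other rules.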
