Link: IPv4-mapped IPv6 address obfuscation
Detects links containing IPv4-mapped IPv6 addresses in the format [::ffff:xxxx:xxxx], commonly used to obfuscate malicious URLs and evade detection systems.
Sublime rule (View on GitHub)
name: "Link: IPv4-mapped IPv6 address obfuscation"
description: "Detects links containing IPv4-mapped IPv6 addresses in the format [::ffff:xxxx:xxxx], commonly used to obfuscate malicious URLs and evade detection systems."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(body.links,
          regex.icontains(.href_url.url, '\[::ffff:[0-9a-f]{4}:[0-9a-f]{4}\]')
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "caacf30c-fd89-5869-a945-c660ff9bda40"
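The following is an added Python example, not part of the Sublime rule or its repository. It runs the rule's regex (with the case-insensitivity implied by regex.icontains) over a handful of constructed sample links and, for each, decodes the bracketed host literal so an analyst can see which IPv4 address the obfuscated URL actually points at. The sample links are invented for the demonstration. It also shows two forms of the same mapped address that the rule's fixed four-hex-digit pattern does not match, the zero-compressed [::ffff:c0a8:1] and the dotted-quad [::ffff:192.168.0.1], which is worth knowing when tuning the regex or writing a companion rule.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The rule's pattern; IGNORECASE mirrors Sublime's regex.icontains().
MAPPED_V6_RE = re.compile(r'\[::ffff:[0-9a-f]{4}:[0-9a-f]{4}\]', re.IGNORECASE)

# Constructed sample links for the demo (not taken from a real message).
SAMPLE_LINKS = [
    "https://[::ffff:c0a8:0001]/login",    # 192.168.0.1 in hex form: rule matches
    "http://[::FFFF:0A00:0002]:8080/x",    # uppercase hex, with port: rule still matches
    "https://[::ffff:c0a8:1]/login",       # zero-compressed form: rule does NOT match
    "https://[::ffff:192.168.0.1]/login",  # dotted-quad form: rule does NOT match
    "https://example.com/path",            # ordinary hostname: no match
]


def rule_matches(url):
    """True when the link would trip the rule's regex."""
    return MAPPED_V6_RE.search(url) is not None


def mapped_ipv4(url):
    """Return the IPv4 address embedded in a bracketed IPv6 host literal, or None.

    Covers all three spellings of an IPv4-mapped address (full hex, zero-compressed,
    dotted-quad), i.e. more than the rule's regex, so it can be used to triage hits
    and to spot variants the regex misses.
    """
    host = urlsplit(url).hostname  # strips brackets and lowercases; None if absent
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # not an IP literal at all
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return None


def any_link_matches(links):
    """Equivalent of the rule's any(body.links, ...) over a list of href URLs."""
    return any(rule_matches(u) for u in links)


if __name__ == "__main__":
    for u in SAMPLE_LINKS:
        print(f"{u:40} rule_match={rule_matches(u)!s:5} resolves_to={mapped_ipv4(u)}")
```

Run as-is, the script shows the first two links tripping the rule and the next two slipping past it even though all four resolve to the same kind of mapped IPv4 target; mapped_ipv4() is the check to reach for when deciding whether a widened pattern such as `\[::ffff:[0-9a-f]{1,4}:[0-9a-f]{1,4}\]` or a dotted-quad variant belongs alongside this rule.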