{"id":2027,"date":"2026-04-22T23:53:20","date_gmt":"2026-04-22T23:53:20","guid":{"rendered":"https:\/\/www.ipv6council.es\/?p=2027"},"modified":"2026-04-23T00:09:12","modified_gmt":"2026-04-23T00:09:12","slug":"ipv6-is-being-used-to-hide-bad-links","status":"publish","type":"post","link":"https:\/\/www.ipv6council.es\/index.php\/2026\/04\/22\/ipv6-is-being-used-to-hide-bad-links\/","title":{"rendered":"IPv6 is being used to hide bad links"},"content":{"rendered":"

<\/p>\n

IPv6 is being used to hide bad links<\/span><\/h1>\n

Attackers are using a standard IPv6 format to hide malicious links within phishing URLs. The trick is simple: they turn an IPv4 address into an IPv6-looking string, so the destination looks technical, unfamiliar, and easy to overlook. This is standard address syntax from <\/span>RFC4291<\/span><\/a>, while <\/span>RFC5952<\/span><\/a> recommends a cleaner way to write IPv6 text.<\/span><\/p>\n

 <\/p>\n

The abuse is already happening in real-world situations. <\/span>Malwarebytes<\/span><\/a> recently discussed phishing emails that use IPv6-mapped IPv4 URLs to hide scam destinations, and <\/span>SANS ISC<\/span><\/a> also explained how these addresses work and why they are important. The key thing to remember is that even if the link looks unusual, it still points to a basic IPv4 host behind the scenes.<\/span><\/p>\n

 <\/p>\n

This isn\u2019t about breaking IPv6; it\u2019s about using proper syntax in a way that makes a malicious link less obvious to people and tools. When a filter only examines the raw string, or when someone quickly glances at the URL and sees brackets, colons, and hex digits, the attack gains an early edge.<\/span><\/p>\n

 <\/p>\n

We built a simple, standalone HTML\/JS calculator<\/a> to demonstrate how it works. What looks like an unusual IPv6 address can actually be a very normal IP address. That’s the main point: the misuse isn’t complicated; it\u2019s just very effective.<\/span><\/p>\n

\"\"<\/a><\/p>\n

By the way, you probably know <\/span>CyberChef,<\/span><\/a> an open-source web-based tool for quick and easy data manipulation, encoding, encryption, and analysis. Fortunately, it’s included, so you can use it alongside all the other useful recipes in this versatile Swiss Army knife.<\/span><\/p>\n

\"\"<\/p>\n

 <\/p>\n

And that’s why phishing prevention, email security, and link inspection are so important. Security systems should start by normalizing the address and then verifying its real destination. Like humans, we shouldn’t trust a URL’s appearance until we’re sure of where it actually leads.<\/span><\/p>\n

 <\/p>\n

Article in spanish.<\/a><\/p>","protected":false},"excerpt":{"rendered":"

IPv6 is being used to hide bad links Attackers are using a standard IPv6 format to hide malicious links within phishing URLs. The trick is simple: they turn an IPv4 address into an IPv6-looking string, so the destination looks technical, unfamiliar, and easy to overlook. This is standard address syntax from RFC4291, while RFC5952 recommends… IPv6 is being used to hide bad links<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"off","neve_meta_content_width":70,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/posts\/2027"}],"collection":[{"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/comments?post=2027"}],"version-history":[{"count":3,"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/posts\/2027\/revisions"}],"predecessor-version":[{"id":2039,"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/posts\/2027\/revisions\/2039"}],"wp:attachment":[{"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/media?parent=2027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/categories?post=2027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ipv6council.es\/index.php\/wp-json\/wp\/v2\/tags?post=2027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}