VYPR
phishing · Published Jun 19, 2026 · 1 source

Phishing Campaign Uses IPv4-Mapped IPv6 Addresses to Bypass URL Filters

A phishing campaign targeting a Belgian bank uses IPv4-mapped IPv6 addresses to evade security controls that parse URLs with simple regex.

A phishing campaign targeting a major Belgian bank is using a clever technique to bypass security filters: IPv4-mapped IPv6 addresses. The malicious URLs embed the real IPv4 address inside an IPv6 notation, exploiting how some parsers handle literal IP addresses in URLs.

The phishing email contains a link like http://[::ffff:5511:74be]/kWC5PHA1. The brackets indicate a literal IPv6 address, but the ::ffff: prefix signals an IPv4-mapped IPv6 address as defined in RFC 4291. The hex groups 5511 and 74be decode to the IPv4 address 85.17.116.190. When visited, the URL redirects to a phishing kit hosted at 3439-aanmelden.verificatie.qzz.io.

This technique bypasses security controls that extract domains or IPs using simple regular expressions, because the URL contains neither a traditional dotted-decimal IP nor a domain name. The parser sees a valid IPv6 address and may not flag it, while the browser still connects to the embedded IPv4 address.

The phishing kit itself is a classic credential-harvesting page mimicking the bank's online banking portal. The campaign appears to be targeting customers of Belfius, a major Belgian bank, though the same technique could be used against any institution.

Security experts recommend that organizations update their URL parsing and threat detection systems to handle IPv4-mapped IPv6 addresses. Regular expressions should account for this notation, and network monitoring should inspect both IPv4 and IPv6 traffic for suspicious patterns.
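One way to apply that recommendation is to parse the URL and the address instead of pattern-matching text. The sketch below is an added example, not code from the campaign report or from any product; the function names and the blocklist are assumptions, and 192.0.2.1 is a constructed documentation address. It also covers the expanded and dotted spellings of a mapped address, which the article does not show.

```python
import ipaddress
from urllib.parse import urlsplit


def canonical_host(url: str) -> str:
    """Return the host a filter should match on.

    IPv4-mapped IPv6 literals (::ffff:a.b.c.d, RFC 4291) are reduced to the
    embedded IPv4 address so IPv4 blocklists and reputation lookups apply.
    """
    host = urlsplit(url).hostname  # strips [] and any port, lowercases names
    if host is None:
        raise ValueError("URL has no host component")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host  # not an IP literal, so treat it as a DNS name
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this
    return str(mapped) if mapped is not None else str(ip)


def uses_mapped_literal(url: str) -> bool:
    """True when the URL host is an IPv4-mapped IPv6 literal (worth flagging)."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return getattr(ip, "ipv4_mapped", None) is not None


def is_blocked(url: str, blocklist: set) -> bool:
    """Match the canonical host against a blocklist of names and IPv4/IPv6 strings."""
    return canonical_host(url) in blocklist


if __name__ == "__main__":
    # Hypothetical blocklist holding the IPv4 address named in the article.
    blocklist = {"85.17.116.190"}
    samples = [
        "http://[::ffff:5511:74be]/kWC5PHA1",    # URL form quoted in the article
        "http://[0:0:0:0:0:ffff:c000:201]/x",    # constructed: expanded spelling
        "http://[::ffff:192.0.2.1]:8080/",       # constructed: dotted spelling
        "https://example.com/login",             # constructed: ordinary hostname
    ]
    for s in samples:
        print(s, canonical_host(s), uses_mapped_literal(s), is_blocked(s, blocklist))
```

Because a mapped literal is rare in legitimate mail, the flag from uses_mapped_literal can feed a detection rule on its own, independent of any blocklist hit.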

This incident highlights the ongoing arms race between attackers and defenders. As security tools improve, threat actors find new ways to evade detection, often by exploiting edge cases in protocol implementations or parsing logic.

Synthesized by Vypr AI