ACCORDING to Malwarebytes, phishers impersonating United Healthcare are using a recurring lure of a free Oral-B toothbrush, but the focus is on the scam link itself. They have shifted from Microsoft Azure Blob Storage to links obfuscated by IPv6-mapped IPv4 addresses in a way that looks confusing yet is valid and routable. For example, a URL may appear as http://[::ffff:5111:8e14]/, where the IPv6 literal is indicated by square brackets.
Decoding the last 32 bits yields an IPv4 address of 81.17.142[.]20, which underpins the target link. The article also lists Indicators of Compromise such as 81.17.142[.]40, 15.204.145[.]84, redirectingherenow[.]com and redirectofferid[.]pro. It was published on 11 March 2026 and highlights how victims are guided to a fast-rotating landing page designed to harvest personal data and card details.