alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Browser Update via Error Page Web Inject"; flow:established,to_client; http.response_body; content:"|20 3d 20|window|2e|location|2e|href|3b 0a|if|28|"; content:"|2e|indexOf|28 27|"; distance:3; within:10; content:"|27 29 3c|99|29 0a 7b 0a|eval|28|atob|28 27|"; distance:3; within:20; fast_pattern; content:"|27 29 29 3b 7d 2f 2f|eval|28|atob|28 27|"; distance:0; reference:url,isc.sans.edu/diary/Supply%20Chain%20Compromise%20or%20False%20Positive%3A%20The%20Intriguing%20Case%20of%20efile.com%20%5Bupdated%20-%20confirmed%20malicious%20code%5D/29708; classtype:trojan-activity; sid:2044884; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_04, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Minor, tag compromised_website, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_04;)