alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed ClickFix Fake Update iframe Injection Attempt"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Click the|20 22|Copy fix|22 20|button below."; content:"copyButton.addEventListener"; distance:0; content:"Invoke-Expression|20 28|Invoke-WebRequest|20 2d|Uri"; fast_pattern; distance:0; reference:url,proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn; classtype:trojan-activity; sid:2052606; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_14, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, performance_impact Low, confidence High, signature_severity Major, tag compromised_website, updated_at 2024_05_14;)