Blog | G5 Cyber Security

Attack Obfuscation – Not Just For JavaScript

An intruder was busy dropping malware on the web servers he’s watching over by uploading PHP code to them via POST requests. The attacker had obfuscated the requests, including lots of Base64-encoded data. Since some of the web sites being monitored allowed code uploads, CSS files ended up heading towards port 80 on the network being monitored. When those files used spaces instead of tabs for declarations, a la:calendar-switcher, rendering them useless for blocking them. Since the built-in-board rule doesn’t declare arrays like that, it quickly became an easy rule.

Source: https://blog.talosintelligence.com/2011/03/attack-obfuscation-not-just-for.html
