Using negative distance to create detection windows - Blog

Hidden iframes are a common method for delivering malicious pages to clients. The rule discussed will not be in any policies by default due to the risk of false positives. The hidden iframe is typically created with something like this https://blog.talosintelligence.com/2012/09/using-negative-distance-to-create.html</a></p> </div> <div class="saxon-social-share-fixed sidebar-position-right"> <div class="post-social-wrapper"> <div class="post-social-title">Share:</div> <div class="post-social"> <a title="Share with Facebook" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="facebook" data-title="Using negative distance to create detection windows" class="facebook-share"> <i class="fa fa-facebook"></i></a><a title="Tweet this" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="twitter" data-title="Using negative distance to create detection windows" class="twitter-share"> <i class="fa fa-twitter"></i></a><a title="Share with LinkedIn" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="linkedin" data-title="Using negative distance to create detection windows" data-image="" class="linkedin-share"> <i class="fa fa-linkedin"></i></a><a title="Pin this" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="pinterest" data-title="Using negative distance to create detection windows" data-image="" class="pinterest-share"> <i class="fa fa-pinterest"></i></a><a title="Share to WhatsApp" href="whatsapp://send?text=Using+negative+distance+to+create+detection+windows: https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="link" class="whatsapp-share"> <i class="fa fa-whatsapp"></i></a><a title="Share by Email" href="mailto:?subject=Using⠀negative⠀distance⠀to⠀create⠀detection⠀windows&body=https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="link" class="email-share"> <i class="fa fa-envelope-o"></i></a> </div> <div class="clear"></div> </div> </div> </div> </div> </article> <div class="saxon-post saxon-post-bottom"> <div class="post-details-bottom"> <div class="post-info-tags"> </div> <div class="post-info-wrapper"> <div class="post-info-views"><i class="fa fa-eye" aria-hidden="true"></i>44</div> </div> <div class="post-info-share"> <div class="post-social-wrapper"> <div class="post-social-title">Share:</div> <div class="post-social"> <a title="Share with Facebook" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="facebook" data-title="Using negative distance to create detection windows" class="facebook-share"> <i class="fa fa-facebook"></i></a><a title="Tweet this" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="twitter" data-title="Using negative distance to create detection windows" class="twitter-share"> <i class="fa fa-twitter"></i></a><a title="Share with LinkedIn" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="linkedin" data-title="Using negative distance to create detection windows" data-image="" class="linkedin-share"> <i class="fa fa-linkedin"></i></a><a title="Pin this" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="pinterest" data-title="Using negative distance to create detection windows" data-image="" class="pinterest-share"> <i class="fa fa-pinterest"></i></a><a title="Share to WhatsApp" href="whatsapp://send?text=Using+negative+distance+to+create+detection+windows: https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="link" class="whatsapp-share"> <i class="fa fa-whatsapp"></i></a><a title="Share by Email" href="mailto:?subject=Using⠀negative⠀distance⠀to⠀create⠀detection⠀windows&body=https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/" data-type="link" class="email-share"> <i class="fa fa-envelope-o"></i></a> </div> <div class="clear"></div> </div> </div> </div> </div> </div> <nav id="nav-below" class="navigation-post"> <div class="container-fluid"> <div class="row"> <div class="col-md-6 nav-post-prev saxon-post no-image"> <a href="https://blog.g5cybersecurity.com/scammers-and-how-to-thwart-them/" class="nav-post-title-link"><div class="nav-post-title">Previous</div><div class="nav-post-name">Scammers and how to thwart them</div></a> </div> <div class="col-md-6 nav-post-next saxon-post no-image"> <a href="https://blog.g5cybersecurity.com/facial-surveillance-in-jamaica-2/" class="nav-post-title-link"><div class="nav-post-title">Next</div><div class="nav-post-name">Facial surveillance in Jamaica</div></a> </div> </div> </div> </nav> <div class="blog-post-related-wrapper clearfix"><h5>Related posts</h5><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/ashley-madison-2-0-hackers-leak-20gb-data-dump-including-ceos-emails/">Ashley Madison 2.0 Hackers Leak 20GB Data Dump, Including CEO's Emails</a></h3><div class="post-date">November 7, 2022</div></div></div><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/art-of-twitter-account-hacking-now-or-never/">Art of Twitter account hacking</a></h3><div class="post-date">November 7, 2022</div></div></div><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/blackenergy-exploits-recently-fixed-flaws-in-siemens-wincc/">BlackEnergy exploits recently fixed flaws in Siemens WinCC</a></h3><div class="post-date">August 1, 2022</div></div></div><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/google-chrome-will-block-code-injection-from-third-party-software-within-14-months/">Google Chrome will block code injection from third-party software within 14 months</a></h3><div class="post-date">August 1, 2022</div></div></div></div> </div> <div class="col-md-4 post-sidebar sidebar sidebar-right" role="complementary"> <ul id="post-sidebar"> <li id="saxon-list-posts-3" class="widget widget_saxon_list_entries"> <h2 class="widgettitle">Something Fresh</h2> <ul> <li class="template-shortline"> <div class="saxon-shortline-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zip-codes-pii-are-they-personal-data/">Zip Codes & PII: Are They Personal Data?</a></h3><div class="post-date">January 3, 2026</div></div></div> </li> <li class="template-shortline"> <div class="saxon-shortline-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zeronet-51-attack-risks-mitigation/">ZeroNet: 51% Attack Risks & Mitigation</a></h3><div class="post-date">January 3, 2026</div></div></div> </li> <li class="template-shortline"> <div class="saxon-shortline-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zero-knowledge-voting-with-trusted-server/">Zero Knowledge Voting with Trusted Server</a></h3><div class="post-date">January 3, 2026</div></div></div> </li> </ul> </li> <li id="saxon-posts-slider-2" class="widget widget_saxon_posts_slider"> <h2 class="widgettitle">What People Reading</h2> <div class="widget-post-slider-wrapper owl-carousel widget-post-slider-wrapper-7580554"> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/yubikey-security-initial-setup-with-yubi-cloud/">YubiKey Security: Initial Setup with Yubi Cloud</a></h3><div class="post-date">January 3, 2026</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zero-day-vulnerabilities-user-defence-guide/">Zero-Day Vulnerabilities: User Defence Guide</a></h3><div class="post-date">January 3, 2026</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/feedback-and-data-driven-updates-to-googles-disclosure-policy/">Feedback and data-driven updates to Googles disclosure policy</a></h3><div class="post-date">August 1, 2022</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zap-brute-force-passwords/">ZAP: Brute Force Passwords</a></h3><div class="post-date">January 3, 2026</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/security-insider-interview-series-john-mcarthur-senior-product-manager-ip-intelligence-and-rupert-young-senior-director-software-engineering-data-compilation-and-identity-neustar/">Security Insider Interview Series: John McArthur, Senior Product Manager, IP Intelligence; and Rupert Young, Senior Director Software Engineering, Data Compilation and Identity, Neustar</a></h3><div class="post-date">August 1, 2022</div></div></div></div></div> </div> </li> <li id="saxon-categories-2" class="widget widget_saxon_categories"><h2 class="widgettitle">Categories</h2> <div class="post-categories"> <a href="https://blog.g5cybersecurity.com/category/cyber-security/" data-style="">Cyber Security<span class="post-categories-counter">36865</span></a><a href="https://blog.g5cybersecurity.com/category/interviews/" data-style="">Interviews<span class="post-categories-counter">353</span></a><a href="https://blog.g5cybersecurity.com/category/news/" data-style="">News<span class="post-categories-counter">137174</span></a> </div> </li> <li id="saxon-text-1" class="widget widget_saxon_text"> <div class="saxon-textwidget-wrapper saxon-textwidget-no-paddings"> <div class="saxon-textwidget" data-style="background-image: url(http://wp.magnium-themes.com/saxon/saxon-1/wp-content/uploads/2018/10/saxon-00026.jpg);padding: 120px 40px 120px 40px;color: #ffffff;text-align: center;"><h5 style="color:#ffffff">Partners</h5> <h3 style="color:#ffffff">Just add here your partners image or promo text</h3><a class="btn" href="#" target="_self">Read More</a></div> </div> </li> </ul> </div> </div> </div> </div> <a class="scroll-to-top btn alt" aria-label="Scroll to top" href="#top"></a> <div class="footer-wrapper"> <footer class="footer-black"> <div class="container"> <div class="row"> <div class="col-md-12 footer-menu" role="navigation"> </div> <div class="col-md-12 col-sm-12 footer-copyright"> <p>© Copyright <a href="http://g5cybersecurity.com" target="_blank" rel="noopener">G5 Cyber Security</a>, Protecting businesses and families from data breaches.</p> </div> </div> </div> </footer> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/sites\/6\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/saxon-child\/*","\/wp-content\/themes\/saxon\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script>  <script type="text/javascript"> var sbiajaxurl = "https://blog.g5cybersecurity.com/wp-admin/admin-ajax.php"; </script> <div id="amp-mobile-version-switcher" hidden> <a rel="" href="https://blog.g5cybersecurity.com/using-negative-distance-to-create-detection-windows/?amp=1"> Go to mobile version </a> </div> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/aos/aos.js?ver=2.3.1" id="aos-js"></script> <script type="text/javascript" id="thickbox-js-extra"> /* <![CDATA[ */ var thickboxL10n = {"next":"Next >","prev":"< Prev","image":"Image","of":"of","close":"Close","noiframes":"This feature requires inline frames. You have iframes disabled or your browser does not support them.","loadingAnimation":"https:\/\/blog.g5cybersecurity.com\/wp-includes\/js\/thickbox\/loadingAnimation.gif"}; /* ]]> */ </script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-includes/js/thickbox/thickbox.js?ver=3.1-20121105" id="thickbox-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/bootstrap.min.js?ver=3.1.1" id="bootstrap-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/easing.js?ver=1.3" id="easing-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/select2/select2.min.js?ver=3.5.1" id="saxon-select2-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/owl-carousel/owl.carousel.min.js?ver=2.0.0" id="owl-carousel-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/template.js?ver=1.3" id="saxon-script-js"></script> <script type="text/javascript" id="saxon-script-js-after"> /* <![CDATA[ */ (function($){ $(document).ready(function($) { "use strict"; $(".content-block ").on("click", ".saxon-post .post-like-button", function(e){ e.preventDefault(); e.stopPropagation(); var postlikes = $(this).next(".post-like-counter").text(); var postid = $(this).data("id"); if(getCookie("saxon-likes-for-post-"+postid) == 1) { // Already liked } else { setCookie("saxon-likes-for-post-"+postid, "1", 365); $(this).children("i").attr("class", "fa fa-heart"); $(this).next(".post-like-counter").text(parseInt(postlikes) + 1); var data = { action: "saxon_likes", postid: postid, }; var ajaxurl = "https://blog.g5cybersecurity.com/wp-admin/admin-ajax.php"; $.post( ajaxurl, data, function(response) { var wpdata = response; }); } }); }); })(jQuery); (function($){ $(document).ready(function() { "use strict"; var owl = $(".sidebar .widget.widget_saxon_posts_slider .widget-post-slider-wrapper.widget-post-slider-wrapper-7580554"); owl.owlCarousel({ loop: true, items:1, autoplay:false, autowidth: false, autoplayTimeout:4000, autoplaySpeed: 1000, navSpeed: 1000, dots: false, responsive: { 1199:{ items:1 }, 979:{ items:1 }, 768:{ items:1 }, 479:{ items:1 }, 0:{ items:1 } } }); });})(jQuery); /* ]]> */ </script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/inc/modules/mega-menu/js/mega-menu.js?ver=1.0.0" id="saxon-mega-menu-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/plugins/enlighter/cache/X6_enlighterjs.min.js?ver=0A0B0C" id="enlighterjs-js"></script> <script type="text/javascript" id="enlighterjs-js-after"> /* <![CDATA[ */ !function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":"pre.EnlighterJSRAW","inline":"code.EnlighterJSRAW"},"options":{"indent":4,"ampersandCleanup":true,"linehover":true,"rawcodeDbclick":false,"textOverflow":"break","linenumbers":true,"theme":"enlighter","language":"generic","retainCssClasses":false,"collapse":false,"toolbarOuter":"","toolbarTop":"{BTN_RAW}{BTN_COPY}{BTN_WINDOW}{BTN_WEBSITE}","toolbarBottom":""}};(e.EnlighterJSINIT=function(){EnlighterJS.init(o.selectors.block,o.selectors.inline,o.options)})()}else{(n&&(n.error||n.log)||function(){})("Error: EnlighterJS resources not loaded yet!")}}(window,console); /* ]]> */ </script> </body> </html> <script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'9e6b09651b17a0ea',t:'MTc3NTI1MDM4MQ=='};var a=document.createElement('script');a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="096c95a90e7edeaf46024426-|49" defer></script>