Hi redwolfe_98,

Yep, think so, if they can decode the URL that fetches the blackhole exploit kit in real time, see this article by Erik Heuser:
https://blogs.rsa.com/beyond-the-zero-day-reverse-engineering-malicious-class-files/
But IDS will also produce the anomaly pattern here as “ssp_ssl: Invalid Client HELLO after Server HELLO Detected” (on the network layer - OSI layer 3, and the transport layer - OSI layer 4)!

Embedding script tags in URLs/HTTP requests will incite unaware users to click on them to enable malicious javascript to be executed on the client (victim’s machine). This becomes possible when input/output validation on the server to reject active code/JS or code characters is not performed or has failed.
In this case the HTML-tag/script inclusion was an applet (but it could have been an object, iframe, frame, xml, blink, obfuscated link etc. etc.; the possibilities are just as many as the user manipulation that was allowed to take place!). The cause of all this nastiness and the aftermath of it is “insecure practices!”.

AV should have static and dynamic detection rules and incorporate various detection methods for various OSI layers,
else it won’t even “see” it happen.

polonus
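An added example, not from polonus's post or any product it mentions: the echoed-parameter handler in its 'before' (verbatim) and 'after' (output-encoded) forms, plus a small request-side check that flags the active-content tags the post lists (script, applet, object, iframe, frame, xml, blink) in URL query values, including double percent-encoded ones. The URLs and handler names are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Tag names the post names as carriers of active content, plus <script> itself.
ACTIVE_TAGS = ("script", "applet", "object", "iframe", "frame", "xml", "blink")
_TAG_RE = re.compile(r"<\s*/?\s*(" + "|".join(ACTIVE_TAGS) + r")\b", re.IGNORECASE)


def render_unsafe(name: str) -> str:
    """'Before' form: the query value is echoed into the page untouched,
    so any markup in it becomes live HTML in the victim's browser."""
    return f"<p>Hello, {name}</p>"


def render_escaped(name: str) -> str:
    """'After' form: output encoding turns <, >, &, quotes into entities,
    so the same value is shown as inert text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def active_content_in_url(url: str) -> list[tuple[str, str]]:
    """Return (parameter, tag) pairs for query values carrying an active-content tag.
    parse_qs decodes one layer of percent-encoding; the extra unquote() catches
    values that were encoded twice to slip past a single-decode filter."""
    hits: list[tuple[str, str]] = []
    for param, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            for match in _TAG_RE.finditer(decoded):
                hits.append((param, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    # Constructed sample requests: one benign, one with an applet tag, one double-encoded iframe.
    samples = [
        "http://example.test/greet?name=alice&q=1%3C2",
        "http://example.test/greet?name=%3Capplet%20code%3Dx.class%3E",
        "http://example.test/greet?name=%253Ciframe%2520src%253Dx%253E",
    ]
    for url in samples:
        print(url, "->", active_content_in_url(url) or "clean")
    print(render_unsafe("<applet>"))   # markup survives: the failure the post describes
    print(render_escaped("<applet>"))  # &lt;applet&gt;: rendered as text
```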