Execution of File Written or Modified by Microsoft Office

Elastic Detection Rules

Summary
This rule aims to detect potentially malicious activity in which an executable file created or modified by a Microsoft Office application is subsequently executed. Such a sequence is often indicative of exploitation through malicious documents that abuse Office's macro capabilities, or of phishing. Specifically, the rule monitors for files with `.exe` extensions written by known Office applications such as Word, Excel, Outlook, PowerPoint, and others. By analyzing the process execution chain together with the associated file activity, investigators can identify unknown or suspicious processes that may signify a compromise. The detection logic is implemented in Elastic Query Language (EQL) as a sequence query that looks for a file creation event followed by a process execution of that file within a defined time frame. Proper incident response steps, including forensic analysis of the dropped files and isolation of affected hosts, are recommended to mitigate any threats that are found.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1566
  • T1566.001
  • T1566.002
Created: 2020-09-02