
Summary
This detection rule identifies Microsoft Office processes (for example Word, Excel or PowerPoint) creating .cab or .inf files, behaviour associated with exploitation of CVE-2021-40444. In the publicly reported exploit chain, a malicious Office document loaded an MSHTML ActiveX control that fetched a .cab archive from a remote server and dropped an .inf file (in observed samples, a DLL carrying an .inf extension), which was then executed on the endpoint. The rule correlates process and file-creation telemetry from the Endpoint.Processes and Endpoint.Filesystem data models, populated by Sysmon and Windows Event Logs, and flags Office applications writing these file types. Because a successful exploit results in remote code execution under the user's context and can lead to further compromise, such events should be triaged promptly. Office applications rarely have a legitimate reason to write .cab or .inf files, so the rule should produce few false positives; each hit should still be reviewed against the document the user opened and the network connections made by the Office process.
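The following is an added example, not part of the original rule or its Splunk search, showing the core condition of the detection applied to Sysmon Event ID 11 (FileCreate) records: an Office binary as the writing process and a target file ending in .cab or .inf. The list of Office image names is an assumption for the example, and the four log records are constructed, not real telemetry.

```python
"""Flag Microsoft Office processes writing .cab or .inf files from Sysmon
Event ID 11 (FileCreate) records. Added example; not the original rule's code."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Office binaries covered by the check (assumed list; matched case-insensitively).
OFFICE_IMAGES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}
# File types an Office application has no normal reason to create.
SUSPICIOUS_EXTENSIONS = {".cab", ".inf"}


@dataclass(frozen=True)
class FileCreateEvent:
    utc_time: str
    process_id: int
    image: str
    target_filename: str
    user: str


def parse_sysmon_eid11(text: str) -> List[FileCreateEvent]:
    """Parse Sysmon Event ID 11 message bodies: 'Key: Value' lines, one record per
    blank-line-separated block. Splitting on the first colon keeps 'C:\\...' paths intact."""
    events: List[FileCreateEvent] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "TargetFilename" not in fields:
            continue  # not a FileCreate record
        events.append(FileCreateEvent(
            utc_time=fields.get("UtcTime", ""),
            process_id=int(fields.get("ProcessId", "0")),
            image=fields.get("Image", ""),
            target_filename=fields["TargetFilename"],
            user=fields.get("User", ""),
        ))
    return events


def is_office_cab_inf_write(event: FileCreateEvent) -> bool:
    """The rule's core condition: Office process image AND .cab/.inf target extension."""
    image_name = ntpath.basename(event.image).lower()
    extension = ntpath.splitext(event.target_filename)[1].lower()
    return image_name in OFFICE_IMAGES and extension in SUSPICIOUS_EXTENSIONS


def detect(events: List[FileCreateEvent]) -> List[Tuple[str, str, str]]:
    """Return (utc_time, image basename, target_filename) for each matching event."""
    return [(e.utc_time, ntpath.basename(e.image), e.target_filename)
            for e in events if is_office_cab_inf_write(e)]


# Constructed Sysmon Event ID 11 records (not real telemetry). The first two model
# the CVE-2021-40444 chain (Word writing a .cab, then the dropped .inf); the other
# two are benign controls: Excel saving a workbook, and a non-Office driver installer
# writing a legitimate .inf, which must not match.
SAMPLE_EVENTS = r"""
File created:
UtcTime: 2021-09-08 14:03:11.101
ProcessGuid: {4f2a0c41-0001-0000-0000-000000000001}
ProcessId: 4120
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
TargetFilename: C:\Users\alice\AppData\Local\Temp\Low\invoice.cab
User: DESKTOP\alice

File created:
UtcTime: 2021-09-08 14:03:12.455
ProcessGuid: {4f2a0c41-0001-0000-0000-000000000001}
ProcessId: 4120
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
TargetFilename: C:\Users\alice\AppData\Local\Temp\Low\invoice.inf
User: DESKTOP\alice

File created:
UtcTime: 2021-09-08 14:05:40.002
ProcessGuid: {4f2a0c41-0002-0000-0000-000000000002}
ProcessId: 5332
Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
TargetFilename: C:\Users\alice\Documents\budget.xlsx
User: DESKTOP\alice

File created:
UtcTime: 2021-09-08 14:06:02.870
ProcessGuid: {4f2a0c41-0003-0000-0000-000000000003}
ProcessId: 1208
Image: C:\Windows\System32\drvinst.exe
TargetFilename: C:\Windows\INF\oem42.inf
User: NT AUTHORITY\SYSTEM
"""


def run_detection() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed sample; only the two Word events match."""
    return detect(parse_sysmon_eid11(SAMPLE_EVENTS))


if __name__ == "__main__":
    for utc_time, image, target in run_detection():
        print(f"{utc_time}  {image} -> {target}")
```

Matching is case-insensitive on both the image name and the extension, since Windows paths are case-insensitive and the Office binary often logs as WINWORD.EXE. In a real deployment the same two conditions are expressed in the data-model search rather than in Python, and a hit should be enriched with the process's network connections and the parent document before escalation.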
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Container
- Process
- File
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-20