
Summary
This rule identifies phishing attacks that use MS Office open XML files (such as Word or Excel documents) to deliver hidden binary payloads. Detection focuses on documents carrying embedded scripts or objects, specifically content encoded in base64 or JavaScript that calls createObjectURL or msSaveOrOpenBlob. Those functions are typically associated with attempts to download and execute a harmful binary from within the document. Beyond the file extensions commonly found in Office documents, the rule also checks other indicators, such as content types that suggest embedded content, and it combines archive analysis, content analysis, and YARA signatures to improve detection accuracy.
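The following Python sketch, added here as an illustration and not the rule's or the vendor's own code, performs the archive and content analysis the summary describes: it opens the Office Open XML container as a zip, walks every part, and flags the createObjectURL/msSaveOrOpenBlob sinks, long base64 runs, and content types that declare embedded foreign content. The base64 length threshold, the content-type keywords, the part names, and the two fixtures are assumptions constructed for this example.

```python
import base64
import io
import re
import zipfile

# Indicators the summary names; thresholds and content-type keywords are this example's assumptions.
JS_SINKS = re.compile(rb"createObjectURL|msSaveOrOpenBlob")
BASE64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){64,}={0,2}")  # 256+ chars of base64
EMBED_TYPES = re.compile(rb'ContentType="([^"]*(?:oleObject|html|octet-stream)[^"]*)"')

def scan_ooxml(data: bytes) -> dict:
    """Walk every part of an Office Open XML container (a zip) and record which parts
    hold JS download sinks or base64 runs, plus declared content types for embedded content."""
    hits = {"js_sinks": [], "base64_parts": [], "embed_types": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            part = z.read(name)
            if name == "[Content_Types].xml":
                hits["embed_types"] += [m.decode() for m in EMBED_TYPES.findall(part)]
            if JS_SINKS.search(part):
                hits["js_sinks"].append(name)
            if BASE64_RUN.search(part):
                hits["base64_parts"].append(name)
    return hits

def is_suspicious(hits: dict) -> bool:
    """A blob-download sink plus a base64 run or declared embedded content is the
    pattern the summary describes; either indicator on its own is only noise."""
    return bool(hits["js_sinks"]) and bool(hits["base64_parts"] or hits["embed_types"])

def build_container(parts: dict) -> bytes:
    """Constructed OOXML-style zip from {part_name: bytes}, for offline testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed fixtures: a plain document and one whose HTML part rebuilds a blob from base64.
PLAIN_TYPES = b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>'
SMUGGLE_TYPES = PLAIN_TYPES.replace(
    b"</Types>", b'<Override PartName="/word/embeddings/x.htm" ContentType="text/html"/></Types>')
SMUGGLER = (b"<script>var b=atob('" + base64.b64encode(b"\x00" * 300)
            + b"');var u=URL.createObjectURL(new Blob([b]));</script>")
BENIGN_DOC = build_container({"[Content_Types].xml": PLAIN_TYPES,
                              "word/document.xml": b"<w:document><w:body/></w:document>"})
MALICIOUS_DOC = build_container({"[Content_Types].xml": SMUGGLE_TYPES,
                                 "word/document.xml": b"<w:document><w:body/></w:document>",
                                 "word/embeddings/x.htm": SMUGGLER})
```

Running `is_suspicious(scan_ooxml(data))` over a real sample set would show where the base64 threshold needs tuning, since legitimate documents can carry long base64 strings (embedded images, for example) without any JavaScript sink.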
Categories
- Endpoint
- Web
Data Sources
- File
- Process
- Application Log
Created: 2024-02-27