
Summary
This detection rule identifies Microsoft Office processes that load the mshtml.dll module, which can indicate an attempt to exploit CVE-2021-40444. Using Sysmon Event ID 7 (image load) data, the analytic matches Office processes that load mshtml.dll, a core rendering component of Microsoft applications. The rule is meant to catch crafted documents that leverage the vulnerability, which can give an attacker arbitrary code execution and lead to system compromise and data exfiltration. It requires Sysmon image-load logging to be configured, monitors user activity involving Office applications, and offers tuning options to reduce false positives.
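The following is an added example, not the rule's own search logic or code from the project that publishes it. It implements the detection described above in Python: it parses Sysmon Event ID 7 (ImageLoad) records in the standard Windows event XML layout, flags Office executables that load mshtml.dll, and shows one tuning knob (a user allowlist) for false-positive reduction. The list of Office process names, the hostnames, users and paths in the sample events are all constructed for the example and are assumptions, not values from the rule.

```python
"""Added example: detect Office processes loading mshtml.dll from Sysmon
Event ID 7 (ImageLoad) records, mirroring the rule summary above.
Sample events and the Office process list are constructed for illustration."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Sysmon writes events in the standard Windows event XML namespace.
NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + NS_URI + "}"

# Office executables to watch (assumption: this set is the example's, not the rule's).
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "onenote.exe", "visio.exe", "mspub.exe",
}
TARGET_MODULE = "mshtml.dll"


def make_event(event_id, computer, **fields):
    """Build a Sysmon-style event XML string (used only to construct samples)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample events: hostnames, users, times and paths are illustrative.
SAMPLE_EVENTS = [
    # Word loads mshtml.dll: should alert
    make_event(7, "WS01.example.local",
               UtcTime="2021-09-08 10:15:42.123",
               Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               ImageLoaded=r"C:\Windows\System32\mshtml.dll",
               User=r"EXAMPLE\alice"),
    # Excel loads the VBA runtime: unrelated module, no alert
    make_event(7, "WS01.example.local",
               UtcTime="2021-09-08 10:16:01.500",
               Image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
               ImageLoaded=r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL",
               User=r"EXAMPLE\alice"),
    # Process-creation event (EID 1) for Word: wrong event type, no alert
    make_event(1, "WS02.example.local",
               UtcTime="2021-09-08 10:17:10.000",
               Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               User=r"EXAMPLE\bob"),
    # PowerPoint loads mshtml.dll on another host: should alert
    make_event(7, "WS02.example.local",
               UtcTime="2021-09-08 10:18:33.250",
               Image=r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
               ImageLoaded=r"C:\Windows\System32\mshtml.dll",
               User=r"EXAMPLE\bob"),
]


def parse_event(xml_text):
    """Parse one Sysmon event into (event_id, computer, {field_name: value})."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext(f"{NS}System/{NS}EventID"))
    computer = root.findtext(f"{NS}System/{NS}Computer", default="")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, computer, data


def detect_office_mshtml_load(xml_text, allowlisted_users=frozenset()):
    """Return a finding dict when the event matches the rule, otherwise None.

    allowlisted_users: lower-cased DOMAIN\\user strings to suppress (tuning knob).
    """
    event_id, computer, data = parse_event(xml_text)
    if event_id != 7:                       # only ImageLoad events carry ImageLoaded
        return None
    image = PureWindowsPath(data.get("Image", "")).name.lower()
    module = PureWindowsPath(data.get("ImageLoaded", "")).name.lower()
    if image not in OFFICE_PROCESSES or module != TARGET_MODULE:
        return None
    if data.get("User", "").lower() in allowlisted_users:
        return None                         # tuned out as a known false positive
    return {
        "host": computer,
        "user": data.get("User", ""),
        "process": image,
        "module": data.get("ImageLoaded", ""),
        "time": data.get("UtcTime", ""),
        "technique": "T1566.001",
    }


def run(events, allowlisted_users=frozenset()):
    """Apply the detector to raw event strings and collect the findings."""
    findings = (detect_office_mshtml_load(e, allowlisted_users) for e in events)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Matching on the basename of Image and ImageLoaded (rather than full paths) keeps the rule robust to differing Office install locations; the allowlist is keyed on the Sysmon User field so that a known benign workflow can be excluded without blinding the rule for everyone else.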
Categories
- Endpoint
Data Sources
- Pod
- User Account
- Process
- Network Traffic
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-20