Potential Persistence Via Visual Studio Tools for Office

Sigma Rules

Summary
This detection rule identifies potential persistence established through Visual Studio Tools for Office (VSTO) add-ins in Microsoft Office applications, specifically Outlook, Word, Excel, and PowerPoint. It monitors modifications to the Windows registry paths associated with VSTO, which can indicate that an add-in has been installed or altered by malicious software to retain access to or control over the system. The registry paths of interest include those for Office add-ins and for the VSTO security inclusion list. To reduce false positives from benign add-in installations, the rule excludes changes made by executables associated with legitimate administrative tasks, such as `msiexec.exe` and `regsvr32.exe`, and by Microsoft Office and Teams binaries themselves. By correlating the modified registry key with the executable that made the change, the rule flags anomalous activity that may signify an attempt to create persistence via add-ins.
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Windows Registry
Created: 2021-01-10