Suspicious macOS MS Office Child Process

Elastic Detection Rules

Summary
This detection rule identifies suspicious child processes spawned by commonly targeted Microsoft Office applications (Word, PowerPoint, Excel) on macOS. Attackers frequently deliver documents carrying malicious macros, or exploit vulnerabilities in these applications, to launch unauthorized processes from an Office parent. The rule is written in EQL (Event Query Language) and requires the Elastic Defend integration to supply the underlying process events.

The query matches process events whose action is 'exec', where the parent is a macOS Office application and the child executable appears on a defined list of suspicious binaries such as 'curl', 'bash' and 'osascript', among others. Several known benign parent/child combinations are explicitly excluded to reduce false positives and keep the alert focused on genuine exploitation attempts. The behavior maps to the initial access tactic in the MITRE ATT&CK framework, specifically phishing via a malicious attachment.
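To make the matching logic concrete, the following is an added Python re-implementation of the detection shape the summary describes, run over constructed process events; it is not the rule's own EQL. The benign-exclusion pattern and the sample events are assumptions built for illustration, and the suspicious child list is limited to the executables named above.

```python
# Added example: approximates the rule's logic in Python over constructed
# Elastic-style process events. Not the Elastic rule itself.

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}

# Child executables named in the rule summary; the rule's full list is longer
# ("and others") and is deliberately not expanded here.
SUSPICIOUS_CHILDREN = {"curl", "bash", "osascript"}

# Constructed stand-in for the rule's benign exclusions (assumption: the real
# exclusion list is not reproduced on this page). Any process.args element
# containing one of these substrings is treated as known-legitimate.
BENIGN_ARG_MARKERS = ("Microsoft AutoUpdate",)


def is_suspicious(event: dict) -> bool:
    """Return True when an event matches the described detection shape."""
    if event.get("event", {}).get("action") != "exec":
        return False  # the rule only looks at exec events
    if event.get("host", {}).get("os", {}).get("type") != "macos":
        return False
    proc = event.get("process", {})
    parent = proc.get("parent", {}).get("name")
    child = proc.get("name")
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return False
    # Benign filter: drop known-legitimate invocations before alerting.
    args = proc.get("args", [])
    if any(marker in a for a in args for marker in BENIGN_ARG_MARKERS):
        return False
    return True


def run_rule(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"action": "exec"}, "host": {"os": {"type": "macos"}},
     "process": {"name": "curl", "args": ["curl", "-s", "http://example.invalid/x"],
                 "parent": {"name": "Microsoft Word"}}},        # should alert
    {"event": {"action": "exec"}, "host": {"os": {"type": "macos"}},
     "process": {"name": "osascript", "args": ["osascript", "-e", "tell app \"Microsoft AutoUpdate\" to run"],
                 "parent": {"name": "Microsoft Excel"}}},       # excluded as benign
    {"event": {"action": "exec"}, "host": {"os": {"type": "macos"}},
     "process": {"name": "open", "args": ["open", "report.pdf"],
                 "parent": {"name": "Microsoft PowerPoint"}}},  # child not on list
    {"event": {"action": "fork"}, "host": {"os": {"type": "macos"}},
     "process": {"name": "bash", "args": ["bash"],
                 "parent": {"name": "Microsoft Word"}}},        # wrong action
]
```

Running `run_rule(SAMPLE_EVENTS)` yields only the first event, showing how the action, parent, child-list and benign-exclusion conditions each gate an alert.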
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2021-01-04