Windows Office Product Spawned Control

Splunk Security Content

Summary
This analytic detects instances where `control.exe` is spawned by Microsoft Office products, using Endpoint Detection and Response (EDR) data. It focuses on the parent/child process relationship in which `control.exe` is executed, which is significant because it may indicate attempts to exploit CVE-2021-40444. If confirmed malicious, this could allow attackers to run arbitrary code, leading to system takeover, data leakage, or lateral movement. Detection relies on Sysmon logs and Windows Event ID 4688 to track process execution and process relationships, looking specifically for patterns that indicate exploitation attempts. The rule is designed to minimize false positives while providing robust coverage against exploitation scenarios in Windows environments.
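The parent/child relationship the summary describes, as an added Python example that is not Splunk's own search: it normalises process-creation records in the shape of Sysmon EventID 1 and Windows Security EventID 4688, flags `control.exe` whose direct parent is an Office executable, and returns triage-ready hits. The list of Office parent executables and the sample events are constructed for this example; the analytic's own SPL defines the authoritative list.

```python
"""Added example: re-implement the Office -> control.exe parent/child check
over constructed process-creation events. Not Splunk's own detection code."""

from dataclasses import dataclass
from typing import Iterable, List

# Assumed set of Microsoft Office parent executables (constructed for this
# example; the real analytic defines its own list).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "visio.exe", "onenote.exe", "mspub.exe",
}

# Process-creation event IDs the summary names: Sysmon EventID 1 and
# Windows Security EventID 4688. Other event types are out of scope.
PROCESS_CREATE_EVENT_IDS = {1, 4688}


@dataclass(frozen=True)
class ProcessEvent:
    """Normalised process-creation record (fields modelled on Sysmon/4688)."""
    event_id: int
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_spawned_control(ev: ProcessEvent) -> bool:
    """True when an Office process is the direct parent of control.exe."""
    if ev.event_id not in PROCESS_CREATE_EVENT_IDS:
        return False
    return (image_name(ev.parent_image) in OFFICE_PARENTS
            and image_name(ev.image) == "control.exe")


def find_matches(events: Iterable[ProcessEvent]) -> List[dict]:
    """Run the rule over an event stream and return one triage dict per hit."""
    hits = []
    for ev in events:
        if is_office_spawned_control(ev):
            hits.append({
                "host": ev.host,
                "user": ev.user,
                "parent": image_name(ev.parent_image),
                "process": image_name(ev.image),
                "command_line": ev.command_line,
                "source": "sysmon:1" if ev.event_id == 1 else "wineventlog:4688",
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Control Panel opened from Explorer, should not match.
    ProcessEvent(1, "ws01", "CORP\\alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\control.exe",
                 "control.exe /name Microsoft.System"),
    # Suspicious: Word is the direct parent of control.exe (Sysmon).
    ProcessEvent(1, "ws02", "CORP\\bob",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\control.exe", "control.exe"),
    # Excel spawning cmd.exe: a different rule's concern, not this one.
    ProcessEvent(4688, "ws03", "CORP\\carol",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # Suspicious: Outlook is the direct parent of control.exe (4688).
    ProcessEvent(4688, "ws04", "CORP\\dave",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\control.exe", "control.exe"),
    # Sysmon EventID 7 (image load) with the same images: not a process
    # creation, so it must be ignored.
    ProcessEvent(7, "ws02", "CORP\\bob",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\control.exe", "control.exe"),
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit)
```

Matching on the file name rather than the full path keeps the rule stable across Office install locations, and restricting to the two process-creation event IDs avoids firing on image-load or network records that happen to carry the same image fields.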
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1218
  • T1218.002
  • T1566
  • T1566.001
Created: 2025-01-14