Attachment: Office file with suspicious function calls or downloaded file path

Sublime Rules

Summary
This detection rule identifies potentially malicious Office files based on specific function calls and known patterns indicative of malicious activity. It targets attached Office files, common archive formats, and files with an unknown extension that meet a narrow criterion (e.g., an application/octet-stream content type and a size under 100 KB). The rule scans each qualifying attachment for characteristic strings such as 'URLDownloadToFile' and 'Auto_Open', which are common in malicious macros, and applies regex patterns to detect file paths suggestive of malicious operation. In addition, sender profiling weighs the prevalence of the sender's previous messages: senders that are new, outliers, or known to have sent malicious spam raise the signal, and the profiles are also checked for confirmed non-false positives.
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2023-11-21