Windows Spearphishing Attachment Connect To None MS Office Domain

Splunk Security Content

Summary
This detection rule identifies Microsoft Office applications that connect to domains outside the expected Microsoft resources. Specifically, it monitors Word, Excel, and PowerPoint processes for DNS queries whose queried name does not end in '.office.com' or '.office.net'. This behavior is significant because it may indicate a spearphishing attack in which a malicious document reaches out to an external, attacker-controlled domain. The rule relies on Sysmon Event Code 22, which logs the DNS queries made by monitored processes, so such connections can be surfaced before later stages of the intrusion. Implementation requires that Sysmon logs are ingested, and in particular that the DNS activity of these applications is captured. If these processes are not monitored, malicious attempts that could compromise data integrity or lead to malware infections may go undetected.
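The following Python is an added example of the detection logic the summary describes, written for this page; it is not the Splunk search from the Security Content project. It assumes Sysmon Event ID 22 records with the standard `EventCode`, `Image` and `QueryName` fields, assumes the Office applications named on the page correspond to the binaries `WINWORD.EXE`, `EXCEL.EXE` and `POWERPNT.EXE`, and runs over a handful of constructed records. It also shows two things the prose alone does not: name normalization (case, trailing dot) before the suffix check, and the fact that a lookalike such as `office.com.<something>` does not match the allowed suffixes and is therefore flagged.

```python
from typing import Iterable, List, Sequence

# Office binaries covered by the page's "Word, Excel, PowerPoint" wording.
# The executable names are an assumption; the page names applications, not image paths.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Domain suffixes the page treats as expected Microsoft Office resources.
DEFAULT_ALLOWED_SUFFIXES: Sequence[str] = (".office.com", ".office.net")


def is_office_process(image: str) -> bool:
    """True if the basename of the Sysmon Image path is one of the Office binaries."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename in OFFICE_IMAGES


def is_allowed_domain(query_name: str,
                      allowed_suffixes: Sequence[str] = DEFAULT_ALLOWED_SUFFIXES) -> bool:
    """Suffix match on the queried name: case-insensitive, trailing dot stripped.

    The apex name itself (e.g. 'office.com') is accepted as well as its subdomains.
    """
    name = query_name.strip().rstrip(".").lower()
    for suffix in allowed_suffixes:
        if name == suffix.lstrip(".") or name.endswith(suffix):
            return True
    return False


def find_suspicious_dns(events: Iterable[dict],
                        allowed_suffixes: Sequence[str] = DEFAULT_ALLOWED_SUFFIXES) -> List[dict]:
    """Return the Event ID 22 records where an Office process queried a non-allowlisted name."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 22:          # only Sysmon DNS query events
            continue
        if not is_office_process(ev.get("Image", "")):
            continue
        if is_allowed_domain(ev.get("QueryName", ""), allowed_suffixes):
            continue
        hits.append(ev)
    return hits


# Constructed sample telemetry (not real events). Paths and names are illustrative;
# the '.invalid' TLD is reserved and never resolves.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"EventCode": 22, "Image": OFFICE16 + r"\WINWORD.EXE", "QueryName": "outlook.office.com"},
    {"EventCode": 22, "Image": OFFICE16 + r"\EXCEL.EXE", "QueryName": "cdn.office.net"},
    {"EventCode": 22, "Image": OFFICE16 + r"\WINWORD.EXE", "QueryName": "OUTLOOK.OFFICE.COM."},
    {"EventCode": 22, "Image": OFFICE16 + r"\POWERPNT.EXE", "QueryName": "update.payload-example.invalid"},
    {"EventCode": 22, "Image": OFFICE16 + r"\WINWORD.EXE", "QueryName": "office.com.lookalike-example.invalid"},
    {"EventCode": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "some-site.invalid"},                      # not an Office process: ignored
    {"EventCode": 3,  "Image": OFFICE16 + r"\WINWORD.EXE", "QueryName": "ignored.invalid"},  # not Event 22
]


if __name__ == "__main__":
    for hit in find_suspicious_dns(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']}  ->  {hit['QueryName']}")
```

Running the block prints two alerts: the PowerPoint query to the `.invalid` host and the Word query to the `office.com.` lookalike. Note that the allowlist is exactly the two suffixes the page gives; an Office process querying any other Microsoft-owned name would also be flagged, so tuning `allowed_suffixes` for the environment is the expected next step when deploying logic of this shape.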
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1566.001
  • T1566
Created: 2024-11-13