
Summary
This detection rule identifies instances where Microsoft Word (winword.exe) spawns a PowerShell process, a behavior often linked to spearphishing attacks in which a malicious document is opened and used to run encoded commands. The detection uses telemetry from Endpoint Detection and Response (EDR) systems, specifically process creation events in which winword.exe is the parent process. Because this behavior is uncommon, it can indicate malicious activity that allows an attacker to execute arbitrary code, potentially leading to data exfiltration or lateral movement within the network. Due to its specialized nature, this analytic has been deprecated; users are recommended to move to the more generic detection rule "Windows Office Product Spawned Uncommon Process." The rule builds its detections from Sysmon EventID 1, Windows Event Log Security 4688, and data from other EDR solutions, and relies on complete command-line logging being ingested for effective monitoring.
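As an added illustration (not the rule's own search logic), the core match of this analytic run over constructed Sysmon EventID 1 and Security 4688 records: field names follow those two event schemas, the encoded-switch regex is an approximation of what powershell.exe accepts, and the `parents`/`children` parameters show how the same check widens toward the replacement rule.

```python
import re

# Constructed process-creation events in the two shapes the rule consumes:
# Sysmon EventID 1 (Image/ParentImage) and Security 4688
# (NewProcessName/ParentProcessName). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Computer": "WS02", "User": "CORP\\bob",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\macro_helper.ps1"},
    {"EventID": 1, "Computer": "WS03", "User": "CORP\\carol",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
# powershell.exe accepts -e, -ec and any prefix of -EncodedCommand (approximation).
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?(?=\s|$)")

def normalize(event):
    """Map Sysmon 1 and Security 4688 field names onto one schema (lowercased basenames)."""
    if event.get("EventID") == 1:
        parent, child = event.get("ParentImage", ""), event.get("Image", "")
    elif event.get("EventID") == 4688:
        parent, child = event.get("ParentProcessName", ""), event.get("NewProcessName", "")
    else:
        return None  # not a process-creation event; the rule ignores it
    base = lambda p: p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"parent": base(parent), "child": base(child),
            "cmd": event.get("CommandLine", ""),
            "host": event.get("Computer", "?"), "user": event.get("User", "?")}

def detect(events, parents=("winword.exe",), children=("powershell.exe",)):
    """Defaults reproduce the deprecated rule; widening `parents` to the other Office
    binaries moves toward the generic 'Office Product Spawned Uncommon Process' check."""
    alerts = []
    for ev in events:
        n = normalize(ev)
        if n and n["parent"] in parents and n["child"] in children:
            n["encoded"] = bool(ENCODED_SWITCH.search(n["cmd"]))  # enrichment for triage
            alerts.append(n)
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} {a['parent']} -> {a['child']} encoded={a['encoded']}")
```

The third record (explorer.exe launching a scheduled script) is the benign baseline the rule must not fire on; the `encoded` flag only enriches an alert, it does not gate it.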
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-13