Potentially Suspicious Office Document Executed From Trusted Location

Sigma Rules
Summary
This rule flags a Microsoft Office application (Excel, PowerPoint or Word) being launched to open a document that sits in one of Office's trusted locations. Office skips its Trust Center checks for files in a trusted location, so a macro-carrying file placed there runs without the macro-security prompt; attackers therefore drop files into these directories to get macros executed without tripping the usual controls.

On a Windows process-creation event the rule requires all of the following:

  • the parent process is explorer.exe or dopus.exe (Windows Explorer or Directory Opus), i.e. the file was opened from a file manager rather than spawned by another application;
  • the image is an Office application: Excel, PowerPoint or Word;
  • the command line references one of the AppData-based Microsoft Office template directories that Office trusts by default;
  • the command line references a template file with a .dotx, .xltx or .potx extension.

Requiring every condition at once keeps false positives down, but a user opening a custom template from their own Templates folder will still match. Treat a hit as a lead to triage rather than as confirmation that a malicious macro ran: pull the referenced file, check it for embedded macros, and establish how it arrived in the trusted directory.
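The matching logic described above, as an added example that is not part of the rule or of this page: a small Python matcher run over constructed process-creation events, with a helper that pulls the document path out of the command line for triage. It assumes Sigma's process_creation field names (Image, ParentImage, CommandLine); the concrete list of trusted directories, the sample events and the host/user names are our own assumptions, since the page names only the extensions and the parent processes.

```python
import re
from typing import Dict, List, Optional

# Field names follow Sigma's process_creation log source (Sysmon Event ID 1
# naming): Image, ParentImage, CommandLine. Matching is case-insensitive,
# as Sigma's endswith/contains modifiers are.
OFFICE_IMAGES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe")
FILE_MANAGER_PARENTS = ("\\explorer.exe", "\\dopus.exe")
TEMPLATE_EXTENSIONS = (".dotx", ".xltx", ".potx")

# ASSUMPTION: the page only says "AppData and Microsoft Office template
# directories". These fragments are our reading of Office's default per-user
# trusted locations, not the rule's own list.
TRUSTED_DIR_FRAGMENTS = (
    r"\appdata\roaming\microsoft\templates",
    r"\appdata\roaming\microsoft\word\startup",
    r"\appdata\roaming\microsoft\excel\xlstart",
    r"\appdata\roaming\microsoft\addins",
)

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_command_line(cmd: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmd)]


def find_document_argument(cmd: str) -> Optional[str]:
    """Return the first argument after the executable that carries one of the
    template extensions, so an analyst knows which file to pull."""
    for arg in split_command_line(cmd)[1:]:
        if arg.lower().endswith(TEMPLATE_EXTENSIONS):
            return arg
    return None


def matches_rule(event: Dict[str, str]) -> bool:
    """All four selections must hold, mirroring the rule's AND condition."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        parent.endswith(FILE_MANAGER_PARENTS)
        and image.endswith(OFFICE_IMAGES)
        and any(frag in cmd for frag in TRUSTED_DIR_FRAGMENTS)
        and any(ext in cmd for ext in TEMPLATE_EXTENSIONS)
    )


def triage(events) -> List[Dict[str, Optional[str]]]:
    """Return one triage record per matching event."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "host": ev.get("Computer"),
                "user": ev.get("User"),
                "parent": ev.get("ParentImage"),
                "document": find_document_argument(ev.get("CommandLine", "")),
            })
    return hits


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
ALICE_TEMPLATES = r"C:\Users\alice\AppData\Roaming\Microsoft\Templates"

# Constructed sample events (not real telemetry). Events 0 and 1 should match;
# 2 fails the parent filter, 3 the trusted-directory check, 4 the extension check.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": '"' + OFFICE + r'\WINWORD.EXE" /n "' + ALICE_TEMPLATES
                    + r'\Quarterly_Report.dotx" /o ""'},
    {"Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": r"C:\Program Files\GPSoftware\Directory Opus\dopus.exe",
     "Image": OFFICE + r"\EXCEL.EXE",
     "CommandLine": '"' + OFFICE + r'\EXCEL.EXE" '
                    r'"C:\Users\bob\AppData\Roaming\Microsoft\Excel\XLSTART\Pricing.xltx"'},
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": '"' + OFFICE + r'\WINWORD.EXE" /n "' + ALICE_TEMPLATES
                    + r'\Quarterly_Report.dotx"'},
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": '"' + OFFICE + r'\WINWORD.EXE" /n "C:\Users\alice\Downloads\Resume.dotx"'},
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\POWERPNT.EXE",
     "CommandLine": '"' + OFFICE + r'\POWERPNT.EXE" "' + ALICE_TEMPLATES + r'\Deck.pptx"'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The substring checks deliberately mirror Sigma's `contains` semantics, so an extension that appears anywhere on the command line (not only on the opened document) still counts; the separate `find_document_argument` step is what tells the analyst which file to go and inspect.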
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
Created: 2023-06-21