
Windows Outlook Macro Security Modified

Splunk Security Content

Summary
This analytic detects modifications to the Windows Registry value that controls Outlook's macro security. Specifically, it monitors changes to the 'Level' value under the Outlook Security registry path. When this value is set to '0x00000001', Outlook runs macros without prompting the user, which lets malicious scripts execute undetected. This behavior is particularly concerning because it is frequently associated with malware that harvests email data. The rule uses the Endpoint.Registry data model, filtering on the registry path associated with Outlook Security to flag suspicious modifications. For the detection to be effective, Sysmon must be installed at a version that logs registry value-set events (Event ID 13) so that the relevant changes are recorded. The search examines several registry fields (path, value name, and value data) to provide context on what was changed.
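The following is an added example, not the Splunk search itself: a Python stand-in that applies the same logic (suffix match on *\Outlook\Security\Level, value data 0x00000001, Sysmon Event ID 13) to a handful of constructed Sysmon-style log lines. The key=value line format, the sample SIDs and paths, and the function names are assumptions made for this illustration; the Level-to-meaning mapping follows Outlook's macro security settings (1 = enable all macros, 2 = warn for all, 3 = warn for signed only, 4 = disable all). A hardening write (Level 4), a different Office key (Word's VBAWarnings), and a key-creation event (Event 12) are included to show what the rule must not fire on.

```python
"""Added example: flag Sysmon registry value-set events (Event ID 13) that drop
Outlook's macro security 'Level' value to 1. The log lines below are constructed
for this illustration; the key=value layout is an assumption, not Sysmon's own."""
import re
from typing import Iterable, Optional

# Meaning of Outlook's Security\Level DWORD. Only 1 removes the prompt entirely.
LEVEL_MEANING = {
    1: "Enable all macros (no prompt)",
    2: "Warn for all macros",
    3: "Warn for signed macros, disable unsigned",
    4: "Disable all macros, no warning",
}

# Suffix match like the wildcard path filter *\Outlook\Security\Level.
# Case-insensitive, and it covers both the per-user and the Policies path.
OUTLOOK_LEVEL_RE = re.compile(r"\\Outlook\\Security\\Level$", re.IGNORECASE)
# Sysmon renders DWORD data as "DWORD (0x00000001)"; a normalised field may
# carry just "0x00000001". Either form is accepted.
DWORD_RE = re.compile(r"0x([0-9a-f]{1,8})", re.IGNORECASE)
# key=value tokens; values containing spaces are quoted in the constructed lines.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (hypothetical SID, paths and processes).
SAMPLE_EVENTS = [
    # Hardening by an admin: Level 4 disables all macros -> must not alert.
    r'EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level Details="DWORD (0x00000004)"',
    # Script drops macro security to Level 1 (run everything, never prompt) -> alert.
    r'EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level Details="DWORD (0x00000001)"',
    # Same value written through the Policies path -> alert (suffix match).
    r'EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Policies\Microsoft\Office\16.0\Outlook\Security\Level Details="DWORD (0x00000001)"',
    # Word's VBAWarnings is a different key; out of scope for this rule.
    r'EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings Details="DWORD (0x00000001)"',
    # Key creation (Event 12) carries no value data -> ignored.
    r'EventID=12 Image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Outlook\Security',
]


def parse_event(line: str) -> dict:
    """Split one constructed key=value log line into a field dictionary."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def outlook_macro_level(event: dict) -> Optional[int]:
    """Return the Level written by a value-set event on ...\\Outlook\\Security\\Level,
    or None when the event is not a write to that value."""
    if event.get("EventID") != "13":
        return None
    if not OUTLOOK_LEVEL_RE.search(event.get("TargetObject", "")):
        return None
    match = DWORD_RE.search(event.get("Details", ""))
    return int(match.group(1), 16) if match else None


def detect_outlook_macro_downgrade(lines: Iterable[str]) -> list:
    """Return one alert per event that sets Outlook's macro security Level to 1."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        level = outlook_macro_level(event)
        if level == 1:
            alerts.append({
                "image": event.get("Image", ""),
                "target": event["TargetObject"],
                "level": level,
                "meaning": LEVEL_MEANING[level],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_outlook_macro_downgrade(SAMPLE_EVENTS):
        print(f"ALERT {alert['image']} set {alert['target']} -> "
              f"{alert['level']} ({alert['meaning']})")
```

Running the block prints two alerts: the PowerShell write and the reg.exe write to the Policies path. The Level 4 write, the Word key and the key-creation event produce nothing, which is the behaviour to preserve when tuning: a rule that matched any write to the Level value would fire on routine hardening.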
Categories
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1137
  • T1008
Created: 2025-09-08