Windows Office Product Loading VBE7 DLL

Splunk Security Content

Summary
This detection rule monitors for the execution of macro code within Microsoft Office documents by identifying when processes such as WINWORD.EXE and EXCEL.EXE load specific dynamic link libraries (DLLs), notably VBE7.DLL. The detection relies on Sysmon EventCode 7 events in which Office-related processes load these DLLs. Macros carry significant security risks, including potential unauthorized code execution and data breaches. To mitigate these risks, disable macros by default and closely monitor the events this rule identifies; confirmed malicious activity can have severe implications for system integrity.
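The matching logic described in the summary, as an added Python example that is not the Splunk Security Content search itself. The event XML, host name and paths are constructed samples, and the two name sets contain only the process and DLL names mentioned above.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: only the names the summary mentions; extend both sets as needed.
OFFICE_IMAGES = {"winword.exe", "excel.exe"}
MACRO_DLLS = {"vbe7.dll"}

def _event(image, loaded, event_id=7):
    """Build a constructed Sysmon event in Windows event XML form."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID>"
        "<Computer>WKSTN-01</Computer></System><EventData>"
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="ImageLoaded">{loaded}</Data>'
        "</EventData></Event>"
    )

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
VBA = r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _event(OFFICE + r"\WINWORD.EXE", VBA + r"\VBE7.DLL"),         # hit
    _event(OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\kernel32.dll"),
    _event(r"C:\Tools\notepad.exe", r"C:\Temp\VBE7.DLL"),         # not Office
    _event(OFFICE + r"\excel.exe", VBA + r"\vbe7.dll"),           # hit, lower case
    _event(OFFICE + r"\WINWORD.EXE", r"C:\Temp\NOTVBE7.DLL"),     # substring only
    _event(OFFICE + r"\WINWORD.EXE", VBA + r"\VBE7.DLL", event_id=1),  # wrong ID
]

def detect(xml_events):
    """Return (computer, process, dll) for Office processes loading a VBA DLL."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue  # only image-load events are relevant
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # Compare exact file names, case-insensitively, not substrings.
        proc = ntpath.basename(data.get("Image", "")).lower()
        dll = ntpath.basename(data.get("ImageLoaded", "")).lower()
        if proc in OFFICE_IMAGES and dll in MACRO_DLLS:
            host = root.findtext("e:System/e:Computer", namespaces=NS)
            hits.append((host, proc, dll))
    return hits
```

Matching on the exact base name rather than a substring keeps look-alike file names and non-Office loaders out of the results.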
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-20