Persistence via Microsoft Office AddIns

Elastic Detection Rules

Summary
This detection rule identifies attempts to establish persistence on Windows endpoints through malicious use of Microsoft Office add-ins. Code placed in specific startup directories associated with Microsoft Word or Excel is loaded every time a user opens those Office applications. The detection targets add-in file types such as .wll, .xll, .ppa, .ppam, .xla, and .xlam written to defined directories (e.g., Word's Startup folder and Excel's XLSTART folder). The rule is written in Event Query Language (EQL) and flags these potentially harmful files based on their extension and location. A risk score of 73 reflects high severity, reflecting the concern that threat actors abuse trusted applications to maintain persistence on compromised systems. The investigation guide covers analyzing the suspicious file, assessing the user activity around its creation, and remediating by isolating affected systems and removing the harmful files.
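The extension-plus-location check the rule summary describes, reimplemented here as an added Python example over constructed file events (this is not the Elastic rule's own EQL, and the exact startup-folder patterns, Word's Startup, Excel's XLSTART and the shared AddIns folder under the user's roaming profile, are this example's assumptions):

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Add-in extensions named in the rule summary.
ADDIN_EXTENSIONS = {"wll", "xll", "ppa", "ppam", "xla", "xlam"}

# Assumed Office startup locations (lower-cased glob patterns); the page only
# names the folders, so the full paths here are this example's assumption.
STARTUP_PATTERNS = [
    r"c:\users\*\appdata\roaming\microsoft\word\startup\*",
    r"c:\users\*\appdata\roaming\microsoft\excel\xlstart\*",
    r"c:\users\*\appdata\roaming\microsoft\addins\*",
]


@dataclass
class FileEvent:
    action: str  # "creation", "modification" or "deletion"
    path: str


def is_office_addin_persistence(event: FileEvent) -> bool:
    """True when a non-deletion event writes an add-in type into a startup folder."""
    if event.action == "deletion":
        return False  # removing a file cannot establish persistence
    name = ntpath.basename(event.path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ADDIN_EXTENSIONS:
        return False
    path = event.path.lower()
    return any(fnmatch.fnmatchcase(path, pat) for pat in STARTUP_PATTERNS)


def triage(events):
    """Return the paths of events that match the detection logic."""
    return [e.path for e in events if is_office_addin_persistence(e)]


# Constructed sample events: two true positives, three benign look-alikes.
SAMPLE_EVENTS = [
    FileEvent("creation", r"C:\Users\alice\AppData\Roaming\Microsoft\Word\Startup\update.wll"),
    FileEvent("modification", r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\report.xlam"),
    FileEvent("creation", r"C:\Users\alice\Documents\report.xlam"),   # right type, wrong place
    FileEvent("creation", r"C:\Users\alice\AppData\Roaming\Microsoft\Word\Startup\notes.docx"),
    FileEvent("deletion", r"C:\Users\alice\AppData\Roaming\Microsoft\Word\Startup\update.wll"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT Office add-in persistence:", hit)
```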
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • Application Log
  • Network Share
  • Windows Registry
ATT&CK Techniques
  • T1137
  • T1137.006
Created: 2020-10-16