
Summary
The rule addresses CVE-2022-30190, also known as Follina, a critical remote code execution vulnerability. It arises when the Microsoft Support Diagnostic Tool (MSDT) is invoked through its URL protocol by an application such as Microsoft Word. When exploited, an attacker can execute arbitrary code on the system with the same privileges as the calling application, which could allow programs to be installed, files to be manipulated, or accounts to be created with the user's permissions. The detection logic is written for Splunk and screens for the relevant event codes and process names: process creation by MSDT observed within the context of Microsoft Office applications. Tracking these MSDT process creations under Office parents identifies potential malicious executions tied to this vulnerability. Threat actors observed using this exploit include APT28 and GoldenJackal, as well as the CrescentImp and Qakbot malware families.
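The same parent/child pairing the rule screens for, shown as an added Python example rather than the rule's own Splunk search; the field names (EventCode, ParentImage, Image, CommandLine), the event codes treated as process creation (Sysmon 1, Security 4688) and the Office process list are assumptions, and the log records are constructed.

```python
import re

# Assumed field names and event codes (Sysmon EventCode 1 and Windows
# Security 4688 both record process creation); not the rule's own fields.
PROCESS_CREATE_CODES = {"1", "4688"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe", "mspub.exe"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample records, not captured from a real host.
SAMPLE_EVENTS = [
    'EventCode="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\msdt.exe" CommandLine="msdt.exe ms-msdt:/id PCWDiagnostic"',
    'EventCode="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'Image="C:\\Windows\\System32\\msdt.exe" CommandLine="msdt.exe -path C:\\tmp\\x.diagcab"',
    # Benign: the user launched a troubleshooter from Explorer, not from Office.
    'EventCode="1" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\msdt.exe" CommandLine="msdt.exe"',
    # Benign: Office spawned the print helper, not MSDT.
    'EventCode="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" CommandLine="splwow64.exe"',
    # Not a process-creation event, so it must be ignored even with a matching pair.
    'EventCode="3" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\msdt.exe" CommandLine="msdt.exe"',
]


def parse_event(line: str) -> dict:
    """Parse one key="value" record into a dict of fields."""
    return dict(KV_RE.findall(line))


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_msdt_spawn(event: dict) -> bool:
    """True when a process-creation event shows an Office app spawning msdt.exe."""
    if event.get("EventCode") not in PROCESS_CREATE_CODES:
        return False
    return (basename(event.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(event.get("Image", "")) == "msdt.exe")


def detect(lines) -> list:
    """Run the check over raw records and return the matching pairs for triage."""
    hits = []
    for ev in map(parse_event, lines):
        if is_office_msdt_spawn(ev):
            hits.append({"parent": basename(ev["ParentImage"]),
                         "child": basename(ev["Image"]),
                         "cmd": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only the first two records match; the Explorer-launched MSDT, the Office print helper and the non-creation event are filtered out, which is the same split the rule's event-code and process-name screening is meant to produce.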
Categories
- Endpoint
- Windows
- Application
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1204.002
Created: 2024-02-09