
Summary
This detection rule identifies instances where a PowerShell engine DLL, System.Management.Automation.dll or its precompiled native image System.Management.Automation.ni.dll, is loaded into a Microsoft Office process: Excel, Word, Outlook, PowerPoint, Publisher, or OneNote. Office applications do not normally host the PowerShell engine, so this combination can indicate an attack: a malicious document or add-in can run PowerShell code in-process through this assembly without ever spawning powershell.exe, which sidesteps detections that key on process creation or command-line arguments, while the trusted Office process lends the activity cover. The rule operates on image-load telemetry (for example Sysmon Event ID 7) and alerts when the loading process is one of the listed Office executables and the loaded module is one of the two PowerShell DLLs. Legitimate Office add-ins or management tooling that embed the PowerShell engine would also trigger it, so any such software in the environment should be verified and excluded before the rule is used for alerting. The rule is recommended for organizations running Microsoft Office that want coverage for command execution that abuses these common applications.
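The matching logic described above, applied to a handful of constructed Sysmon-style image-load records, as an added example that is not the rule's own implementation. It assumes Sysmon Event ID 7 field names (`Image` for the loading process, `ImageLoaded` for the mapped module); the sample paths and process IDs are made up for illustration, and the GAC and NativeImages directory names are only plausible locations, not captured telemetry.

```python
# Added example: rule logic for "Office process loads the PowerShell engine DLL"
# run over constructed Sysmon-style Event ID 7 records. Not the page's own code.
from dataclasses import dataclass
from typing import Iterable, List

# Office hosts named in the rule summary, compared case-insensitively against
# the basename of the loading process.
OFFICE_IMAGES = {
    "excel.exe", "winword.exe", "outlook.exe",
    "powerpnt.exe", "mspub.exe", "onenote.exe",
}

# PowerShell engine assembly and its NGEN native image. The leading backslash
# means a lookalike such as "\NotSystem.Management.Automation.dll" is not matched.
POWERSHELL_DLLS = (
    "\\system.management.automation.dll",
    "\\system.management.automation.ni.dll",
)


@dataclass(frozen=True)
class ImageLoadEvent:
    event_id: int       # Sysmon Event ID; 7 = Image loaded
    image: str          # loading process executable (Sysmon "Image")
    image_loaded: str   # module that was mapped (Sysmon "ImageLoaded")
    process_id: int     # Sysmon "ProcessId"


def _normalize(path: str) -> str:
    """Lower-case and use backslashes so suffix checks are separator-agnostic."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[-1]


def is_office_powershell_load(ev: ImageLoadEvent) -> bool:
    """True when an Office process maps the PowerShell engine DLL."""
    if ev.event_id != 7:                      # only image-load records apply
        return False
    if _basename(ev.image) not in OFFICE_IMAGES:
        return False
    return _normalize(ev.image_loaded).endswith(POWERSHELL_DLLS)


def detect(events: Iterable[ImageLoadEvent]) -> List[ImageLoadEvent]:
    """Return every record that should raise an alert."""
    return [ev for ev in events if is_office_powershell_load(ev)]


def describe(ev: ImageLoadEvent) -> str:
    return (f"PID {ev.process_id} {_basename(ev.image)} loaded "
            f"{_basename(ev.image_loaded)}")


# Constructed sample records (not real telemetry). Paths are assumptions.
SAMPLE_EVENTS = [
    # Word maps the native image of the engine: should alert.
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#"
                   r"\0123456789abcdef\System.Management.Automation.ni.dll", 4120),
    # Excel maps the IL assembly from the GAC, mixed case: should alert.
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\excel.exe",
                   r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                   r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll", 5210),
    # powershell.exe loading its own engine is expected: no alert.
    ImageLoadEvent(7, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                   r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll", 6001),
    # Outlook loading an Office library: no alert.
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                   r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL", 7330),
    # Same DLL name but a different event type (e.g. ProcessAccess): no alert.
    ImageLoadEvent(10, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                   r"C:\Temp\System.Management.Automation.dll", 8004),
    # Lookalike filename that merely ends in the DLL name: no alert.
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
                   r"C:\Temp\NotSystem.Management.Automation.dll", 9117),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", describe(hit))
```

Running the block prints two alerts, for the Word and Excel records; the remaining four records are ignored by the event-type check, the process allowlist, or the anchored suffix match.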
Categories
- Windows
- Endpoint
Data Sources
- Image
Created: 2023-06-01