
Summary
This detection rule identifies the execution of malicious OneNote documents that contain embedded scripts. It focuses on the behavior triggered when a user opens a OneNote attachment carrying harmful content: when the user clicks a malicious link inside a '.one' file, the embedded script is exported to disk and executed through a scripting host such as cmd.exe, powershell.exe or wscript.exe. The rule monitors process creation events in which the parent image is `onenote.exe` and the child process is a script host whose command line matches patterns that indicate exploitation, in particular paths under the directories OneNote uses for its export functionality. The rule is relevant given the rise of OneNote documents in phishing and malicious-document attacks, and is intended to raise vigilance against such attacks in Windows environments.
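As an added illustration of the rule logic summarised above (not the rule's own implementation), the following Python applies the three conditions, parent `onenote.exe`, script-host child, export directory in the command line, to constructed process-creation events. The script-host names come from the summary; the export-directory pattern and every sample path are assumptions to be tuned to your telemetry.

```python
import re
from dataclasses import dataclass

# Scripting hosts the rule summary names as common execution paths.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
# ASSUMPTION: the page gives no exact path; match "...\OneNote\...\Exported\...".
EXPORT_DIR_RE = re.compile(r"\\onenote\\.*?\\exported\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev):
    """Rule logic: onenote.exe -> script host, command line under the export dir."""
    if basename(ev.parent_image) != "onenote.exe":
        return False
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return EXPORT_DIR_RE.search(ev.command_line) is not None


def detect(events):
    """Return the subset of events that should raise an alert."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (not real incident data).
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EXPORTED = r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{A1B2}\NT\0"
SAMPLE_EVENTS = [
    # OneNote launching wscript on an exported .wsf: should alert.
    ProcessEvent(ONENOTE, r"C:\Windows\System32\wscript.exe", f'"wscript.exe" "{EXPORTED}\\invoice.wsf"'),
    # OneNote spawning cmd with no export path: benign, no alert.
    ProcessEvent(ONENOTE, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # Export path present but parent is explorer.exe: outside the rule's scope.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", f"cmd.exe /c {EXPORTED}\\run.cmd"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line)
```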
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-02-02