
Summary
This detection rule identifies when Microsoft Excel loads an Add-In file (.xll) from an uncommon or suspicious location on the system. Specifically, it matches image-load events in which the Excel process (image path ending in 'excel.exe') loads an Add-In file from a directory that is not normally used for Add-In storage: Desktop, Downloads, Performance Logs, Temp, Public Users, or Windows Tasks. By monitoring these non-standard directories, the rule aims to flag unauthorized Add-Ins that could be used to execute harmful scripts or load malware.
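The following is an added worked example of the rule's logic, not the rule's own query or code from the rule's authors. It runs the two conditions described above (loading process is excel.exe, loaded module is an .xll under one of the listed directories) over a handful of constructed image-load events. The field names Image and ImageLoaded follow the Sysmon image-load event layout; the mapping of "Performance Logs" to the PerfLogs folder name and the exact path fragments used for the other directories are assumptions made for this example.

```python
"""Toy re-implementation of the 'Excel loads .xll from uncommon location' rule.

Events are plain dicts using Sysmon-style field names (Image = the process,
ImageLoaded = the module it loaded). All sample data below is constructed.
"""

# Path fragments treated as uncommon locations for an Excel Add-In.
# The fragments are assumptions derived from the rule summary: Desktop,
# Downloads, Performance Logs (PerfLogs), Temp, Public Users, Windows Tasks.
SUSPICIOUS_DIRS = (
    "\\desktop\\",
    "\\downloads\\",
    "\\perflogs\\",
    "\\temp\\",
    "\\users\\public\\",
    "\\windows\\tasks\\",
)


def is_suspicious_xll_load(event: dict) -> bool:
    """Return True when excel.exe loads an .xll from one of SUSPICIOUS_DIRS.

    Matching is case-insensitive because Windows paths are.
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("\\excel.exe"):
        return False          # loading process is not Excel
    if not loaded.endswith(".xll"):
        return False          # not an Add-In file
    return any(fragment in loaded for fragment in SUSPICIOUS_DIRS)


def scan(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_suspicious_xll_load(e)]


# Constructed sample image-load events (Sysmon Event ID 7 shape).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    # Add-In loaded from the user's Downloads folder -> should alert
    {"EventID": 7, "Image": EXCEL,
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice_tools.xll"},
    # Built-in Analysis ToolPak location under Office -> benign, no alert
    {"EventID": 7, "Image": EXCEL,
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    # .xll on the Desktop but loaded by a different process -> no alert
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\alice\Desktop\helper.xll"},
    # Add-In loaded from the per-user Temp directory -> should alert
    {"EventID": 7, "Image": EXCEL,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\addin.xll"},
    # Excel loading a regular DLL from Public, not an .xll -> no alert
    {"EventID": 7, "Image": EXCEL,
     "ImageLoaded": r"C:\Users\Public\shared.dll"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Two of the five constructed events match. The substring approach is deliberately coarse: it also fires on an Add-In a user intentionally installed into Downloads, so in practice the alert is usually tuned with an allowlist of known Add-In hashes or paths rather than by narrowing the directory list.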
Categories
- Windows
- Endpoint
Data Sources
- Image
Created: 2023-05-12