Persistence via Microsoft Outlook VBA

Elastic Detection Rules

Summary
This detection rule identifies attempts to establish persistence on Windows endpoints by installing a rogue Microsoft Outlook VBA template. Attackers can abuse the VBA (Visual Basic for Applications) functionality in Outlook to plant macros that run automatically each time Outlook starts, giving them a foothold that survives reboots. The rule monitors file activity targeting VbaProject.OTM, the file in which Outlook stores its VBA project and a common target for this technique. To limit noise it applies specific conditions: events must come from a Windows host and must not be deletion events, so only creation or modification of the file is flagged. The rule is written in EQL (Event Query Language) and supports multiple data sources, including file event logs, Sysmon operational logs, and Microsoft Defender for Endpoint. Its risk score of 47 corresponds to a medium severity, indicating a medium level of urgency for response upon detection. The documentation also provides detailed guidance on triage, false-positive assessment (for example, users who legitimately author their own Outlook macros), and response and containment, to help security teams manage potential threats and reduce unnecessary alerts.
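The following is an added example, not Elastic's rule code: a small Python re-implementation of the conditions the summary lists (file event, Windows host, not a deletion, path is VbaProject.OTM), run over constructed ECS-style events. The per-user path pattern is an assumption based on where Outlook normally keeps its VBA project (%APPDATA%\Microsoft\Outlook\VbaProject.OTM); the page itself names only the file. The triage heuristic and the severity bands are likewise additions for illustration.

```python
"""Toy re-implementation of the Outlook VBA persistence rule over sample events.

Added example, not the rule's own EQL. Matches the conditions in the summary:
file category, Windows host, event.type is not "deletion", and the path is the
per-user VbaProject.OTM (location assumed, see OTM_PATH_GLOB).
"""
import fnmatch

# Assumed location: the page names only the file, this is the standard
# per-user path where Outlook stores its VBA project. Lower-cased because the
# matcher below compares case-insensitively, as EQL's ':' operator does.
OTM_PATH_GLOB = r"c:\users\*\appdata\roaming\microsoft\outlook\vbaproject.otm"


def _as_list(value):
    """ECS fields such as event.category and event.type may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's conditions described in the summary."""
    ev = event.get("event", {})
    if "file" not in _as_list(ev.get("category")):
        return False
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    if "deletion" in _as_list(ev.get("type")):  # deletions are explicitly excluded
        return False
    path = event.get("file", {}).get("path", "")
    # fnmatchcase on lower-cased strings gives case-insensitive, wildcard-aware
    # matching regardless of the OS the script runs on.
    return fnmatch.fnmatchcase(path.lower(), OTM_PATH_GLOB)


def severity_for(risk_score: int) -> str:
    """Elastic's default risk-score bands: low 1-21, medium 22-47, high 48-73, critical 74-100."""
    if risk_score >= 74:
        return "critical"
    if risk_score >= 48:
        return "high"
    if risk_score >= 22:
        return "medium"
    return "low"


def triage(event: dict) -> str:
    """Added triage heuristic, not part of the rule: a write by outlook.exe is
    consistent with a user editing macros in the VBA editor (a common false
    positive); any other writer of VbaProject.OTM is worth escalating."""
    proc = (event.get("process", {}).get("name") or "").lower()
    if proc == "outlook.exe":
        return "review: written by Outlook itself, check whether the user authors macros"
    return f"escalate: VbaProject.OTM written by {proc or 'unknown process'}"


def run_rule(events):
    """Return (index, triage note) for every event the rule would alert on."""
    return [(i, triage(e)) for i, e in enumerate(events) if matches_rule(e)]


def _evt(category, etype, os_type, path, proc):
    """Build a minimal ECS-shaped event (constructed sample data)."""
    return {
        "event": {"category": [category], "type": [etype]},
        "host": {"os": {"type": os_type}},
        "file": {"path": path},
        "process": {"name": proc},
    }


OTM = r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"

# Constructed sample events: two should alert, three should not.
SAMPLE_EVENTS = [
    _evt("file", "creation", "windows", OTM, "outlook.exe"),      # user macro or attacker via Outlook
    _evt("file", "change", "windows", OTM, "powershell.exe"),     # scripted write, suspicious
    _evt("file", "deletion", "windows", OTM, "outlook.exe"),      # deletion: excluded by the rule
    _evt("file", "creation", "linux", "/home/alice/VbaProject.OTM", "bash"),  # wrong OS
    _evt("file", "creation", "windows",
         r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\outlook.pst", "outlook.exe"),  # other file
]

if __name__ == "__main__":
    print("severity:", severity_for(47))
    for idx, note in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {note}")
```

Running the block prints the medium severity and alerts on events 0 and 1 only; the deletion, the Linux event and the unrelated .pst write are filtered out, mirroring the rule's "Windows, not deletion, VbaProject.OTM" conditions.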
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Windows Registry
  • Network Traffic
  • Application Log
  • User Account
ATT&CK Techniques
  • T1137
Created: 2020-11-23