Suspicious MS Outlook Child Process

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious child processes spawned by Microsoft Outlook (outlook.exe), a pattern characteristic of spear-phishing activity. The rule searches for processes initiated by the Outlook application within the last nine months, using a query that examines the parent-child process relationship in a Windows environment. Specific child process names linked to known malicious activity are monitored. The rule also outlines a triage process for investigating alerts, including analyzing the execution chain of the suspicious process and retrieving recently opened files to determine their nature. Its guidance includes recommended incident response actions, remediation strategies, and ways to handle false positives. It draws on several data sources, including Windows logs and endpoint protection telemetry from Elastic, CrowdStrike, and Microsoft, to track the suspicious behavior. Overall, it provides a practical framework for identifying and responding to threats originating from Outlook-related exploitation.
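The parent-child matching the summary describes, as an added example (this is not the Elastic rule's own query or code). The rule's actual list of monitored child processes is not reproduced on this page; the SUSPICIOUS_CHILDREN set below is an assumption, picked to match the mapped ATT&CK techniques (T1059.001/.003 command shells, T1218 signed-binary proxy execution), and the process events are constructed sample data. The execution_chain helper illustrates the triage step of walking the process ancestry of an alert.

```python
"""Added example: detect child processes of outlook.exe and reconstruct
the execution chain for triage. Not the Elastic rule itself."""
from dataclasses import dataclass
from typing import Dict, List

# ASSUMPTION: illustrative child process names only; the real rule's list
# is not shown on this page. Chosen to reflect T1059.001/.003 and T1218.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}


@dataclass
class ProcessEvent:
    """Minimal process-creation event (fields modelled on typical EDR/Sysmon data)."""
    pid: int
    ppid: int
    name: str
    command_line: str


def _index_by_pid(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {e.pid: e for e in events}


def is_outlook(event: ProcessEvent) -> bool:
    return event.name.lower() == "outlook.exe"


def find_suspicious_children(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return events whose parent is outlook.exe and whose name is monitored."""
    by_pid = _index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not is_outlook(parent):
            continue
        if e.name.lower() in SUSPICIOUS_CHILDREN:
            hits.append(e)
    return hits


def execution_chain(event: ProcessEvent, events: List[ProcessEvent]) -> List[str]:
    """Triage helper: walk the parent chain from the alerting process upward.

    Returns process names from the outermost known ancestor down to the event.
    A cycle or a missing parent ends the walk rather than looping forever.
    """
    by_pid = _index_by_pid(events)
    chain = [event]
    seen = {event.pid}
    cur = event
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        chain.append(cur)
        seen.add(cur.pid)
    return [c.name for c in reversed(chain)]


# Constructed sample events: one benign tree plus one Outlook-spawned shell.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "outlook.exe", '"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"'),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden"),  # expected hit
    ProcessEvent(301, 200, "notepad.exe", "notepad.exe attachment.txt"),       # benign child
    ProcessEvent(400, 100, "cmd.exe", "cmd.exe /c dir"),                      # parent is not Outlook
    ProcessEvent(500, 200, "winword.exe", "winword.exe /n"),                  # common, not monitored
]


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        chain = " -> ".join(execution_chain(hit, SAMPLE_EVENTS))
        print(f"ALERT pid={hit.pid} {hit.name}: {chain} | {hit.command_line}")
```

Run against SAMPLE_EVENTS this flags only the powershell.exe launched by outlook.exe and prints its chain explorer.exe -> outlook.exe -> powershell.exe; the cmd.exe under explorer.exe and the winword.exe under Outlook are not reported, which mirrors the false-positive consideration in the summary (Office applications launched from Outlook are ordinary and should not be in the monitored list).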
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Network Traffic
  • File
  • Script
ATT&CK Techniques
  • T1566
  • T1566.001
  • T1059
  • T1059.001
  • T1059.003
  • T1218
Created: 2020-02-18