Windows Office Product Spawning MSDT

Splunk Security Content

Summary
This rule identifies instances where a Microsoft Office application (such as Word, Excel, or PowerPoint) spawns the "msdt.exe" process, indicating a possible abuse of protocol handlers that could circumvent security mechanisms in place. It primarily uses data collected from Endpoint Detection and Response (EDR) solutions to monitor process creation events. The monitoring focuses on cases where the parent Office process is linked to the execution of "msdt.exe", which could lead to malicious activities such as remote code execution or data theft. Given the sophisticated nature of such attacks, detecting the spawning of "msdt.exe" from these Office applications is critical for preventing potential security breaches.
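The detection condition described above, applied offline to constructed EDR-style process-creation records, as an added example that is not the rule's own Splunk search. The field names (parent_process_name, process_name, host) and the exact list of Office parent executables are assumptions; the page itself names only Word, Excel and PowerPoint.

```python
# Added example: apply the "Office parent spawns msdt.exe" condition to
# process-creation events. Field names and the Office list are assumptions.
import re
from typing import Iterable

# Office executables treated as suspicious parents of msdt.exe (assumed list;
# the page names Word, Excel and PowerPoint).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILD = "msdt.exe"


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path, quotes stripped."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def is_office_spawning_msdt(event: dict) -> bool:
    """True when the parent is an Office process and the child is msdt.exe."""
    parent = _basename(event.get("parent_process_name", ""))
    child = _basename(event.get("process_name", ""))
    return parent in OFFICE_PARENTS and child == SUSPICIOUS_CHILD


def find_hits(events: Iterable[dict]) -> list:
    """Return the events that satisfy the detection condition."""
    return [e for e in events if is_office_spawning_msdt(e)]


# Constructed sample events (not real telemetry). Only ws01 and ws04 match:
# ws02 has a non-Office parent, ws03 has a non-msdt child.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent_process_name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "process_name": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws02",
     "parent_process_name": r"C:\Windows\explorer.exe",
     "process_name": r"C:\Windows\System32\msdt.exe"},
    {"host": "ws03",
     "parent_process_name": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "process_name": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws04",
     "parent_process_name": "powerpnt.exe",
     "process_name": '"MSDT.EXE"'},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT host={hit['host']} "
              f"parent={_basename(hit['parent_process_name'])} "
              f"child={_basename(hit['process_name'])}")
```

Matching on the file name rather than the full path keeps the check stable across Office install locations and case differences in the recorded image name.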
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-24