
MS Office Macro Security Registry Modifications

Elastic Detection Rules

Summary
This rule identifies potentially malicious alterations to Microsoft Office macro security settings made through Windows Registry modifications. Specifically, it monitors changes to two critical registry values associated with Office macros: 'AccessVBOM' and 'VbaWarnings'. When adjusted, these settings can allow macros to run as trusted without any user warning, which helps adversaries maintain persistence. The associated query inspects registry changes over the past 9 months, targeting the typical registry paths where these settings are found. By detecting changes to these values, the rule aims to surface evasion tactics used by threat actors, particularly in connection with malicious file execution and exploitation through social engineering. The rule uses EQL to query a breadth of Windows event logs and can be integrated with tools such as Winlogbeat and Microsoft Defender for Endpoint, ensuring effective capture of suspicious activity surrounding Office macros. Implementing this detection rule involves a robust triage process to validate alerts, assess user actions, and initiate response mechanisms to mitigate the risks of unwanted macro execution.
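As an added illustration of the matching logic the summary describes (example code, not the Elastic rule or its EQL): a small Python filter that applies the same registry-value check to constructed Winlogbeat-style events and attaches a triage note. The per-user Office registry path pattern and the meanings of the VbaWarnings values are assumptions drawn from standard Office behaviour, since the page names only the two value names.

```python
import fnmatch

# Registry values the rule watches. The page names the values but not the
# paths; these follow the standard per-user Office location (assumption),
# written as lower-cased globs over the ECS registry.path field.
WATCHED_PATHS = (
    "hku\\s-1-5-21-*\\software\\microsoft\\office\\*\\security\\accessvbom",
    "hku\\s-1-5-21-*\\software\\microsoft\\office\\*\\security\\vbawarnings",
)

# Documented VbaWarnings settings; 1 is the dangerous one (macros run silently).
VBA_WARNINGS = {"1": "enable all macros, no warning",
                "2": "disable with notification (default)",
                "3": "disable all except digitally signed",
                "4": "disable all without notification"}

def is_macro_security_change(event):
    """Core rule logic: a registry change to one of the watched values."""
    if event.get("event.category") != "registry" or event.get("event.type") != "change":
        return False
    path = event.get("registry.path", "").lower()
    return any(fnmatch.fnmatchcase(path, pat) for pat in WATCHED_PATHS)

def describe(event):
    """Triage note: what the new value actually means for macro execution."""
    name = event["registry.path"].rsplit("\\", 1)[-1].lower()
    data = str(event.get("registry.data.strings", ""))
    if name == "accessvbom":
        state = "granted" if data == "1" else "not granted"
        return "trust access to the VBA project object model " + state
    return "VbaWarnings=%s: %s" % (data, VBA_WARNINGS.get(data, "unknown value"))

def find_alerts(events):
    """Apply the rule to an event list; keep the acting process and a note."""
    return [{"process": e.get("process.name"), "path": e["registry.path"],
             "note": describe(e)} for e in events if is_macro_security_change(e)]

def make_event(process, path, data):
    """Build a constructed registry event in Winlogbeat/ECS field naming."""
    return {"event.category": "registry", "event.type": "change",
            "process.name": process, "registry.path": path,
            "registry.data.strings": data}

USER = "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Office\\16.0\\"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    make_event("powershell.exe", USER + "Word\\Security\\VbaWarnings", "1"),
    make_event("excel.exe", USER + "Excel\\Security\\AccessVBOM", "1"),
    make_event("winword.exe", USER + "Word\\Options\\Zoom", "100"),  # benign
]
```

Calling `find_alerts(SAMPLE_EVENTS)` returns the two Security-key changes with their notes and ignores the unrelated Zoom write.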
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
  • T1204
  • T1204.002
Created: 2022-01-12