Windows Spearphishing Attachment Onenote Spawn Mshta

Splunk Security Content

Summary
This detection rule identifies `mshta.exe` being spawned by Microsoft OneNote, a spearphishing-attachment technique (T1566.001) in which a malicious OneNote document carries an embedded HTA or script that the victim is lured into opening. Threat groups and malware families such as TA551 and AsyncRAT have used this behavior to execute script content embedded in OneNote files. The rule uses process-creation telemetry from Endpoint Detection and Response (EDR) sensors and matches events where OneNote is the parent process and `mshta.exe` is the child process. Because OneNote has little legitimate reason to launch `mshta.exe`, a match is a strong indicator of initial access that may be followed by further malware deployment, unauthorized access, or data exfiltration. When the rule fires, analysts should review the `mshta.exe` command line and the OneNote file that spawned it, then contain the host promptly.
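The parent/child check described above, run over constructed Sysmon-style process-creation records. This is an added example and is not the Splunk rule's own SPL or any code from the Splunk Security Content project; the field names (`ParentImage`, `Image`, `OriginalFileName`, `CommandLine`), the sample events, and the inclusion of `onenotem.exe` (the OneNote quick-launch helper) as a second parent name are assumptions made for the illustration. It matches on `OriginalFileName` as well as the image name so that a renamed copy of `mshta.exe` is still caught.

```python
import ntpath

# Constructed Sysmon-style process-creation (Event ID 1) records, not real telemetry.
SAMPLE_EVENTS = [
    {   # OneNote launches the real mshta.exe on an embedded .hta (should fire)
        "host": "ws01", "user": "CORP\\alice",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "Image": r"C:\Windows\System32\mshta.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r'mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta',
    },
    {   # OneNote launches a renamed copy of mshta.exe (should fire via version info)
        "host": "ws01", "user": "CORP\\alice",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r'update.exe javascript:close(new ActiveXObject("WScript.Shell").Run("calc"))',
    },
    {   # mshta.exe launched from Explorer, OneNote not involved (should not fire)
        "host": "ws02", "user": "CORP\\bob",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r'mshta.exe C:\Tools\dashboard.hta',
    },
    {   # OneNote opens a hyperlink through Explorer (should not fire)
        "host": "ws03", "user": "CORP\\carol",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "Image": r"C:\Windows\explorer.exe",
        "OriginalFileName": "EXPLORER.EXE",
        "CommandLine": r'explorer.exe https://intranet.example/page',
    },
]

# Assumption: onenote.exe is the desktop client, onenotem.exe its quick-launch helper.
ONENOTE_PARENTS = {"onenote.exe", "onenotem.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def match_onenote_mshta(event):
    """Return the field the match was made on ('Image' or 'OriginalFileName'), or None."""
    if image_name(event.get("ParentImage", "")) not in ONENOTE_PARENTS:
        return None
    if image_name(event.get("Image", "")) == "mshta.exe":
        return "Image"
    # A renamed mshta.exe keeps its PE version resource, so OriginalFileName still reads MSHTA.EXE.
    if event.get("OriginalFileName", "").upper() == "MSHTA.EXE":
        return "OriginalFileName"
    return None


def detect(events):
    """Apply the rule to a list of process-creation events and return the triage-ready hits."""
    hits = []
    for ev in events:
        matched = match_onenote_mshta(ev)
        if matched:
            hits.append({
                "host": ev["host"],
                "user": ev["user"],
                "parent": image_name(ev["ParentImage"]),
                "child": image_name(ev["Image"]),
                "matched_on": matched,
                "command_line": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['parent']} -> {hit['child']} "
              f"(matched on {hit['matched_on']}): {hit['command_line']}")
```

Running the block reports the two `ws01` events and nothing else. The command line carried in each hit is the first thing to pull during triage: the path of the `.hta` (or the inline `javascript:` payload) identifies the OneNote attachment that was opened and what it tried to execute.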
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1566.001
  • T1566
Created: 2024-12-10