
Summary
This detection rule identifies a suspicious file write: the Outlook process (outlook.exe) creating a DLL file under the user's AppData\Local\Microsoft\FORMS directory, the cache Outlook uses for custom forms. A malicious actor may exploit a vulnerability in Outlook's handling of forms (CVE-2024-21378) to drop a malicious DLL into this directory. The rule leverages Sysmon Event ID 11 (FileCreate), which records file creation on Windows endpoints; process creation is a separate Sysmon event (Event ID 1) and is not what this rule keys on. Outlook does not normally write DLLs into its forms cache, so any instance where outlook.exe creates a .dll file there could indicate an attempt to execute arbitrary code, leading to system compromise or data exfiltration. The search correlates process and file-system data to filter out legitimate events, improving accuracy and reducing false positives. Implementation requires the ingestion of the relevant endpoint data (Sysmon file-creation events carrying the process image and target filename) and the latest Splunk Common Information Model (CIM) app.
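The following is an added example of the detection logic described above, run over constructed Sysmon Event ID 11 records; it is not the rule's own search and does not come from the page or its authors. The message layout, the user name alice, the ProcessGuid values, the sub-folder name IPM.Note.Custom and the payload.dll file name are all constructed for illustration. Matching is case-insensitive on both the process image and the target path, because Sysmon records paths as the process supplied them.

```python
"""Flag outlook.exe creating a DLL under AppData\\Local\\Microsoft\\FORMS (Sysmon Event ID 11)."""
import re
from typing import Dict, List, Tuple

# The FORMS cache directory, matched anywhere in the target path, case-insensitive.
FORMS_DIR_RE = re.compile(r"\\AppData\\Local\\Microsoft\\FORMS\\", re.IGNORECASE)

# Sysmon Event ID 11 is FileCreate; Event ID 1 (ProcessCreate) is deliberately out of scope.
SYSMON_FILE_CREATE = 11


def parse_sysmon_message(message: str) -> Dict[str, str]:
    """Parse the 'Key: Value' body of a Sysmon event, as rendered in the Windows event log.

    The title line ('File created:') has no ': ' separator and is skipped. Splitting on
    the first ': ' keeps drive letters ('C:\\...') and timestamps ('09:15:02') intact.
    """
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_outlook_forms_dll_create(event_id: int, fields: Dict[str, str]) -> bool:
    """Return True when the record is Outlook creating a .dll inside the FORMS cache."""
    if event_id != SYSMON_FILE_CREATE:
        return False
    image = fields.get("Image", "")
    target = fields.get("TargetFilename", "")
    # Compare only the file name of the creating process, whatever its install path.
    if image.rsplit("\\", 1)[-1].lower() != "outlook.exe":
        return False
    if not FORMS_DIR_RE.search(target):
        return False
    return target.lower().endswith(".dll")


def hunt(events: List[Tuple[int, str]]) -> List[Dict[str, str]]:
    """Run the detection over (event_id, message) pairs and return the matching records."""
    hits = []
    for event_id, message in events:
        fields = parse_sysmon_message(message)
        if is_outlook_forms_dll_create(event_id, fields):
            hits.append(fields)
    return hits


def _sysmon_message(title: str, **fields: str) -> str:
    """Build a constructed Sysmon message body in the event-log 'Key: Value' layout."""
    return "\n".join([title] + [f"{k}: {v}" for k, v in fields.items()])


# Constructed sample telemetry (not real data). Only the first record should fire.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
FORMS = r"C:\Users\alice\AppData\Local\Microsoft\FORMS"
GUID = "{00000000-0000-0000-0000-000000000001}"

SAMPLE_EVENTS: List[Tuple[int, str]] = [
    # 1. Outlook drops a DLL into the forms cache: the behaviour the rule is after.
    (11, _sysmon_message("File created:", UtcTime="2024-11-13 09:15:02.113",
                         ProcessGuid=GUID, ProcessId="4120", Image=OUTLOOK,
                         TargetFilename=FORMS + r"\IPM.Note.Custom\payload.dll")),
    # 2. Outlook writes a non-DLL file in the same directory: normal cache maintenance.
    (11, _sysmon_message("File created:", UtcTime="2024-11-13 09:15:02.201",
                         ProcessGuid=GUID, ProcessId="4120", Image=OUTLOOK,
                         TargetFilename=FORMS + r"\FRMCACHE.DAT")),
    # 3. A DLL under FORMS written by another process: not what this rule covers.
    (11, _sysmon_message("File created:", UtcTime="2024-11-13 09:16:44.009",
                         ProcessGuid="{00000000-0000-0000-0000-000000000002}",
                         ProcessId="908", Image=r"C:\Windows\System32\svchost.exe",
                         TargetFilename=FORMS + r"\other.dll")),
    # 4. Outlook writes a DLL outside the FORMS directory: wrong location.
    (11, _sysmon_message("File created:", UtcTime="2024-11-13 09:17:10.550",
                         ProcessGuid=GUID, ProcessId="4120", Image=OUTLOOK,
                         TargetFilename=r"C:\Users\alice\AppData\Local\Temp\helper.dll")),
    # 5. Event ID 1 (ProcessCreate) for Outlook: the image matches but the event type does not.
    (1, _sysmon_message("Process Create:", UtcTime="2024-11-13 09:14:58.000",
                        ProcessGuid=GUID, ProcessId="4120", Image=OUTLOOK,
                        CommandLine='"' + OUTLOOK + '"')),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT {hit['UtcTime']} {hit['Image']} -> {hit['TargetFilename']}")
```

Records 2 to 5 show the three conditions a hit must satisfy together (Event ID 11, creating process outlook.exe, a .dll target under the FORMS directory); dropping any one of them produces the false positives the rule is designed to avoid.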
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1566
Created: 2024-11-13