Office Application Spawn rundll32 process

Splunk Security Content

Summary
This detection rule identifies instances where a Microsoft Office application (Word, Excel, PowerPoint or Access) spawns the rundll32 process, which can indicate that a macro or other malicious code has executed. The technique is frequently used by malware such as Trickbot to advance an infection by running code without the user's knowledge. The detection relies on process-creation telemetry from Endpoint Detection and Response (EDR) agents and matches events whose parent process is one of the listed Office applications and whose child process is rundll32. An Office application spawning rundll32 is significant because it may indicate attempted code execution, further system intrusion, or data exfiltration. Because of its narrow scope, this rule has been deprecated in favour of a broader rule covering the various processes spawned by Office products, which gives more comprehensive coverage.
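The following is an added example of the parent/child matching logic the summary describes, written in Python so it can be replayed offline against a handful of constructed process-creation events; it is not Splunk's own detection, and the Sysmon-style `ParentImage`, `Image`, `CommandLine`, `User` and `Computer` field names and the sample lines are assumptions made for the illustration. It deliberately compares only the file name of each image, case-insensitively, so an Office parent launched from a non-standard install path or a `SysWOW64` copy of rundll32 still matches.

```python
"""Replay constructed Windows process-creation events and flag Office
applications that spawn rundll32 (added example, not Splunk's own code)."""
import re
from typing import Dict, List

# Office parents the rule watches for, compared case-insensitively on the image name.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe"}
SUSPICIOUS_CHILD = "rundll32.exe"

# Parses key="value" pairs from one event line (Sysmon-style layout assumed).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample events; these are not real telemetry and exist only so
# the example runs offline. Events 1 and 3 should be flagged, 2 and 4 should not.
SAMPLE_EVENTS = [
    r'EventCode="1" Computer="WS01" User="CORP\alice" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe C:\Users\alice\AppData\Local\Temp\report.dll,DllRegisterServer"',
    r'EventCode="1" Computer="WS01" User="CORP\alice" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    r'EventCode="1" Computer="WS02" User="CORP\bob" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\SysWOW64\RUNDLL32.EXE" CommandLine="RUNDLL32.EXE C:\ProgramData\update.dll,Start"',
    r'EventCode="1" Computer="WS02" User="CORP\bob" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\splwow64.exe" CommandLine="splwow64.exe"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" event line into a dict of field -> value."""
    return {key: value for key, value in KV_RE.findall(line)}


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_office_spawning_rundll32(event: Dict[str, str]) -> bool:
    """True when the parent is a watched Office binary and the child is rundll32."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child == SUSPICIOUS_CHILD


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw event lines and return the fields an analyst
    would want in an alert: host, user, parent, child and the command line."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_office_spawning_rundll32(event):
            hits.append({
                "host": event.get("Computer", ""),
                "user": event.get("User", ""),
                "parent": image_name(event["ParentImage"]),
                "child": image_name(event["Image"]),
                "command_line": event.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]}: {hit["parent"]} -> {hit["child"]} | {hit["command_line"]}')
```

Running the block prints the two flagged events and ignores the `explorer.exe` parent and the `splwow64.exe` child. Matching on image names alone is the same narrowness that led to the rule's deprecation: a process launched from Office under a different child name is not covered, which is why the broader "processes spawned by Office products" rule replaces this one, and why the command line is carried into the alert so an analyst can triage which DLL and export was invoked.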
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-13