Suspicious Execution via Microsoft Office Add-Ins

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious execution patterns in Microsoft Office applications when they are used to launch Office Add-Ins from suspicious paths or with unusual parent processes. The rule targets Windows environments and looks for processes such as WINWORD.EXE and EXCEL.EXE executing commands that reference add-ins located in directories commonly used for temporary or downloaded files. By focusing on the behavior of the Office applications themselves, the rule aims to flag phishing attempts that deliver malicious add-ins attached to phishing emails in order to gain initial access to, or persistence on, a compromised system. To minimize false positives it accounts for known benign activity, excluding Logitech software installations, legitimate VSTO installations, and related processes.
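The following is an added illustrative re-implementation of the logic the summary describes, run over a few constructed process events; it is not the rule's own query, and the field names, add-in extensions, suspicious directories, unusual parent names and exclusion patterns are all assumptions made for the example.

```python
"""Illustrative detection of Office apps loading add-ins from suspicious
locations. Assumed ECS-style field names and patterns; not the Elastic rule."""
import re
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Assumed add-in file types an Office process may be told to load on start.
ADDIN_EXT = re.compile(r"\.(vsto|xll|xlam|wll|dotm|ppam)\b", re.I)
# Assumed directories used for temporary or downloaded files.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|Downloads|INetCache)\\", re.I)
# Assumed parents that are unusual for an interactive Office launch.
UNUSUAL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# Assumed benign exclusions mirroring the summary: Logitech software and
# the legitimate VSTO installer.
BENIGN_CMD = re.compile(r"logitech", re.I)
BENIGN_PARENTS = {"vstoinstaller.exe", "logioptionsplus_installer.exe"}


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when an Office process loads an add-in from a suspicious path
    or is started by an unusual parent, unless a known-benign case matches."""
    name = event.get("process.name", "").lower()
    cmd = event.get("process.command_line", "")
    parent = event.get("process.parent.name", "").lower()
    if name not in OFFICE_APPS or not ADDIN_EXT.search(cmd):
        return False
    if BENIGN_CMD.search(cmd) or parent in BENIGN_PARENTS:
        return False  # documented false-positive sources
    return bool(SUSPICIOUS_DIRS.search(cmd)) or parent in UNUSUAL_PARENTS


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events that the heuristic flags."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process.name": "WINWORD.EXE", "process.parent.name": "OUTLOOK.EXE",
     "process.command_line": r'"C:\Office16\WINWORD.EXE" /l "C:\Users\a\AppData\Local\Temp\invoice.wll"'},
    {"process.name": "EXCEL.EXE", "process.parent.name": "explorer.exe",
     "process.command_line": r'"C:\Office16\EXCEL.EXE" "C:\Users\a\Documents\report.xlsx"'},
    {"process.name": "EXCEL.EXE", "process.parent.name": "VSTOInstaller.exe",
     "process.command_line": r'"C:\Office16\EXCEL.EXE" /l "C:\Users\a\Downloads\corp.vsto"'},
    {"process.name": "EXCEL.EXE", "process.parent.name": "cmd.exe",
     "process.command_line": r'"C:\Office16\EXCEL.EXE" "C:\Users\a\Documents\macro.xlam"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["process.name"], hit["process.command_line"])
```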
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Malware Repository
ATT&CK Techniques
  • T1566
  • T1566.001
  • T1137
  • T1137.006
Created: 2023-03-20