
Summary
This analytic detects the execution of uncommon Microsoft Project executables as child processes of Excel (example names: WINPROJ.EXE, FOXPROW.exe, SCHDPLUS.exe). Normally Excel spawns Office-related internal processes; launching standalone Project components from within Excel is atypical and can be used by adversaries to blend malicious activity into trusted software, bypass application controls, or establish persistence.

The rule flags a parent-child relationship where parent_process_name is EXCEL.EXE and the child process_name matches one of the listed executables, using telemetry from Sysmon (Event ID 1), Windows Security (Event ID 4688), and CrowdStrike ProcessRollup2. The Splunk search aggregates the relevant fields (dest, user, parent and child file names, command lines, process IDs) to surface triage context for investigation.

Responders should examine the ActivateMicrosoftApp() invocation context, follow-on network or file activity, and any unusual command lines or parent/child process ancestry. Some environments may legitimately trigger this kind of Office-related spawning, but such occurrences should still be scrutinized to determine intent and rule out compromise. The potential risk includes abuse for initial access, execution, or subtle persistence within Office workflows, aligning with lateral movement and execution techniques that leverage trusted applications.
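The parent/child match the analytic describes, run over constructed sample records from the three telemetry sources, as an added example (this is not the analytic's own Splunk search). The Sysmon and Security 4688 field names are the standard ones for those events; the CrowdStrike ProcessRollup2 field names used here are assumptions, as are the host names, users and process IDs in the samples.

```python
import ntpath
from dataclasses import dataclass

# Child executables named by the analytic (WINPROJ.EXE, FOXPROW.exe, SCHDPLUS.exe), matched case-insensitively.
UNCOMMON_CHILDREN = {"winproj.exe", "foxprow.exe", "schdplus.exe"}
PARENT_OF_INTEREST = "excel.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Normalized process-creation record carrying the triage fields the search surfaces."""
    source: str
    dest: str
    user: str
    parent_process_name: str
    parent_process: str        # parent command line ("" where the source does not log it)
    parent_process_id: int
    process_name: str
    process: str               # child command line
    process_id: int


def _base(path: str) -> str:
    """File name only, lower-cased, so full image paths and case variants compare equal."""
    return ntpath.basename(path).lower()


def from_sysmon(e: dict) -> ProcessEvent:
    """Sysmon Event ID 1: Image/ParentImage are full paths, PIDs are decimal."""
    return ProcessEvent("sysmon:1", e["Computer"], e["User"],
                        _base(e["ParentImage"]), e["ParentCommandLine"], int(e["ParentProcessId"]),
                        _base(e["Image"]), e["CommandLine"], int(e["ProcessId"]))


def from_security_4688(e: dict) -> ProcessEvent:
    """Windows Security 4688: PIDs are hex strings, and the parent command line is not logged."""
    return ProcessEvent("security:4688", e["Computer"], e["SubjectUserName"],
                        _base(e["ParentProcessName"]), "", int(e["ProcessId"], 16),
                        _base(e["NewProcessName"]), e["CommandLine"], int(e["NewProcessId"], 16))


def from_crowdstrike(e: dict) -> ProcessEvent:
    """CrowdStrike ProcessRollup2. Field names here are assumed for the example, not taken from the page."""
    return ProcessEvent("crowdstrike:ProcessRollup2", e["ComputerName"], e["UserName"],
                        _base(e["ParentBaseFileName"]), "", int(e["ParentProcessId"]),
                        _base(e["ImageFileName"]), e["CommandLine"], int(e["TargetProcessId"]))


def is_uncommon_excel_child(ev: ProcessEvent) -> bool:
    """The analytic's condition: parent is EXCEL.EXE and the child is one of the listed executables."""
    return ev.parent_process_name == PARENT_OF_INTEREST and ev.process_name in UNCOMMON_CHILDREN


def detect(events) -> list:
    return [ev for ev in events if is_uncommon_excel_child(ev)]


def sample_events() -> list:
    """Constructed sample telemetry (not real data): two true hits, one benign Excel child,
    one WINPROJ launch with a different parent, and one hit with mixed-case names."""
    return [
        from_sysmon({"Computer": "ws01.example.local", "User": "EXAMPLE\\alice",
                     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                     "ParentCommandLine": r'"C:\...\EXCEL.EXE" /dde', "ParentProcessId": "4120",
                     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINPROJ.EXE",
                     "CommandLine": "WINPROJ.EXE", "ProcessId": "5208"}),
        from_security_4688({"Computer": "ws02.example.local", "SubjectUserName": "bob",
                            "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                            "ProcessId": "0x11a8", "NewProcessName": r"C:\Office\SCHDPLUS.EXE",
                            "CommandLine": "SCHDPLUS.EXE", "NewProcessId": "0x1a2c"}),
        from_sysmon({"Computer": "ws01.example.local", "User": "EXAMPLE\\alice",
                     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                     "ParentCommandLine": r'"C:\...\EXCEL.EXE"', "ParentProcessId": "4120",
                     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe", "ProcessId": "6001"}),
        from_crowdstrike({"ComputerName": "ws03", "UserName": "carol", "ParentBaseFileName": "WINWORD.EXE",
                          "ParentProcessId": "7000", "ImageFileName": r"\Device\HarddiskVolume3\Office\WINPROJ.EXE",
                          "CommandLine": "WINPROJ.EXE", "TargetProcessId": "7010"}),
        from_crowdstrike({"ComputerName": "ws03", "UserName": "carol", "ParentBaseFileName": "Excel.EXE",
                          "ParentProcessId": "7100", "ImageFileName": r"\Device\HarddiskVolume3\Office\FoxProW.exe",
                          "CommandLine": "FoxProW.exe /x", "TargetProcessId": "7120"}),
    ]


def run() -> list:
    return detect(sample_events())


if __name__ == "__main__":
    for hit in run():
        print(f"{hit.source:28} {hit.dest:20} {hit.user:16} "
              f"{hit.parent_process_name}({hit.parent_process_id}) -> {hit.process_name}({hit.process_id})")
```

The normalization step is where most of the value lies: the three sources name the same fields differently, 4688 reports PIDs in hex and omits the parent command line, and image paths arrive as full drive or device paths, so a match on the bare lower-cased file name is what makes one condition work across all of them.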
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
- Image
- Web Credential
- Logon Session
- Process
- Kernel
- Driver
- Volume
- Command
- Module
- Network Traffic
- Sensor Health
- File
- Drive
- Snapshot
- Domain Name
- Firewall
- Scheduled Job
- Service
- WMI
- User Account
- Pod
- Container
- Application Log
- Active Directory
- Cloud Service
- Cloud Storage
- Certificate
- Network Share
- Instance
ATT&CK Techniques
- T1021.003
Created: 2026-03-16