
Office Document Executing Macro Code

Splunk Security Content

Summary
This analytic rule detects the execution of macro code in Microsoft Office documents by monitoring Office host processes such as WINWORD.EXE and EXCEL.EXE for loads of the VBA runtime DLLs (e.g., VBE7.DLL). The detection relies on Sysmon EventCode 7 (Image loaded), which records DLLs loaded into user-space processes. The detection matters because Office macros are a common initial-access vector: a macro-enabled document can execute a malicious payload and lead to system compromise. Users are advised to disable macros by default to mitigate these risks.
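The image-load condition the summary describes, as an added illustration that is not the rule's own search or any Splunk code: a small Python matcher run over constructed Sysmon EventCode 7 records. The field names (Image, ImageLoaded, Computer, UtcTime) follow Sysmon's event schema, the process and DLL names come from the summary above, and every sample record is constructed for the example.

```python
"""Added example (not part of the Splunk Security Content rule): match the
'Office process loads the VBA runtime DLL' condition over Sysmon EventCode 7
records and summarise which hosts produced hits."""

from dataclasses import dataclass
import ntpath

# Office host processes named in the summary.
OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE"}
# DLL whose load indicates the VBA macro runtime was initialised (from the summary).
MACRO_DLLS = {"VBE7.DLL"}


@dataclass
class ImageLoadEvent:
    """Subset of Sysmon EventCode 7 fields used by this matcher."""
    event_code: int
    image: str          # Image: the process that loaded the module
    image_loaded: str   # ImageLoaded: the DLL being loaded
    computer: str       # Computer: host that generated the event
    utc_time: str       # UtcTime


def is_macro_load(evt: ImageLoadEvent) -> bool:
    """True when an Office host process loads the VBA runtime DLL."""
    if evt.event_code != 7:          # only image-load events are relevant
        return False
    # Compare on the file name only, case-insensitively, so install path
    # differences (Office16, root\Office16, x86 vs x64) do not matter.
    proc = ntpath.basename(evt.image).upper()
    dll = ntpath.basename(evt.image_loaded).upper()
    return proc in OFFICE_PROCESSES and dll in MACRO_DLLS


def find_macro_loads(events):
    """Return the events that satisfy the detection condition, in input order."""
    return [e for e in events if is_macro_load(e)]


def hosts_with_macro_loads(events):
    """Sorted list of hosts that produced at least one hit (for triage)."""
    return sorted({e.computer for e in find_macro_loads(events)})


# Constructed sample records (hypothetical hosts and timestamps).
SAMPLE_EVENTS = [
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL",
                   "WS01", "2025-01-24 09:12:03.117"),
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL",
                   "WS01", "2025-01-24 09:12:02.981"),   # ordinary Office DLL: no hit
    ImageLoadEvent(7, r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
                   r"C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL",
                   "WS02", "2025-01-24 09:15:44.502"),
    ImageLoadEvent(7, r"C:\Windows\System32\notepad.exe",
                   r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL",
                   "WS03", "2025-01-24 09:20:00.000"),   # not an Office host: no hit
    ImageLoadEvent(1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   "", "WS04", "2025-01-24 09:21:10.000"),  # EventCode 1 (process create): ignored
]


if __name__ == "__main__":
    for hit in find_macro_loads(SAMPLE_EVENTS):
        print(f"{hit.utc_time} {hit.computer}: {ntpath.basename(hit.image)} loaded "
              f"{ntpath.basename(hit.image_loaded)}")
    print("hosts:", hosts_with_macro_loads(SAMPLE_EVENTS))
```

The matcher keys on file names rather than full paths for the same reason the rule watches the DLL rather than the document: the VBA runtime must be loaded for any macro to run, regardless of where Office is installed or which file was opened. In an environment where macros are legitimately used, tune by host or user rather than by path, since the load itself is identical for benign and malicious macros.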
Categories
  • Endpoint
Data Sources
  • Pod
  • File
  • Process
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-24