
Summary
This rule, authored by Elastic, aims to detect suspicious inter-process communication targeted at Microsoft Outlook via the Component Object Model (COM). Unexpected processes initiating communication with Outlook can indicate malicious activity in which adversaries collect sensitive information or send unauthorized emails through Outlook's API. The rule is written in EQL (Event Query Language) and operates over endpoint process logs. It captures sequences of process starts, particularly unusual ones such as rundll32.exe, mshta.exe, or PowerShell, with additional checks on code signature integrity, since an untrusted or missing signature on the initiating process points to potentially malicious behavior. Suggested investigation steps include reviewing the initiating process's entity ID, validating code signatures, and analyzing process timelines to identify recently introduced anomalies. Remediation steps focus on isolating affected systems, terminating suspicious processes, and conducting a thorough security review of email accounts. The rule references the MITRE ATT&CK framework for email collection and inter-process communication techniques, guiding threat detection and response efforts.
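The correlation the summary describes, written out as an added example in Python (this is illustrative detection logic, not Elastic's rule or its EQL): an unusual or untrusted process start is paired with an OUTLOOK.EXE start that it requested, within a short window. The event field names (`entity_id`, `effective_parent_entity_id`, `code_signature.trusted`) and the sample events are assumptions constructed for the example.

```python
# Added example of the sequence-style detection described above. Not Elastic's rule:
# field names, window length and sample events are assumptions constructed here.
from datetime import datetime, timedelta

UNUSUAL_INITIATORS = {"rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
MAXSPAN = timedelta(minutes=1)  # how long after the initiator's start Outlook may appear

def suspicious_initiator(ev):
    """A process start is a candidate initiator if it is a known unusual host
    or if its code signature is missing or not trusted (assumed field layout)."""
    sig = ev.get("code_signature") or {}
    return ev["name"].lower() in UNUSUAL_INITIATORS or not sig.get("trusted", False)

def detect_outlook_ipc(events):
    """Return (initiator_name, entity_id) for each OUTLOOK.EXE start whose effective
    parent is a suspicious initiator that started within MAXSPAN before it."""
    starts = sorted(events, key=lambda e: e["ts"])
    candidates = {e["entity_id"]: e for e in starts
                  if e["name"].lower() != "outlook.exe" and suspicious_initiator(e)}
    alerts = []
    for ev in starts:
        if ev["name"].lower() != "outlook.exe":
            continue
        init = candidates.get(ev.get("effective_parent_entity_id"))
        if init and timedelta(0) <= ev["ts"] - init["ts"] <= MAXSPAN:
            alerts.append((init["name"], init["entity_id"]))
    return alerts

def _t(s):
    return datetime.fromisoformat(f"2023-01-11T{s}")

# Constructed sample process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": _t("09:59:00"), "name": "explorer.exe", "entity_id": "p-explorer",
     "code_signature": {"trusted": True, "subject_name": "Microsoft Windows"}},
    {"ts": _t("09:59:10"), "name": "OUTLOOK.EXE", "entity_id": "p-outlook-1",
     "effective_parent_entity_id": "p-explorer"},                # benign user launch
    {"ts": _t("10:00:05"), "name": "mshta.exe", "entity_id": "p-mshta",
     "code_signature": {"trusted": True, "subject_name": "Microsoft Windows"}},
    {"ts": _t("10:00:20"), "name": "OUTLOOK.EXE", "entity_id": "p-outlook-2",
     "effective_parent_entity_id": "p-mshta"},                   # unusual host -> alert
    {"ts": _t("10:01:00"), "name": "updater.exe", "entity_id": "p-updater",
     "code_signature": {"trusted": False}},
    {"ts": _t("10:03:30"), "name": "OUTLOOK.EXE", "entity_id": "p-outlook-3",
     "effective_parent_entity_id": "p-updater"},                 # outside MAXSPAN -> no alert
]

if __name__ == "__main__":
    print(detect_outlook_ipc(SAMPLE_EVENTS))  # [('mshta.exe', 'p-mshta')]
```

The untrusted updater.exe launch is deliberately placed outside the window to show that the sequence, not the initiator alone, produces the alert; shrinking or widening MAXSPAN trades missed activations against noise from unrelated Outlook starts.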
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Cloud Service
ATT&CK Techniques
- T1114
- T1114.001
- T1559
- T1559.001
Created: 2023-01-11