
Summary
This detection rule identifies Microsoft Office applications, such as Word, Excel, PowerPoint, and Outlook, initiating network connections to external systems over non-standard ports. Legitimate Office traffic overwhelmingly uses a small set of well-known ports (53, 80, 139, 443, 445), so a connection from an Office process to any other port is a deviation worth looking at. The rule consumes network-connection events that record the originating process, keeps only outbound connections where that process is one of the Office executables, and discards connections whose destination port is on the list of common ports. Anything left over raises an alert for investigation. The behavior it is built to surface is command-and-control communication or data exfiltration by malware that has been launched through a trusted Office process, for example via a malicious document. It does not block the connection; its value is in turning an otherwise ordinary-looking process into a high-signal investigation lead, which matters because attackers increasingly hide behind commonly trusted applications. Expect local tuning: environments where Outlook talks IMAP, POP3 or SMTP directly (ports such as 993, 995 and 587) will generate hits that the default port list does not exclude.
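The following is an added reconstruction of the logic described above, run over a handful of constructed, Sysmon-style network-connection records; it is not the rule's own code or the project's query language. The record format (pipe-delimited key=value), the executable names matched (EXCEL.EXE, OUTLOOK.EXE, POWERPNT.EXE, WINWORD.EXE) and the optional site-specific port allowlist are assumptions made here for illustration.

```python
"""Reconstruction of the detection logic: flag outbound connections by Office
binaries to ports outside a short allowlist. Constructed sample records only;
this is not the rule's own implementation."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Ports the rule summary treats as ordinary Office traffic.
COMMON_PORTS: FrozenSet[int] = frozenset({53, 80, 139, 443, 445})

# Assumed image names for the four applications named in the summary.
OFFICE_IMAGES = ("excel.exe", "outlook.exe", "powerpnt.exe", "winword.exe")


@dataclass(frozen=True)
class NetConn:
    image: str          # full path of the process that owns the socket
    initiated: bool     # True when the process opened the connection (outbound)
    dest_ip: str
    dest_port: int


def parse_line(line: str) -> NetConn:
    """Parse one constructed, pipe-delimited key=value record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return NetConn(
        image=fields["Image"],
        initiated=fields["Initiated"].lower() == "true",
        dest_ip=fields["DestinationIp"],
        dest_port=int(fields["DestinationPort"]),
    )


def is_office_process(image: str) -> bool:
    """Match on the executable name regardless of install path or case."""
    return image.lower().endswith(OFFICE_IMAGES)


def matches_rule(ev: NetConn, allowed_ports: FrozenSet[int] = COMMON_PORTS) -> bool:
    """Rule logic: outbound AND Office image AND destination port not allowlisted."""
    return ev.initiated and is_office_process(ev.image) and ev.dest_port not in allowed_ports


def detect(lines: Iterable[str], extra_allowed_ports: Iterable[int] = ()) -> List[NetConn]:
    """Run the rule over raw records; extra_allowed_ports models local tuning."""
    allowed = COMMON_PORTS | frozenset(extra_allowed_ports)
    return [ev for ev in map(parse_line, lines) if matches_rule(ev, allowed)]


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Initiated=true|DestinationIp=40.1.2.3|DestinationPort=443",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|Initiated=true|DestinationIp=198.51.100.7|DestinationPort=8443",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|Initiated=true|DestinationIp=203.0.113.9|DestinationPort=993",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE|Initiated=false|DestinationIp=10.0.0.5|DestinationPort=4444",
    "Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Initiated=true|DestinationIp=203.0.113.9|DestinationPort=8080",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Initiated=true|DestinationIp=10.0.0.53|DestinationPort=53",
]

if __name__ == "__main__":
    # Default run: Excel to 8443 and Outlook to 993 both alert.
    for hit in detect(SAMPLE_LOG):
        print(f"ALERT {hit.image} -> {hit.dest_ip}:{hit.dest_port}")
    # Tuned run for a site that knowingly uses IMAPS: only the Excel hit remains.
    for hit in detect(SAMPLE_LOG, extra_allowed_ports={993}):
        print(f"ALERT (tuned) {hit.image} -> {hit.dest_ip}:{hit.dest_port}")
```

Note what does not fire: the inbound PowerPoint record (Initiated=false) is ignored even though port 4444 is unusual, and the browser on 8080 is outside the rule's scope entirely. The Outlook hit on 993 is the tuning case called out above: correct per the rule as written, but a candidate for a local allowlist where mail clients talk IMAPS directly.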
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
Created: 2023-07-12