Windows Office Product Spawned MSDT

Splunk Security Content

Summary
This detection rule identifies instances where a Microsoft Office application spawns the Windows `msdt.exe` process. Using logs from Endpoint Detection and Response (EDR) systems, the rule analyzes process creation events in which an Office application is the parent process. This behavior is important to detect because it can indicate an attempt to abuse protocol handlers to bypass security controls, even when macros are disabled. If malicious, the spawned process could enable arbitrary code execution, leading to system compromise, data exfiltration, or lateral movement within a network. The search is built on Splunk's Endpoint Processes data model, which gives a structured way to outline and track this suspicious activity.
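The parent/child match the rule performs, written out as a small Python check run over constructed process-creation events (an added example, not the Splunk Security Content rule itself; the list of Office parent names and the field names mirroring Endpoint.Processes are assumptions):

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Office parent process names to match (assumed list; the page does not enumerate them).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "visio.exe", "onenote.exe", "mspub.exe",
}

@dataclass
class ProcessEvent:
    """Minimal stand-in for the Endpoint.Processes fields the rule uses."""
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str  # full command line as reported by the EDR

def _basename(path: str) -> str:
    """EDR telemetry may carry a full path; compare on the file name, case-insensitively."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_office_spawned_msdt(ev: ProcessEvent) -> bool:
    """True when an Office application is the parent of msdt.exe."""
    return (_basename(ev.parent_process_name) in OFFICE_PARENTS
            and _basename(ev.process_name) == "msdt.exe")

def find_office_msdt(events: Iterable[ProcessEvent]) -> List[Dict[str, str]]:
    """Return one finding per matching event with the fields an analyst would triage on."""
    return [
        {"dest": ev.dest, "user": ev.user,
         "parent_process_name": _basename(ev.parent_process_name),
         "process_name": _basename(ev.process_name), "process": ev.process}
        for ev in events if is_office_spawned_msdt(ev)
    ]

# Constructed sample events, not real telemetry. Two should match, two should not.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe", "msdt.exe <constructed args>"),
    ProcessEvent("ws01", "CORP\\alice", r"C:\Windows\explorer.exe",            # user-launched troubleshooter
                 r"C:\Windows\System32\msdt.exe", "msdt.exe <constructed args>"),
    ProcessEvent("ws02", "CORP\\bob", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe"),                   # printing, benign
    ProcessEvent("ws03", "CORP\\carol", "C:/Program Files/Microsoft Office/root/Office16/Outlook.exe",
                 r"C:\Windows\System32\MSDT.EXE", "MSDT.EXE <constructed args>"),
]

if __name__ == "__main__":
    for finding in find_office_msdt(SAMPLE_EVENTS):
        print(finding)
```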
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-14