Rare executable from Microsoft Office

Anvilogic Forge

Summary
This detection rule identifies potentially malicious behavior associated with Microsoft Office products: the launch of unusual executable files by Microsoft Office applications such as Word, Excel, PowerPoint, Access, Outlook, Visio, and WordPad. The rule uses logs from the CrowdStrike EDR system, querying recent process activity on Windows hosts, and filters for executables that are rarely seen as children of recognized Office processes. Such rare child executables are an indicator of potential exploitation attempts, particularly those linked to malicious actors such as Evilnum using malware like GlowSand. The rule supports early detection of user-driven execution of potentially harmful software in enterprise environments where Microsoft Office applications are prevalent.
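The following is an added illustration of the detection logic the summary describes, not Anvilogic's rule or a CrowdStrike query: it takes process-creation events in a simplified, hypothetical shape (the field names host, parent and image are assumptions, not CrowdStrike's schema), keeps only events whose parent is one of the Office processes named above, and flags child executables whose prevalence across distinct hosts falls at or below a threshold. The sample events are constructed for the example.

```python
"""Rare child executable spawned by a Microsoft Office parent (added example)."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Parent process names the rule keys on, taken from the rule summary above.
# WordPad is listed there alongside the Office applications and is kept for fidelity.
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
    "outlook.exe", "visio.exe", "wordpad.exe",
}

# Constructed sample of process-creation events. The shape (host/parent/image)
# is a hypothetical simplification, not the CrowdStrike EDR event schema.
SAMPLE_EVENTS = [
    # splwow64.exe is the 32-bit print spooler helper that Word routinely launches;
    # it appears on three hosts here, so it is common rather than rare.
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    {"host": "ws03", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    # Browser launched from Outlook (e.g. a clicked link) on two hosts.
    {"host": "ws04", "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws05", "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # An executable dropped to a temp directory and launched by Excel on a single host.
    {"host": "ws07", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Same file name, but the parent is Explorer, so this event is outside the rule's scope.
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so casing and directory differences do not split counts."""
    return PureWindowsPath(path).name.lower()


def office_child_prevalence(events):
    """Map each child executable name launched by an Office parent to the set of hosts it was seen on."""
    hosts_per_child = defaultdict(set)
    for event in events:
        if basename(event["parent"]) in OFFICE_PARENTS:
            hosts_per_child[basename(event["image"])].add(event["host"])
    return dict(hosts_per_child)


def rare_office_children(events, max_hosts: int = 1):
    """Return the Office-parented events whose child executable was seen on at most max_hosts distinct hosts.

    Prevalence is measured in distinct hosts rather than raw event count, so one noisy
    machine repeatedly launching the same binary does not make that binary look common.
    """
    prevalence = office_child_prevalence(events)
    rare = {child for child, hosts in prevalence.items() if len(hosts) <= max_hosts}
    return [
        event for event in events
        if basename(event["parent"]) in OFFICE_PARENTS and basename(event["image"]) in rare
    ]


if __name__ == "__main__":
    for hit in rare_office_children(SAMPLE_EVENTS):
        print(f"{hit['host']}: {basename(hit['parent'])} -> {hit['image']}")
```

With the default threshold of one host, only the Excel-launched update.exe on ws07 is reported; raising max_hosts to 2 also surfaces the Outlook-to-Chrome launches, which shows why the prevalence threshold should be tuned against an organisation's own baseline of Office child processes before the rule is used for alerting.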
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1204.002
Created: 2024-02-09