Renamed Office Binary Execution

Summary
The 'Renamed Office Binary Execution' rule detects Microsoft Office executables that are run under a file name other than their own. Attackers rename legitimate binaries because many detections key on the process image name (for example, 'WINWORD.EXE spawning cmd.exe'); a copy of Word launched as 'svchost.exe' slips past such rules while retaining its full functionality.

The rule applies to process creation events on Windows. Its selection matches the OriginalFileName field, which is taken from the executable's PE version resource and therefore survives a rename, against the original names of common Office applications (Excel, PowerPoint, Word and others). A filter then excludes events whose Image path still ends in one of those legitimate file names, so the condition 'selection and not filter' fires only when an Office binary is executed from a file that no longer carries its original name. The rule is rated level high.

Two caveats apply when deploying it. OriginalFileName is only present in telemetry that records PE version information, such as Sysmon Event ID 1; the native Windows Security event 4688 does not carry the field, so the rule cannot match on that source alone. The rule lists false positives as unknown: some environments legitimately rename or wrap Office executables, so matches should be triaged against the image path and parent process rather than acted on automatically.
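The logic described above, run over a handful of constructed Sysmon-style process creation events, as an added example that is not part of the rule or this page. The field names OriginalFileName and Image are the standard Sysmon names; the list of Office original names is illustrative (the page names only Excel, PowerPoint and Word), and the sample events are constructed for the demonstration. The last event deliberately exercises a blind spot of a list-based filter: an Office binary renamed to another Office name still ends in a legitimate file name and is not flagged.

```python
"""Evaluate 'selection and not filter' for a renamed-Office-binary detection.

Added example; field names, the binary list and the sample events are
assumptions for illustration, not the published rule's contents.
"""

# Lower-cased OriginalFileName values the selection matches on.
# Excel, PowerPoint and Word come from the page; the rest are assumed.
OFFICE_ORIGINAL_NAMES = {
    "excel.exe",
    "powerpnt.exe",
    "winword.exe",
    "msaccess.exe",
    "outlook.exe",
}

# Sigma string matching is case-insensitive, so everything is compared lower-cased.
_LEGIT_IMAGE_SUFFIXES = tuple("\\" + name for name in OFFICE_ORIGINAL_NAMES)


def is_renamed_office_binary(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'.

    selection: OriginalFileName (from the PE version resource) is an Office binary.
    filter:    Image ends with '\\<one of the legitimate Office file names>'.
    An event without OriginalFileName (e.g. Windows Security 4688) cannot match.
    """
    original = event.get("OriginalFileName", "")
    image = event.get("Image", "")
    if not original or not image:
        return False
    original_l = original.lower()
    image_l = image.lower()
    if original_l not in OFFICE_ORIGINAL_NAMES:
        return False  # selection does not match
    if image_l.endswith(_LEGIT_IMAGE_SUFFIXES):
        return False  # filter matches: file on disk still carries an Office name
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal launch: on-disk name equals the original name -> filtered out.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe"},
    # Copy of Word dropped as svchost.exe -> flagged.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "WinWord.exe"},
    # Copy of Excel dropped as update.exe -> flagged.
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "Excel.exe"},
    # Not an Office binary -> selection fails.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # 4688-style event with no OriginalFileName -> cannot be evaluated.
    {"Image": r"C:\Users\Public\svchost.exe"},
    # Blind spot: Word renamed to excel.exe still ends in an Office name -> not flagged.
    {"Image": r"C:\Temp\excel.exe", "OriginalFileName": "WinWord.exe"},
]


def run_detection(events):
    """Return the Image paths of all events the rule logic would flag."""
    return [e["Image"] for e in events if is_renamed_office_binary(e)]


if __name__ == "__main__":
    for image in run_detection(SAMPLE_EVENTS):
        print("renamed Office binary:", image)
```

The blind spot shown by the last event is a property of filtering on a list of legitimate names rather than on the specific name in OriginalFileName; a stricter variant would compare the Image suffix against that one name only, at the cost of more matches to triage.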
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-12-20