GAC DLL Loaded Via Office Applications

Sigma Rules

Summary
This detection rule identifies instances where a Global Assembly Cache (GAC) Dynamic Link Library (DLL) is loaded into a Microsoft Office application: Excel, Publisher, OneNote, Outlook, PowerPoint, or Word. It works on Windows image load telemetry (the image load event category), matching any event in which one of these Office processes loads an assembly from the GAC. Such a load can indicate an attempt to exploit Office products through .NET Framework libraries. Legitimate business use of macros and add-ins can also load GAC assemblies, so filtering may be required to keep false positives down. Because this activity can be one step in a larger malicious operation, the rule is classified with a high severity level.
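The following is an added example, not the Sigma rule's own logic or the site's code: it applies the detection idea in the summary to a few constructed Sysmon-style image-load records (Event ID 7, with the Sysmon field names `Image` for the loading process and `ImageLoaded` for the DLL). The Office executable names are the well-known binaries for the six applications listed; the GAC directory prefixes are the standard .NET 4.x and legacy cache locations and are this example's assumption about what "loaded from the GAC" means, since the rule's exact path test is not shown on the page. The `allowlist` argument stands in for the false-positive filtering the summary recommends.

```python
# Added example (not the rule's own code): flag Office processes loading DLLs from
# the GAC, using constructed Sysmon Event ID 7 style records.
import ntpath
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Office hosts named in the summary, by their well-known executable names.
OFFICE_IMAGES = {
    "excel.exe",     # Excel
    "mspub.exe",     # Publisher
    "onenote.exe",   # OneNote
    "outlook.exe",   # Outlook
    "powerpnt.exe",  # PowerPoint
    "winword.exe",   # Word
}

# Standard GAC locations (.NET 4.x cache and the legacy .NET 2.x/3.x cache).
# Assumption for this example: the page does not show the rule's exact path test.
GAC_PREFIXES = (
    "c:\\windows\\microsoft.net\\assembly\\gac_msil\\",
    "c:\\windows\\microsoft.net\\assembly\\gac_32\\",
    "c:\\windows\\microsoft.net\\assembly\\gac_64\\",
    "c:\\windows\\assembly\\gac\\",
    "c:\\windows\\assembly\\gac_msil\\",
    "c:\\windows\\assembly\\gac_32\\",
    "c:\\windows\\assembly\\gac_64\\",
)


def is_office_gac_load(event: Dict[str, object], allowlist: Optional[Set[str]] = None) -> bool:
    """Return True when an Office process loads a DLL from the GAC.

    `event` mirrors Sysmon Event ID 7 fields. `allowlist` holds lowercase DLL
    basenames an analyst has confirmed as legitimate business use; matching
    loads are suppressed, which is the filtering the summary recommends.
    """
    if event.get("EventID") != 7:          # only image-load events
        return False
    process = ntpath.basename(str(event.get("Image", ""))).lower()
    if process not in OFFICE_IMAGES:       # loader must be one of the Office hosts
        return False
    loaded = str(event.get("ImageLoaded", "")).lower()
    if not loaded.startswith(GAC_PREFIXES):  # DLL must live under a GAC directory
        return False
    if allowlist and ntpath.basename(loaded) in allowlist:
        return False                       # tuned-out, known-good assembly
    return True


def detect(events: Iterable[Dict[str, object]],
           allowlist: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (process, dll) name pairs for every event that matches the rule."""
    return [
        (ntpath.basename(str(e["Image"])).lower(), ntpath.basename(str(e["ImageLoaded"])).lower())
        for e in events
        if is_office_gac_load(e, allowlist)
    ]


# Constructed sample telemetry: paths, assembly names and tokens are made up.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Example.Assembly\\"
                    "v4.0_1.0.0.0__0000000000000000\\Example.Assembly.dll"},   # match
    {"EventID": 7,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},                    # system DLL, not GAC
    {"EventID": 7,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Example.Assembly\\"
                    "v4.0_1.0.0.0__0000000000000000\\Example.Assembly.dll"},   # GAC, but not Office
    {"EventID": 1,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},  # process create, not a load
    {"EventID": 7,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.EXE",
     "ImageLoaded": "C:\\Windows\\assembly\\GAC_MSIL\\Contoso.Lob\\"
                    "1.0.0.0__0000000000000000\\Contoso.Lob.dll"},             # match unless allowlisted
]

if __name__ == "__main__":
    for process, dll in detect(SAMPLE_EVENTS):
        print(f"ALERT: {process} loaded GAC assembly {dll}")
    print("with allowlist:", detect(SAMPLE_EVENTS, allowlist={"contoso.lob.dll"}))
```

Run as-is, the script reports two hits (Word and Publisher) and one once the constructed line-of-business assembly is allowlisted; the Excel, svchost and process-creation records are ignored because each fails exactly one of the three conditions the summary describes.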
Categories
  • Windows
Data Sources
  • Image
Created: 2020-02-19