
Summary
This detection rule identifies the anomalous behavior of Office applications creating .cab or .inf files, which may indicate exploitation attempts related to CVE-2021-40444. Such activity typically signals the loading of a malicious ActiveX control followed by the download of a remote payload, which can lead to remote code execution (RCE) and the compromise of sensitive data. The rule draws on the Endpoint.Processes and Endpoint.Filesystem data models to correlate the activity of the various Office products, matching on the Office executable names and on the suspicious file types they write. Because this rule has been deprecated, users should look for updated detections or enhancements in future releases, or follow current threat-hunting best practices through updated analytic frameworks.
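The logic the summary describes, as an added example in Python rather than the rule's own search: process events are joined to filesystem events on the process identifier, and a finding is raised when an Office executable writes a .cab or .inf file. The field names, the Office executable list and the sample events are assumptions made here, not taken from the rule.

```python
# Added example (not the original rule's search): the join the summary
# describes, written in Python over constructed process and filesystem events.
# Field names mirror Endpoint.Processes / Endpoint.Filesystem loosely and
# the Office executable list is assumed, not taken from the rule.
OFFICE_PROCESSES = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "onenote.exe", "msaccess.exe", "mspub.exe", "visio.exe",
}
SUSPICIOUS_EXTENSIONS = (".cab", ".inf")

def detect_office_cab_inf(process_events, file_events):
    """Return one finding per .cab/.inf file written by an Office process.
    Both inputs are lists of dicts (process_guid, process_name, dest, user
    and process_guid, file_name, file_path); they are joined on process_guid,
    as the rule's data-model join would be."""
    # Index Office processes by GUID so the join is linear, not quadratic.
    office = {
        p["process_guid"]: p for p in process_events
        if p["process_name"].lower() in OFFICE_PROCESSES
    }
    findings = []
    for f in file_events:
        proc = office.get(f["process_guid"])
        if proc is None:
            continue  # writer was not an Office process
        if not f["file_name"].lower().endswith(SUSPICIOUS_EXTENSIONS):
            continue  # ordinary document save, not a .cab/.inf drop
        findings.append({
            "dest": proc["dest"], "user": proc["user"],
            "process_name": proc["process_name"],
            "file_path": f["file_path"],
        })
    return findings

# Constructed telemetry: a benign Word save, a .cab written by Word, and an
# .inf written by a non-Office installer (must not alert).
SAMPLE_PROCESSES = [
    {"process_guid": "g1", "process_name": "WINWORD.EXE", "dest": "ws-042", "user": "alice"},
    {"process_guid": "g2", "process_name": "setup.exe", "dest": "ws-042", "user": "alice"},
]
SAMPLE_FILES = [
    {"process_guid": "g1", "file_name": "report.docx", "file_path": r"C:\Users\alice\report.docx"},
    {"process_guid": "g1", "file_name": "ms.cab", "file_path": r"C:\Users\alice\AppData\Local\Temp\ms.cab"},
    {"process_guid": "g2", "file_name": "driver.inf", "file_path": r"C:\Windows\Temp\driver.inf"},
]

if __name__ == "__main__":
    for hit in detect_office_cab_inf(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(hit)
```

Only the .cab written under the Word process GUID is reported; the .inf dropped by the non-Office installer is ignored, which is why the process join matters more than the file extension alone.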
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-24