
Suspicious MS Office Child Process

Elastic Detection Rules

Summary
This detection rule identifies suspicious child processes spawned by Microsoft Office applications, particularly Word, PowerPoint, and Excel. These applications are common targets because of their widespread use and their ability to run potentially malicious macros embedded in documents. The rule focuses on specific processes that are launched by these Office applications and whose execution may indicate attempted exploitation. To support analysis, the rule includes a structured triage and response plan that guides investigators in examining the executed processes and associated alerts, determining the nature of any related documents, and identifying any underlying malware. It also offers several analysis paths, including validating process chains and examining file details, and urges prompt incident response actions if a threat is confirmed. Implementing this rule helps organizations strengthen their defenses against attacks that leverage Microsoft Office and underscores the importance of scrutinizing document-related activity.
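As an added illustration (not the Elastic rule's own query or code), the following shows the parent/child check the summary describes, run over a few constructed process-creation events. The Office parent names and the child-process watch list are assumptions chosen from the ATT&CK techniques listed on this page (PowerShell, the Windows command shell, and signed-binary proxy execution), not the rule's actual lists, and a full-path parent image is normalized so the check still fires.

```python
from typing import Dict, List

# Assumed parent set: the Office applications named in the rule summary.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed child watch list: script hosts, shells and signed proxy binaries
# matching T1059.001 / T1059.003 / T1218. Tune to your own baseline.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def image_name(path: str) -> str:
    """Normalize 'C:\\...\\WINWORD.EXE' or 'WINWORD.EXE' to 'winword.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_office_child(event: Dict[str, str]) -> bool:
    """True when an Office application spawned a child on the watch list."""
    parent = image_name(event.get("parent_name", ""))
    child = image_name(event.get("process_name", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return matching events annotated with a one-line reason for the analyst."""
    hits = []
    for e in events:
        if is_suspicious_office_child(e):
            reason = f"{image_name(e['parent_name'])} spawned {image_name(e['process_name'])}"
            hits.append({**e, "reason": reason})
    return hits


# Constructed sample events (not real telemetry); command lines are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_name": "WINWORD.EXE", "process_name": "powershell.exe",
     "command_line": "powershell.exe -w hidden <placeholder>"},
    {"host": "ws01", "parent_name": "WINWORD.EXE", "process_name": "splwow64.exe",
     "command_line": "splwow64.exe 12288"},  # printing helper, benign
    {"host": "ws02", "parent_name": "explorer.exe", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c dir"},  # shell, but not an Office parent
    {"host": "ws03", "parent_name": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "process_name": "mshta.exe", "command_line": "mshta.exe <placeholder>"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["reason"], "|", hit["command_line"])
```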
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Network Traffic
  • Malware Repository
ATT&CK Techniques
  • T1566
  • T1566.001
  • T1059
  • T1059.001
  • T1059.003
  • T1218
Created: 2020-02-18