
Potential Arbitrary File Download Using Office Application

Sigma Rules

Summary
This detection rule identifies potential arbitrary file downloads performed through Microsoft Office applications, specifically Excel, PowerPoint and Word. It uses process creation logs and matches events in which the image is one of the selected Office binaries (excel.exe, powerpnt.exe, winword.exe) and the command line contains "http://" or "https://". A match raises a high severity alert. The technique being detected is a living-off-the-land download: these Office binaries accept a URL in place of a local document path and fetch the remote file themselves, so an attacker with command execution can retrieve a payload through a signed, trusted Microsoft process without invoking curl, certutil or PowerShell. The rule references research and online resources that describe this vector and gives an overview of the detection logic and its expected outcomes.
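The matching logic described above, run over a handful of constructed Sysmon-style process creation events, as an added example that is not part of the original page or the Sigma rule itself. The event fields, the sample command lines and the optional trusted-host allowlist are assumptions made for illustration; Sigma string matching is case-insensitive by default, which is why both fields are lower-cased before comparison.

```python
import re
from urllib.parse import urlparse

# Selection criteria of the rule: Office image name plus a URL scheme in the command line.
OFFICE_BINARIES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe")
URL_MARKERS = ("http://", "https://")

# Constructed Sysmon Event ID 1 style records for demonstration only; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" https://203.0.113.10/invoice.doc'},
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Documents\budget.xlsx"'},
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" http://example.net/deck.pptm'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c curl https://203.0.113.10/tool.exe -o tool.exe'},
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" https://contoso.sharepoint.com/sites/finance/q2.docx'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection (case-insensitive, like Sigma)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(OFFICE_BINARIES) and any(m in cmdline for m in URL_MARKERS)


def extract_urls(cmdline: str) -> list:
    """Pull every http(s) URL out of a command line so an analyst sees what was fetched."""
    return URL_RE.findall(cmdline)


def is_trusted(url: str, trusted_suffixes) -> bool:
    """Hypothetical tuning helper: True when the URL host is, or is under, a trusted domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def run_detection(events, trusted_suffixes=()) -> list:
    """Apply the rule to a list of events and return one alert dict per match.

    Matches whose URLs all point at trusted hosts are suppressed; this filter is an
    assumption added here for false-positive tuning, not part of the Sigma rule.
    """
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        urls = extract_urls(ev.get("CommandLine", ""))
        if urls and all(is_trusted(u, trusted_suffixes) for u in urls):
            continue
        alerts.append({"Image": ev["Image"], "urls": urls, "level": "high"})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, trusted_suffixes=("sharepoint.com",)):
        print(alert)
```

Without the allowlist, the Word event that opens a document straight from SharePoint also fires; users opening files from SharePoint or OneDrive URLs are the most likely benign source of matches in an enterprise, so tuning on trusted tenant hosts (or on the parent process) is the usual first adjustment before deploying the rule at high severity.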
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-05-17