
Summary
This detection rule identifies an Office document creating a scheduled task, behaviour that often indicates malicious activity, particularly macro malware establishing persistence or initiating subsequent beaconing. Using Sysmon EventCode 7 (image loaded), the rule detects instances where Office applications such as Word, Excel, and PowerPoint load the 'taskschd.dll' library. Such behaviour is a red flag because it is associated with technique T1566.001 (Spearphishing Attachment) in the MITRE ATT&CK framework. If the activity is confirmed to be malicious, it can allow an attacker to maintain persistence, execute arbitrary commands, or schedule future actions that compromise the environment. Although this analytic has been deprecated, understanding what it detects remains useful for recognising the threats associated with Office document manipulation.
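The following is an added example, not the rule's own search logic: it applies the same condition (Sysmon EventCode 7, an Office host process loading taskschd.dll) to a handful of constructed Sysmon-style event records. The field names (EventCode, Image, ImageLoaded) follow Sysmon's image-load event; the sample records and host names are invented for illustration.

```python
"""Flag Sysmon EventCode 7 (image loaded) events in which an Office
application loads taskschd.dll, the behaviour the deprecated rule looks for."""
import ntpath

# Office host processes named by the rule: Word, Excel, PowerPoint.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_DLL = "taskschd.dll"


def is_office_task_scheduler_load(event: dict) -> bool:
    """True when a Sysmon event 7 shows an Office process loading taskschd.dll."""
    if str(event.get("EventCode")) != "7":
        return False
    # Compare on the basename so install-path differences do not matter.
    image = ntpath.basename(event.get("Image", "")).lower()
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    return image in OFFICE_IMAGES and loaded == SUSPICIOUS_DLL


def find_matches(events):
    """Return the subset of events that satisfy the detection condition."""
    return [e for e in events if is_office_task_scheduler_load(e)]


# Constructed sample records (not real telemetry) shaped like Sysmon event 7 fields.
SAMPLE_EVENTS = [
    {"EventCode": 7, "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},          # hit
    {"EventCode": 7, "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\ole32.dll"},             # ordinary DLL
    {"EventCode": 7, "Computer": "WS02", "ProcessId": 880,
     "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},          # not an Office host
    {"EventCode": 1, "Computer": "WS02", "ProcessId": 5000,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},          # wrong event type
    {"EventCode": 7, "Computer": "WS03", "ProcessId": 6100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},          # hit
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"{hit['Computer']} pid={hit['ProcessId']} "
              f"{hit['Image']} loaded {hit['ImageLoaded']}")
```

Only the two Office-hosted loads are reported; the mmc.exe load shows why the rule keys on the loading process rather than on the DLL alone, since legitimate administrative tools also load taskschd.dll.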
Categories
- Endpoint
Data Sources
- Pod
- User Account
- Process
ATT&CK Techniques
- T1566
- T1566.001
Created: 2025-01-24