Remote XSL Script Execution via COM

Elastic Detection Rules

Summary
This detection rule identifies the execution of remotely hosted XSL scripts through the Microsoft.XMLDOM COM interface, a technique typically delivered through Microsoft Office applications such as Word, Excel, PowerPoint, and Publisher. Adversaries abuse the COM interface to have the Office process fetch an XSL stylesheet containing JScript or VBScript and execute it from within a document, without relying on macros or a standalone script host. The rule correlates two observations: an Office process loading the MSXML library (msxml3.dll), and that same process subsequently spawning a child process. Taken together these indicate a likely document-triggered script execution attempt. The activity maps to initial-access tactics, since such documents usually arrive by phishing, and to XSL script processing as a defense-evasion technique. The accompanying investigation guide tells analysts how to triage an alert: examine the parent and child process details, check whether the Office process legitimately loads MSXML as part of the user's normal workflow, and review related user activity, so that false positives can be dismissed without overlooking genuine threats.
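To make the correlation described above concrete, here is an added Python sketch of the same two-step logic run over constructed telemetry. It is not Elastic's rule (the actual EQL query is not reproduced on this page): the event layout and field names, the one-minute correlation window, the use of a per-process entity id, and the allow-list of benign Office children are all assumptions made for this example.

```python
"""Toy version of the detection logic the summary describes.

Added example for illustration, not Elastic's rule or its query. It
correlates, per Office process, a load of msxml3.dll with a later child
process start. The event records, field names, the one-minute window and
the allow-list of benign children are assumptions made for this example.
"""
from datetime import datetime, timedelta

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe"}
MSXML_DLL = "msxml3.dll"
MAXSPAN = timedelta(minutes=1)  # assumed correlation window
# Children an Office app routinely spawns for benign reasons (assumed allow-list).
BENIGN_CHILDREN = {"werfault.exe", "splwow64.exe", "conhost.exe"}


def detect(events):
    """Return alerts for Office processes that loaded msxml3.dll and then
    started a non-allow-listed child within MAXSPAN.

    `entity_id` stands in for a unique process identifier. A raw PID alone is
    not safe here: PIDs are reused, so an unrelated later process could
    inherit an earlier msxml3.dll load and produce a false correlation.
    """
    loads = {}   # entity_id of Office process -> time msxml3.dll was loaded
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "library":
            if ev["process"].lower() in OFFICE_PROCS and ev["dll"].lower() == MSXML_DLL:
                loads.setdefault(ev["entity_id"], ev["ts"])   # keep the first load
        elif ev["kind"] == "process_start":
            if ev["parent"].lower() not in OFFICE_PROCS:
                continue
            loaded_at = loads.get(ev["parent_entity_id"])
            if loaded_at is None or not (loaded_at <= ev["ts"] <= loaded_at + MAXSPAN):
                continue
            if ev["process"].lower() in BENIGN_CHILDREN:
                continue
            alerts.append({
                "parent": ev["parent"],
                "child": ev["process"],
                "args": ev.get("args", ""),
                "msxml_loaded_at": loaded_at,
                "child_started_at": ev["ts"],
            })
    return alerts


# Constructed sample telemetry (not real captured logs).
T0 = datetime(2023, 9, 27, 9, 0, 0)


def _t(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    # 1. Word loads msxml3.dll, then spawns cmd.exe 5 s later -> should alert
    {"kind": "library", "ts": _t(0), "process": "WINWORD.EXE", "entity_id": "w1", "dll": "msxml3.dll"},
    {"kind": "process_start", "ts": _t(5), "process": "cmd.exe", "parent": "WINWORD.EXE",
     "parent_entity_id": "w1", "args": "cmd.exe /c whoami"},
    # 2. Excel loads msxml3.dll, then spawns conhost.exe -> allow-listed, no alert
    {"kind": "library", "ts": _t(10), "process": "EXCEL.EXE", "entity_id": "e1", "dll": "msxml3.dll"},
    {"kind": "process_start", "ts": _t(12), "process": "conhost.exe", "parent": "EXCEL.EXE",
     "parent_entity_id": "e1"},
    # 3. PowerPoint spawns cmd.exe without any msxml3.dll load -> no alert
    {"kind": "process_start", "ts": _t(20), "process": "cmd.exe", "parent": "POWERPNT.EXE",
     "parent_entity_id": "p1"},
    # 4. Word loads msxml3.dll, child arrives 2 min later -> outside window, no alert
    {"kind": "library", "ts": _t(30), "process": "WINWORD.EXE", "entity_id": "w2", "dll": "msxml3.dll"},
    {"kind": "process_start", "ts": _t(150), "process": "cmd.exe", "parent": "WINWORD.EXE",
     "parent_entity_id": "w2"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT: {a['parent']} loaded msxml3.dll at {a['msxml_loaded_at']:%H:%M:%S}, "
              f"spawned {a['child']} at {a['child_started_at']:%H:%M:%S} ({a['args']})")
```

Only the first scenario fires; the other three show the three ways the correlation is suppressed (allow-listed child, no preceding DLL load, child outside the window). Case 4 is also the one to watch when tuning: a window that is too short misses slow second stages, while a very long window on a busy Office process raises false positives, and the allow-list is where legitimate Office helpers should be excluded rather than by widening the window.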
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1566 (Phishing)
  • T1566.002 (Spearphishing Link)
  • T1220 (XSL Script Processing)
Created: 2023-09-27