
Summary
This detection rule identifies Office documents that carry Visual Studio Tools for Office (VSTO) add-ins, a mechanism often used in malicious campaigns to execute harmful code. The rule recursively scans attached files and the members of any archives, matching file extensions associated with Microsoft Office documents (Word, Excel and PowerPoint formats). It also considers files of unknown type whose content type is 'application/octet-stream' and whose size is under 100MB, which it treats as a further indicator of potential risk. The core check inspects each file's metadata for a 'Tag_AssemblyLocation' field whose value matches '*.vsto*', while excluding locations under typical program installation directories (such as 'C:\Program Files'). To reduce false positives, the rule additionally checks whether the sender is solicited and whether the reply-to address aligns with the recipients' addresses. Matching attachments are flagged for further analysis because of their association with malware and ransomware tactics, specifically those that rely on scripting techniques.
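The logic described in the summary, written out as a small Python reference implementation. This is an added example, not the detection rule's own source: attachment metadata is modelled as nested dicts (an archive carries its members under "children"), and the field names ("metadata", "Tag_AssemblyLocation", "sender_solicited", "reply_to", "recipients"), the exact Office extension set, the "Program Files (x86)" exclusion and the literal reading of the sender check (fire when the sender is unsolicited, or when a Reply-To address is one of the recipients) are all assumptions made for this illustration. The sample message is constructed.

```python
"""Toy re-implementation of the VSTO add-in attachment check (added example).

Not the rule's own code. Field names, the extension list and the sender
logic are assumptions; the sample message below is constructed.
"""
from __future__ import annotations

import fnmatch
from typing import Iterator

# Assumed set of Office extensions the rule looks for (Word, Excel, PowerPoint).
OFFICE_EXTENSIONS = {
    "doc", "docx", "docm", "dot", "dotm",
    "xls", "xlsx", "xlsm", "xlam",
    "ppt", "pptx", "pptm",
}
SIZE_LIMIT = 100 * 1024 * 1024  # 100 MB bound stated in the summary
# Assumed: add-ins referenced from the standard install trees are treated as benign.
BENIGN_PATH_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def iter_files(node: dict) -> Iterator[dict]:
    """Yield a file and, recursively, every member of any archive it contains."""
    yield node
    for child in node.get("children", []):
        yield from iter_files(child)


def is_candidate_office_file(f: dict) -> bool:
    """Office extension, or an unknown octet-stream blob under the size limit."""
    if f.get("file_extension", "").lower() in OFFICE_EXTENSIONS:
        return True
    return (
        f.get("file_type") == "unknown"
        and f.get("content_type") == "application/octet-stream"
        and f.get("size", 0) < SIZE_LIMIT
    )


def has_suspicious_vsto_reference(f: dict) -> bool:
    """True if Tag_AssemblyLocation points at a .vsto manifest outside Program Files."""
    loc = f.get("metadata", {}).get("Tag_AssemblyLocation", "")
    if not fnmatch.fnmatchcase(loc.lower(), "*.vsto*"):
        return False
    return not loc.lower().startswith(BENIGN_PATH_PREFIXES)


def sender_check_fires(msg: dict) -> bool:
    """Assumed false-positive guard: unsolicited sender, or Reply-To set to a recipient."""
    if not msg.get("sender_solicited", False):
        return True
    recipients = {r.lower() for r in msg.get("recipients", [])}
    return any(rt.lower() in recipients for rt in msg.get("reply_to", []))


def find_vsto_attachments(msg: dict) -> list[str]:
    """Return the names of attachment members that match every condition of the rule."""
    if not sender_check_fires(msg):
        return []
    return [
        f["file_name"]
        for att in msg.get("attachments", [])
        for f in iter_files(att)
        if is_candidate_office_file(f) and has_suspicious_vsto_reference(f)
    ]


# Constructed sample message: one hit inside an archive, one excluded vendor
# install, and one extension-less blob that still qualifies as an unknown octet-stream.
SAMPLE_MESSAGE = {
    "sender": "invoices@sender.example",
    "recipients": ["ap@recipient.example"],
    "reply_to": [],
    "sender_solicited": False,
    "attachments": [
        {"file_name": "invoice.zip", "file_extension": "zip", "file_type": "archive",
         "content_type": "application/zip", "size": 40_000,
         "children": [
             {"file_name": "invoice.docx", "file_extension": "docx", "file_type": "docx",
              "content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
              "size": 31_000,
              "metadata": {"Tag_AssemblyLocation": "http://cdn.invalid/addin/Invoice.vsto|vstolocal"}},
         ]},
        {"file_name": "report.xlsx", "file_extension": "xlsx", "file_type": "xlsx",
         "content_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
         "size": 12_000,
         "metadata": {"Tag_AssemblyLocation": "C:\\Program Files\\Vendor\\Addin.vsto"}},
        {"file_name": "blob", "file_extension": "", "file_type": "unknown",
         "content_type": "application/octet-stream", "size": 5_000,
         "metadata": {"Tag_AssemblyLocation": "C:\\Users\\Public\\Tools\\Macro.vsto"}},
    ],
}

if __name__ == "__main__":
    print(find_vsto_attachments(SAMPLE_MESSAGE))  # ['invoice.docx', 'blob']
```

The nested traversal is what lets the rule see a VSTO-backed document hidden inside a ZIP, and the Program Files exclusion is what keeps a legitimately installed vendor add-in from tripping it; flipping `sender_solicited` to true on the same message shows the false-positive guard suppressing both hits unless a Reply-To address matches a recipient.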
Categories
- Endpoint
- Cloud
- Web
Data Sources
- File
- Network Traffic
- Application Log
Created: 2022-05-05