Office Product Spawn CMD Process

Splunk Security Content

Summary
The 'Office Product Spawn CMD Process' detection rule identifies instances where a Microsoft Office application (Word, Excel, PowerPoint, etc.) spawns a command-line interface (CMD) process. This behavior is often associated with macros inside those documents that silently download or execute malicious code. When one of the listed Office products is observed launching CMD, it is a strong indicator of potential malware activity, in particular methods similar to those used in Trickbot spear-phishing attacks. The detection is based on telemetry gathered from Endpoint Detection and Response (EDR) systems, which monitor process creation events and provide visibility into parent-child process relationships. Although this analytic was effective at flagging suspicious behavior, it has been deprecated in favor of a broader rule that covers Office products spawning uncommon processes in general. Vigilant monitoring of Office application behavior should continue, since any CMD execution originating from one of these processes can point to a compromise and to unauthorized actions being performed on the system.
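As an added illustration of the parent-child check this summary describes (example code written here, not Splunk's own search logic), the following Python flags EDR process-creation events whose parent is an Office application and whose child is cmd.exe, then groups the hits per host and user the way a stats-style detection summary would. The event field names, the sample telemetry and the Office executables beyond Word, Excel and PowerPoint are assumptions.

```python
"""Added example (not Splunk's own search): flag process-creation events
in which a Microsoft Office application spawns cmd.exe."""
from dataclasses import dataclass

# Office executables treated as suspicious parents. Word, Excel and
# PowerPoint come from the rule summary; the rest are assumed additions.
OFFICE_PARENTS = frozenset({
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe", "visio.exe",
})
CMD_CHILD = "cmd.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal shape of an EDR process-creation event (assumed field names)."""
    dest: str                 # host the event came from
    user: str                 # account that owns the child process
    parent_process_name: str  # parent image name or full path
    process_name: str         # child image name or full path
    process: str              # child command line


def _exe_name(path: str) -> str:
    """Normalise an image name or full path to a lower-case executable name,
    so 'C:\\...\\WINWORD.EXE' and 'winword.exe' compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_cmd(event: ProcessEvent) -> bool:
    """The rule's core test: an Office parent launched cmd.exe."""
    return (_exe_name(event.parent_process_name) in OFFICE_PARENTS
            and _exe_name(event.process_name) == CMD_CHILD)


def detect(events):
    """Return matching events grouped by (host, user), mirroring the
    per-host summary a Splunk detection would emit for triage."""
    summary = {}
    for ev in events:
        if office_spawned_cmd(ev):
            summary.setdefault((ev.dest, ev.user), []).append(ev)
    return summary


# Constructed sample telemetry, not real EDR data.
SAMPLE_EVENTS = [
    # Word launching cmd.exe: the behaviour the rule targets.
    ProcessEvent("WS-01", "CORP\\alice",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 "cmd.exe", "cmd.exe /c <constructed macro payload>"),
    # Explorer launching Word: normal document open, not a hit.
    ProcessEvent("WS-01", "CORP\\alice", "explorer.exe",
                 "winword.exe", "winword.exe report.docx"),
    # Excel launching CMD.EXE with mixed case: still a hit after normalising.
    ProcessEvent("WS-02", "CORP\\bob", "EXCEL.EXE",
                 "CMD.EXE", "CMD.EXE /c <constructed macro payload>"),
    # Word launching the print helper: benign Office child, not a hit.
    ProcessEvent("WS-02", "CORP\\bob", "winword.exe",
                 "splwow64.exe", "splwow64.exe"),
    # cmd.exe with a non-Office parent: outside this rule's scope.
    ProcessEvent("WS-03", "CORP\\carol", "powershell.exe",
                 "cmd.exe", "cmd.exe /c dir"),
    # Second Excel -> cmd.exe event on the same host and user.
    ProcessEvent("WS-02", "CORP\\bob", "excel.exe",
                 "cmd.exe", "cmd.exe /c <constructed macro payload>"),
]


if __name__ == "__main__":
    for (host, user), hits in detect(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {len(hits)} Office->cmd.exe event(s)")
        for ev in hits:
            print(f"    {_exe_name(ev.parent_process_name)} -> {ev.process}")
```

The normalisation step matters in practice: EDR sources differ in whether they report a bare image name or a full path, and in letter case, so a comparison on the raw field would silently miss events. The grouping by host and user is what an analyst needs first, since one Office-to-cmd.exe event on a host is already worth a look and several on the same host strengthen the case.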
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • File
  • Network Traffic
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2025-01-13