
Suspicious Binary In User Directory Spawned From Office Application

Sigma Rules

Summary
This detection rule identifies suspicious activity where an executable file located in a user's directory is launched by an application from the Microsoft Office suite, including Word, Excel, PowerPoint, Publisher, Visio, Access, and Equation Editor. Such behavior could indicate that a malicious payload is being executed stealthily under the guise of a legitimate Office application. The rule checks whether the process creation event's parent image ends with the name of a known Office application, while the executable being launched must reside in the user's directory and end with '.exe'. An exception filters out instances where the launched executable is 'Teams.exe', since that can be a regular occurrence and is not necessarily indicative of malicious activity. The detection uses Windows process creation logs as its data source and has been assigned a high severity level due to the potential risks associated with this behavioral pattern.
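As an added illustration (not the rule's own YAML or code), the following Python applies the conditions described above to constructed process-creation events. The Office executable names, the `C:\Users\` prefix as the meaning of "user's directory", and the Sysmon-style field names `ParentImage` and `Image` are assumptions.

```python
import ntpath

# Assumed executable names for the Office products the summary lists.
OFFICE_PARENTS = (
    "winword.exe",   # Word
    "excel.exe",     # Excel
    "powerpnt.exe",  # PowerPoint
    "mspub.exe",     # Publisher
    "visio.exe",     # Visio
    "msaccess.exe",  # Access
    "eqnedt32.exe",  # Equation Editor
)
USER_DIR_PREFIX = "c:\\users\\"  # assumed meaning of "user's directory"
EXCLUDED_IMAGE = "teams.exe"     # the Teams.exe exception


def is_suspicious(event: dict) -> bool:
    """Return True when a process-creation event matches the described logic.

    Sigma string matching is case-insensitive, so paths are lowercased first.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    parent_name = ntpath.basename(parent)
    image_name = ntpath.basename(image)
    if parent_name not in OFFICE_PARENTS:
        return False                      # parent is not an Office app
    if not (image.startswith(USER_DIR_PREFIX) and image_name.endswith(".exe")):
        return False                      # child not an .exe under the user dir
    if image_name == EXCLUDED_IMAGE:
        return False                      # Teams.exe false-positive filter
    return True


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\tool.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def matching_images(events):
    """Return the Image paths of the events the rule logic would flag."""
    return [e["Image"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for path in matching_images(SAMPLE_EVENTS):
        print("ALERT:", path)
```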
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-04-02