
Winword Spawning Cmd

Splunk Security Content

Summary
The detection rule 'Winword Spawning Cmd' identifies Microsoft Word (winword.exe) spawning the Windows command prompt (cmd.exe). Word has almost no legitimate reason to launch a shell, so this parent/child pairing is a strong indicator that a malicious document, typically a macro-enabled attachment delivered by spearphishing (T1566.001), is executing attacker-supplied commands. The rule is evaluated over Endpoint Detection and Response (EDR) process-creation telemetry, Sysmon EventID 1 and the process-creation events of the Windows Security event log (event 4688), and fires on any process creation whose parent process name is winword.exe and whose new process name is cmd.exe; the match is on the process name, not the full path, so mixed-case or relocated Office installs are still covered. A hit should be treated as a likely initial-access event: the spawned shell is frequently the first stage of a chain that continues with payload download, credential theft, data exfiltration, or lateral movement through the network.

The analytic has been deprecated in favor of the broader 'Windows Office Product Spawned Uncommon Process', which covers the same behavior across the other Office applications and a wider set of child processes. Users should migrate to that analytic, although the winword.exe to cmd.exe pairing remains a high-fidelity indicator on its own. Deploying the rule requires ingesting the relevant endpoint logs through the appropriate Splunk Technology Add-ons so that the parent and child process fields the search relies on are populated. False positives are rare; any legitimate automation that launches cmd.exe from Word should be excluded through the rule's filter for the specific host or command line rather than by disabling the detection, since this is suspicious activity originating inside a trusted application.
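As an added example (not the page's Splunk search and not code from Splunk Security Content), the Python below applies the same parent/child logic to a few constructed Sysmon EventID 1 style records, and beside it the broader Office-product rule the page recommends migrating to, including an allowlist that plays the role of the local false-positive filter. The Office parent list, the uncommon-child list, the field names and the sample events are assumptions made for illustration; the real detection's lists and query are not on this page.

```python
"""Added example: the 'Winword Spawning Cmd' logic and its broader successor
applied to constructed Sysmon EventID 1 style records.

Illustrative code written for this page; it is not the Splunk search itself
and not part of Splunk Security Content. Field names follow Sysmon's
process-creation event (ParentImage, Image, CommandLine)."""
from __future__ import annotations

import ntpath
from collections import Counter

# Constructed sample events (not real telemetry). Paths are deliberately mixed-case.
SAMPLE_EVENTS = [
    {   # the behaviour the rule targets: Word launching a shell that runs an encoded PowerShell payload
        "host": "ws01", "user": "CORP\\alice",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
    },
    {   # benign: Word printing through the 32-bit print spooler helper
        "host": "ws01", "user": "CORP\\alice",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
    {   # cmd.exe from Explorer: a user opening a prompt, not this rule's concern
        "host": "ws02", "user": "CORP\\bob",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # Excel launching PowerShell directly: missed by the narrow rule, caught by the successor
        "host": "ws03", "user": "CORP\\carol",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -ep bypass -c IEX(...)",
    },
]

# Assumed lists for the broader analytic; the real detection's lists are not on this page.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "onenote.exe", "msaccess.exe", "mspub.exe", "visio.exe"}
UNCOMMON_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}


def process_name(image: str) -> str:
    """Reduce a full image path to its lowercase file name. Matching on the
    normalized name rather than the raw path is what makes WINWORD.EXE and
    winword.exe compare equal, whatever directory Office is installed in."""
    return ntpath.basename(image).lower()


def winword_spawning_cmd(events: list[dict]) -> list[dict]:
    """The deprecated rule: parent process winword.exe, child process cmd.exe."""
    return [e for e in events
            if process_name(e["ParentImage"]) == "winword.exe"
            and process_name(e["Image"]) == "cmd.exe"]


def office_spawned_uncommon_process(events: list[dict],
                                    allowlist: frozenset[tuple[str, str]] = frozenset()) -> list[dict]:
    """The broader successor: any Office parent spawning a commonly abused child.
    `allowlist` holds (parent, child) pairs the organisation has vetted and stands
    in for the rule's local filter for known-good automation."""
    hits = []
    for e in events:
        parent, child = process_name(e["ParentImage"]), process_name(e["Image"])
        if parent in OFFICE_PARENTS and child in UNCOMMON_CHILDREN and (parent, child) not in allowlist:
            hits.append(e)
    return hits


def summarize(hits: list[dict]) -> dict[tuple[str, str, str, str], int]:
    """Count hits per (host, user, parent, child), the grouping an analyst triages from."""
    return dict(Counter(
        (e["host"], e["user"], process_name(e["ParentImage"]), process_name(e["Image"]))
        for e in hits))


if __name__ == "__main__":
    for name, rule in (("Winword Spawning Cmd", winword_spawning_cmd),
                       ("Windows Office Product Spawned Uncommon Process", office_spawned_uncommon_process)):
        print(name)
        for key, count in summarize(rule(SAMPLE_EVENTS)).items():
            print("  ", key, count)
```

Run against the four constructed events, the narrow rule returns only the ws01 Word-to-cmd event; the broader rule also returns the ws03 Excel-to-PowerShell event, and ignores the Word-to-splwow64 print helper because that child is not on the uncommon list. Allowlisting a vetted (parent, child) pair suppresses only that pairing, which is the shape of exclusion to prefer over switching the detection off.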
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1566 (Phishing)
  • T1566.001 (Spearphishing Attachment)
Created: 2025-01-13