Product
This rule identifies suspicious execution patterns where Microsoft Office applications launch add-ins from unusual paths or with atypical parent processes, potentially indicating initial access via a malicious phishing MS Office Add-In.