
Suspicious Remote Child Process From Outlook (e212d415-0e93-435f-9e1a-f29005bb4723)

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Suspicious Remote Child Process From Outlook (e212d415-0e93-435f-9e1a-f29005bb4723) | Sigma-Rules | 1 |
| Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | Suspicious Remote Child Process From Outlook (e212d415-0e93-435f-9e1a-f29005bb4723) | Sigma-Rules | 1 |