Mohsen Ghaffari

Members
  • Posts: 32

Kudos
  1. Upvote
    Mohsen Ghaffari gave kudos to Marcos in High CPU Usage with Webex Application - Need Help
    Please provide logs that you collected with ESET Log Collector after generating an advanced OS log EsetPerf.etl.
  2. Upvote
    Mohsen Ghaffari gave kudos to Mitchell in Hash Blocked by ESET Inspect
    The following built-in rules have an action that can result in a blocked hash (I'm not sure which of these are enabled by default, however):

      • Process has started from Recycle Bin folder [A0412]
      • Suspicious executable created in %startup% folder [A0127b]
      • Regsvr32 has dropped a suspicious executable [A0311]
      • Certutil has dropped a suspicious executable [A0313]
      • Process executed from ADS [A0417]
      • Process with mimikatz-like executable metadata executed [A0423]
      • Ransomware-like data written to file [A0603]
      • Multiple file writes from a compromised process [A0606]
      • Multiple file renames from a compromised process [A0607]
      • Remote execution using renamed PsExec service [A0905]
      • Canary File was Triggered [D0334]
      • Suspicious Nvidia Signed module was dropped [E0464]
      • Suspicious Nvidia Signed module was loaded [E0465]
      • Explorer.exe Loading Suspicious .Net Assembly [E0472]
      • Suspicious Compromised Process Loading .Net CLR DLL [E0473]
      • Rundll32 loaded DLL with unusual extension [F0461]
      • Windows Print Spooler loaded suspicious DLL from remote folder [A0441]
      • Suspicious LoLBaS Execution: Control.exe loading DLL from ADS (Alternate Data Streams) [E0437]
      • Suspicious DLL loaded from Alternate Data Stream [E0438]

    Most likely one of these rules triggered and the hash of the file is now added to the "blocked hashes" list in the Inspect Web Console under "More > Blocked Hashes".
  3. Upvote
    Mohsen Ghaffari gave kudos to itman in CVE-2023-36884
    I will also note that if the ESET-recommended anti-ransomware HIPS rules are deployed with regard to MS Office apps, this vulnerability can't be exploited:
    https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/