WNDF-AV-000033 - Microsoft Defender AV must be configured block Office applications from creating child processes.
Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Windows Defender Exploit Guard >> Attack Surface Reduction >> 'Configure Attack Surface Reduction rules' to 'Enabled'. Click 'Show...'. Set the Value name to 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' and the Value to '1'.