diff --git a/Emotet/extracting_ioc_from_doc.md b/Emotet/extracting_ioc_from_doc.md
index 63f30a2..6cac264 100644
--- a/Emotet/extracting_ioc_from_doc.md
+++ b/Emotet/extracting_ioc_from_doc.md
@@ -38,4 +38,5 @@
 
 ## Reference
 [How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros — Part 2](https://security-soup.net/how-to-extract-network-indicators-of-compromise-iocs-from-maldoc-macros-part-2/)
+[CMD Watcher and Maldocs](http://www.kahusecurity.com/posts/cmd_watcher_and_maldocs.html)