Block Microsoft Office from injecting code into other processes
Stop Microsoft Office from putting code into other programs to prevent security risks.
Plain language
Imagine you're working on your computer and a sneaky virus uses Microsoft Office, like Word or Excel, to spread to other parts of your system. This control stops that from happening by making sure Office can't slide its code into other programs, which helps keep your whole system safer.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Microsoft Office is blocked from injecting code into other processes.
Why it matters
If Office can inject code into other processes, attackers can run payloads in trusted apps, steal credentials and persist silently.
Operational notes
Enable the ASR rule 'Block Office apps from injecting into other processes' via GPO/Intune and review Defender alerts for blocked injections.
Implementation tips
- IT team: Ensure Microsoft Office is configured so it cannot inject code into other processes. Use endpoint security solutions or group policy settings to enforce this.
- System administrator: Regularly update Microsoft Office and related security policies to prevent manual bypasses. Use automatic updates to keep systems up to date.
- Security officer: Conduct regular training for employees on recognising potential phishing attempts within Office documents. Use educational sessions and resources.
- Network administrator: Monitor and limit permissions that Office applications have on user machines. Use tools like AppLocker to define what Office can and cannot do.
Audit / evidence tips
-
AskCan you show me how Microsoft Office's ability to inject code into other processes is controlled?
-
GoodThere should be a documented policy or setting that shows Microsoft Office is prevented from injecting code into other processes, evidenced by screenshots or policy settings
-
AskHow are updates and patches managed for Microsoft Office?
-
GoodAutomatic updating should be enabled, and logs should show recent updates applied to Office applications
Cross-framework mappings
How E8-AH-ML2.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (4) expand_less | ||
| ISM-1667 | E8-AH-ML2.4 requires blocking Microsoft Office from injecting code into other processes | |
| ISM-1668 | E8-AH-ML2.4 requires blocking Microsoft Office from injecting code into other processes to prevent in-memory execution and tampering | |
| ISM-1670 | ISM-1670 requires blocking PDF applications from creating child processes, limiting a common execution technique used by malicious PDFs | |
| ISM-1673 | E8-AH-ML2.4 requires Microsoft Office to be blocked from injecting code into other processes | |
| handshake Supports (1) expand_less | ||
| ISM-1542 | ISM-1542 requires Microsoft Office to be configured to prevent activation of Object Linking and Embedding (OLE) packages | |
| link Related (3) expand_less | ||
| ISM-1601 | ISM-1601 requires organisations to implement Microsoft Attack Surface Reduction rules | |
| ISM-1669 | E8-AH-ML2.4 requires Microsoft Office to be blocked from injecting code into other processes to reduce macro-driven and exploit-driven po... | |
| ISM-1858 | ISM-1858 mandates hardening of IT equipment using ASD and vendor guidance, with the most restrictive guidance taking precedence | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.