Configure Microsoft Office to prevent activation of OLE packages
Ensure Microsoft Office is set up to stop risky linking and embedding features.
Plain language
This control is about setting up Microsoft Office so it doesn't automatically activate certain objects and packages that could be harmful. Imagine opening a Word document, and it triggers something bad on your computer without you knowing. This control helps prevent that sneaky behaviour.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
Why it matters
Without this control, malicious OLE packages in Office documents may activate and run code, causing data theft or system compromise.
Operational notes
Enforce GPO/Intune settings that block OLE package activation in Office, and validate via test docs after Office updates or policy changes.
Implementation tips
- The IT team should configure Microsoft Office settings to block Object Linking and Embedding (OLE) packages. This can be done through group policy settings to ensure the feature is disabled for all users.
- System administrators should regularly update Office applications to the latest versions. Updates often include security improvements that reinforce these settings.
- Security officers should develop and distribute guidelines explaining why OLE packages are disabled to help users understand the importance of this measure.
- Network administrators should monitor network traffic for any unauthorised attempts to activate OLE packages, using security tools to alert them of such activities.
Audit / evidence tips
- AskHave the Microsoft Office security settings been configured to block OLE package activation?
- GoodThe group policy settings show OLE activation is blocked for all users, and the settings cannot be changed by end users
Cross-framework mappings
How E8-AH-ML2.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (2) expand_less | ||
| Annex A 8.1 | E8-AH-ML2.5 requires a Microsoft Office endpoint configuration to prevent activation of OLE packages | |
| Annex A 8.8 | E8-AH-ML2.5 requires Microsoft Office to prevent activation of OLE packages as a measure to reduce exposure to a known attack technique u... | |
| extension Depends on (1) expand_less | ||
| Annex A 8.9 | E8-AH-ML2.5 requires Microsoft Office to be configured to prevent activation of OLE packages | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (5) expand_less | ||
| ISM-0289 | ISM-0289 requires evaluated products to be configured, administered and operated in an evaluated configuration and in accordance with ven... | |
| ISM-1667 | E8-AH-ML2.5 requires Microsoft Office to be configured to prevent activation of OLE packages to reduce embedded-object execution risk | |
| ISM-1668 | E8-AH-ML2.5 requires Microsoft Office to prevent activation of OLE packages to limit execution of embedded content | |
| ISM-1669 | E8-AH-ML2.5 requires disabling OLE package activation in Microsoft Office to reduce embedded object execution and related exploitation | |
| ISM-1673 | ISM-1673 requires blocking Win32 API calls by Office macros to constrain macro capability | |
| handshake Supports (1) expand_less | ||
| ISM-1601 | E8-AH-ML2.5 requires Microsoft Office to be configured to prevent activation of OLE packages | |
| extension Depends on (2) expand_less | ||
| ISM-1913 | E8-AH-ML2.5 requires implementing a defined Microsoft Office configuration that prevents OLE package activation | |
| ISM-1915 | E8-AH-ML2.5 requires a specific approved configuration in Microsoft Office to prevent activation of OLE packages | |
| link Related (4) expand_less | ||
| ISM-1536 | ISM-1536 requires Microsoft Office to be configured to block activation of OLE packages to reduce exploitation of embedded objects | |
| ISM-1542 | E8-AH-ML2.5 requires Microsoft Office to be configured to prevent activation of Object Linking and Embedding (OLE) packages | |
| ISM-1798 | ISM-1798 requires that secure configuration guidance is produced and made available to consumers for software | |
| ISM-1858 | ISM-1858 requires organisations to harden IT equipment using ASD and vendor guidance, choosing the most restrictive configuration where g... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.