Block Microsoft Office macros from the internet
Prevent macros in files from the internet from being opened in Microsoft Office.
Plain language
Blocking Microsoft Office macros from the internet is about preventing sneaky software from running on your computer when you open a document. Without this control, a seemingly harmless file from an unknown email or website could secretly run harmful code, stealing your data or damaging your systems.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Microsoft Office macros in files originating from the internet are blocked.
Why it matters
If internet-sourced Office macros aren’t blocked, users can run malicious code leading to ransomware, data loss, and outages.
Operational notes
Enforce Office’s “Block macros from the Internet” policy via GPO/Intune, then test with files tagged with Mark of the Web (MOTW) to confirm macros are blocked.
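One way to check this on a workstation, as an added example that is not part of the original page: the script reads the per-user policy value `blockcontentexecutionfrominternet` for each Office application and can create a MOTW-tagged copy of a test file. It assumes Office 2016 or later (registry version key `16.0`); the function names and file paths are hypothetical.

```powershell
# Added example: audit the policy value behind
# "Block macros from running in Office files from the Internet".
# Assumption: Office 2016 or later, which uses the 16.0 registry version key.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Visio', 'Access'

function Get-InternetMacroBlockPolicy {
    foreach ($app in $Apps) {
        # Values under the Policies hive are set by GPO/Intune, not by the user's Trust Center choices.
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                  -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        # A missing key or value means the policy is not configured for this application.
        $status = 'Configured but not blocking'
        if ($null -eq $value) { $status = 'Not configured' }
        elseif ($value -eq 1) { $status = 'Blocked by policy' }

        [pscustomobject]@{
            Application = $app
            PolicyValue = $value
            Status      = $status
        }
    }
}

function New-MotwTestCopy {
    param(
        # A benign macro-enabled test file that you supply (hypothetical path).
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $DestinationPath
    )
    Copy-Item -LiteralPath $SourcePath -Destination $DestinationPath -Force
    # ZoneId=3 is the Internet zone; Office reads this NTFS stream as Mark of the Web.
    Set-Content -LiteralPath $DestinationPath -Stream 'Zone.Identifier' `
        -Value '[ZoneTransfer]', 'ZoneId=3'
    # Return the stream content so the tag can be confirmed.
    Get-Content -LiteralPath $DestinationPath -Stream 'Zone.Identifier'
}

Get-InternetMacroBlockPolicy | Format-Table -AutoSize

# Then open the tagged copy from a folder that is not a Trusted Location
# and confirm the macro does not run:
# New-MotwTestCopy -SourcePath .\macro-test.docm -DestinationPath .\macro-test-motw.docm
```

The `Zone.Identifier` stream exists only on NTFS volumes, so create the tagged copy on a local NTFS drive.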
Implementation tips
- The IT team should review and update group policies to ensure that macros from the internet are blocked in Microsoft Office applications. They can do this by setting the macro security to 'disable all macros with notification' for all users.
- System administrators should apply specific settings in the Microsoft Office Trust Center to block macros from the internet. They can access this by going to File > Options > Trust Center > Trust Center Settings > Macro Settings, and ensuring the appropriate box is checked.
- Security officers should communicate with all staff about the risks of macros and explain why they are being blocked. This can be done through an email newsletter or a meeting presentation.
- The IT department should monitor and maintain a list of users who have a business need to run macros, ensuring that these exceptions are documented and approved.
- An IT security specialist should ensure antivirus scanning is enabled for macro files. Microsoft Defender or another antivirus solution should be set up to automatically scan these macros for potential threats.
Audit / evidence tips
- Ask: What are your current settings for macros in Microsoft Office applications from the internet?
- Good: The export shows macros from the internet are set to be blocked and cannot be changed by users.
- Ask: How do you verify that only the necessary staff have access to macros?
- Good: The organisation maintains a current list of authorised users whose access is periodically reviewed.
Cross-framework mappings
How E8-RM-ML1.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1672 | ISM-1672 requires Microsoft Office macro antivirus scanning to be enabled to detect malicious macro content | |
| ISM-1673 | ISM-1673 requires that Office macros are blocked from making Win32 API calls regardless of origin, limiting what macros can do if they run | |
| Supports (6) | | |
| ISM-1234 | ISM-1234 requires email content filtering to reduce delivery of malicious attachments and embedded content | |
| ISM-1489 | E8-RM-ML1.2 requires that internet-origin Microsoft Office macros are blocked | |
| ISM-1671 | E8-RM-ML1.2 requires Microsoft Office macros from internet-originating files to be blocked | |
| ISM-1674 | E8-RM-ML1.2 requires blocking Microsoft Office macros specifically when the file originates from the internet | |
| ISM-1675 | E8-RM-ML1.2 requires blocking macros in Microsoft Office files originating from the internet | |
| ISM-1891 | E8-RM-ML1.2 requires internet-origin Microsoft Office macros to be blocked | |
| Related (1) | | |
| ISM-1488 | E8-RM-ML1.2 requires Microsoft Office macros in files originating from the internet to be blocked to prevent internet-borne macro execution | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.