Block Microsoft Office macros from the internet
Prevent macros in files from the internet from being opened in Microsoft Office.
🏛️ Framework: ASD Essential Eight
🧭 Control effect: Preventative
🛠️ E8 mitigation strategy: RM
🔐 Classifications: N/A
🗓️ Official last update: N/A
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: ML1
Microsoft Office macros in files originating from the internet are blocked.
Source: ASD Essential Eight
Plain language
Blocking Microsoft Office macros from the internet is about preventing sneaky software from running on your computer when you open a document. Without this control, a seemingly harmless file from an unknown email or website could secretly run harmful code, stealing your data or damaging your systems.
Why it matters
If internet-sourced Office macros aren’t blocked, users can run malicious code leading to ransomware, data loss, and outages.
Operational notes
Enforce Office’s “Block macros from the Internet” policy via GPO/Intune, then test with files tagged with Mark of the Web (MOTW) to confirm macros are blocked.
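One way to carry out the check described above, as an added example that is not from the source page: it reads the per-application policy value and applies Mark of the Web to a test file. The `16.0` version key, the per-user policy hive as the place the GPO/Intune setting lands, and the test file path are assumptions.

```powershell
# Added example, not from the source page.
# Assumption: Office version key 16.0 (Office 2016 and later, Microsoft 365 Apps)
# and policy delivered to the per-user policy hive.
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$Apps       = 'access', 'excel', 'powerpoint', 'visio', 'word'

function Get-MacroInternetBlockStatus {
    # Report, per Office application, whether the policy value is set to 1.
    foreach ($app in $Apps) {
        $key  = Join-Path $PolicyRoot "$app\security"
        $item = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                    -ErrorAction SilentlyContinue
        $value = if ($item) { $item.blockcontentexecutionfrominternet } else { $null }
        [pscustomobject]@{
            App       = $app
            Value     = $value          # 1 = blocked by policy, $null = policy not set
            Compliant = ($value -eq 1)
        }
    }
}

function Set-TestMarkOfTheWeb {
    # Tag an existing test file as downloaded from the Internet zone (ZoneId=3)
    # by writing the Zone.Identifier NTFS alternate data stream.
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -Path $Path -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'
    Get-Content -Path $Path -Stream 'Zone.Identifier'   # echo the stream for the evidence record
}

$status = Get-MacroInternetBlockStatus
$status | Format-Table -AutoSize

if ($status.Compliant -contains $false) {
    # An application that is not installed also shows as not set; review each row.
    Write-Warning 'Policy value missing or not 1 for at least one Office application.'
}

# Hypothetical path: a copy of a benign, internally authored macro-enabled test document.
# Set-TestMarkOfTheWeb -Path 'C:\Temp\macro-test.docm'
```

After tagging the test document, open it in the matching Office application as a standard user and record whether the macro is blocked.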
Implementation tips
- The IT team should review and update group policies to ensure that macros from the internet are blocked in Microsoft Office applications. They can do this by setting the macro security to 'disable all macros with notification' for all users.
- System administrators should apply specific settings in the Microsoft Office Trust Center to block macros from the internet. They can access this by going to File > Options > Trust Center > Trust Center Settings > Macro Settings, and ensuring the appropriate box is checked.
- Security officers should communicate with all staff about the risks of macros and explain why they are being blocked. This can be done through an email newsletter or a meeting presentation.
- The IT department should monitor and maintain a list of users who have a business need to run macros, ensuring that these exceptions are documented and approved.
- An IT security specialist should ensure antivirus scanning is enabled for macro files. Microsoft Defender or another antivirus solution should be set up to automatically scan these macros for potential threats.
Audit / evidence tips
- Ask: What are your current settings for macros in Microsoft Office applications from the internet?
- Good: The export shows macros from the internet are set to be blocked and cannot be changed by users
- Ask: How do you verify that only the necessary staff have access to macros?
- Good: The organisation maintains a current list of authorised users whose access is periodically reviewed
Cross-framework mappings
How E8-RM-ML1.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-1672 | ISM-1672 requires Microsoft Office macro antivirus scanning to be enabled to detect malicious macro content | |
| ISM-1673 | ISM-1673 requires that Office macros are blocked from making Win32 API calls regardless of origin, limiting what macros can do if they run | |
| Supports (6) | | |
| ISM-1234 | ISM-1234 requires email content filtering to reduce delivery of malicious attachments and embedded content | |
| ISM-1489 | E8-RM-ML1.2 requires that internet-origin Microsoft Office macros are blocked | |
| ISM-1671 | E8-RM-ML1.2 requires Microsoft Office macros from internet-originating files to be blocked | |
| ISM-1674 | E8-RM-ML1.2 requires blocking Microsoft Office macros specifically when the file originates from the internet | |
| ISM-1675 | E8-RM-ML1.2 requires blocking macros in Microsoft Office files originating from the internet | |
| ISM-1891 | E8-RM-ML1.2 requires internet-origin Microsoft Office macros to be blocked | |
| Related (1) | | |
| ISM-1488 | E8-RM-ML1.2 requires Microsoft Office macros in files originating from the internet to be blocked to prevent internet-borne macro execution | |