Microsoft Office macros are blocked from making Win32 API calls
Block Office macros from running code that interacts directly with Windows.
Plain language
This control prevents Microsoft Office macros from interacting directly with Windows, which stops them from running harmful actions on your computer. It is crucial because, without this safeguard, a malicious document could carry out harmful tasks on your system as soon as you open it, leading to data theft or damage.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Microsoft Office macros are blocked from making Win32 API calls.
Why it matters
If Office macros can make Win32 API calls, attackers can run native code to change system settings or exfiltrate data when a document opens.
Operational notes
Regularly validate Office macro policy to ensure updates or user changes do not re-enable Win32 API calls from VBA macros.
Implementation tips
- The IT team should configure group policy settings to block Office macros from making Win32 API calls. This can be done using the Group Policy Management Console.
- System administrators should ensure only users with a genuine business need have the capability to run macros. This involves verifying business needs and updating permissions accordingly.
- Security officers should review and document the business requirements for macro use regularly to ensure they remain valid and necessary.
- IT support should periodically update Office applications to make sure they include the latest security patches that support these restrictions.
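One way to validate the setting on an endpoint, as an added example that is not part of the original control text. It assumes the block is enforced through the Microsoft Defender Attack Surface Reduction rule "Block Win32 API calls from Office macros" and reads the effective state with `Get-MpPreference`; the function name `Test-Win32MacroBlock` is hypothetical.

```powershell
# Added example, not from the control page.
# Assumption: enforcement is via the Microsoft Defender ASR rule
# "Block Win32 API calls from Office macros" (GUID below).
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-Win32MacroBlock {
    param(
        [string[]]$Ids = @(),
        [int[]]$Actions = @()
    )
    # Rule IDs and actions are parallel arrays; GUID case can differ.
    $index = -1
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $RuleId) { $index = $i; break }
    }
    if ($index -lt 0 -or $index -ge $Actions.Count) {
        return [pscustomobject]@{ State = 'NotConfigured'; Compliant = $false }
    }
    $action = $Actions[$index]
    $state = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] }
             else { "Unknown($action)" }
    # Only Block is treated as compliant: Audit only logs the call and
    # Warn can be bypassed by the user.
    [pscustomobject]@{ State = $state; Compliant = ($action -eq 1) }
}

# Constructed sample: the rule present but left in Audit mode is reported
# as State = Audit, Compliant = False.
Test-Win32MacroBlock -Ids @($RuleId) -Actions @(2) | Format-List

# Live check against the effective Defender configuration on this machine.
$prefs = Get-MpPreference
$result = Test-Win32MacroBlock `
    -Ids $prefs.AttackSurfaceReductionRules_Ids `
    -Actions $prefs.AttackSurfaceReductionRules_Actions
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

The non-zero exit code lets a scheduled compliance job flag endpoints where the rule is missing, disabled, or left in Audit or Warn mode.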
Audit / evidence tips
- Ask: Are macro settings configured to prevent Win32 API calls in your Office applications?
- Good: Policies are set to block all macros from executing Win32 API calls, and there is documentation of business justifications for any exemptions.
- Ask: How do you verify that only authorised users can run macros?
- Good: The permissions align with documented business requirements, and there is an approval process in place for any changes.
Cross-framework mappings
How E8-RM-ML2.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1915 | E8-RM-ML2.1 demands specific configuration to block macros' Win32 API calls | |
| Partially overlaps (3) | | |
| ISM-1601 | ISM-1601 requires implementation of Microsoft ASR rules to reduce common exploit behaviours across user applications | |
| ISM-1667 | E8-RM-ML2.1 focuses on preventing Win32 API calls from Office macros to limit interaction with the system | |
| ISM-1669 | ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes | |
| Supports (1) | | |
| ISM-1489 | E8-RM-ML2.1 requires blocking Win32 API calls from Microsoft Office macros as part of hardening | |
| Related (1) | | |
| ISM-1673 | E8-RM-ML2.1 requires blocking Microsoft Office macros from making Win32 API calls, which aligns with ISM-1673's equivalent mandate | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.