Restrict Microsoft Office macros to only trusted or sandboxed environments
Allow only macros from trusted locations, sandboxes, or signed by trusted publishers.
Plain language
This control is about making sure that macros in Microsoft Office documents, such as Word or Excel files, only run when we know they are safe. Macros can execute tasks automatically and, if not controlled, attackers can use them to run harmful code on your computer, leading to data breaches or data loss.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
Why it matters
Unchecked Office macros can deliver malware, enabling data theft and account compromise, disrupting business operations and causing financial loss.
Operational notes
Review and minimise Trusted Locations, validate trusted publishers’ certificates, and ensure macros run only in approved sandboxes; remove stale exceptions.
Implementation tips
- The IT team should review current Group Policy settings to ensure Microsoft Office macros are restricted to running only from Trusted Locations or when digitally signed by trusted publishers.
- System administrators should configure Microsoft Office applications to block macros in files that come from the internet to prevent potential threats from external sources.
- Security officers should ensure that only verified users with a valid business need have access to trusted locations where macros are allowed to run.
- The IT team should enable and regularly update antivirus scanning for macros via Microsoft Defender or another antivirus product to check for harmful code.
- Security administrators should conduct regular training sessions with staff to raise awareness about the risks of untrustworthy macros and the procedures in place.
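The following PowerShell audit script is an added example, not part of the Control Stack page or an ASD tool. It reads the Office 2016+ (version "16.0") Trust Center values that Group Policy writes to the registry and reports, per application, whether macros are restricted to signed macros and whether internet-sourced macros are blocked, then lists configured Trusted Locations and trusted publisher certificates for review. It assumes the documented policy registry paths under `HKCU:\Software\Policies\Microsoft\Office` and makes no changes.

```powershell
# Added audit example (not from the Control Stack page). Read-only: reports the
# macro policy state for E8-RM-ML3.1 review. Adjust $version for other Office builds.
$version = "16.0"
$apps = "Word", "Excel", "PowerPoint"
$vbaMeaning = @{ 1 = "Enable all macros"; 2 = "Disable with notification";
                 3 = "Disable all except digitally signed"; 4 = "Disable all without notification" }

function Get-MacroPolicy {
    param([string]$App)
    # Group Policy "VBA Macro Notification Settings" and "Block macros from running in
    # Office files from the Internet" are written here (assumed documented policy path).
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$version\$App\Security"
    $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
    $vba = $p.VBAWarnings
    $mark = $p.blockcontentexecutionfrominternet
    $vbaText = $(if ($null -eq $vba) { "not set (user choice)" } else { "$vba - $($vbaMeaning[[int]$vba])" })
    [pscustomobject]@{
        App           = $App
        VBAWarnings   = $vbaText
        BlockInternet = ($mark -eq 1)
        # ML3 intent: only signed macros (3 or 4) and internet macros blocked; Trusted
        # Locations are reviewed separately below.
        Compliant     = ($vba -in 3, 4) -and ($mark -eq 1)
    }
}

function Get-TrustedLocations {
    param([string]$App)
    # Policy-defined and user-defined Trusted Locations live in separate hives.
    foreach ($root in "HKCU:\Software\Policies\Microsoft\Office\$version\$App\Security\Trusted Locations",
                      "HKCU:\Software\Microsoft\Office\$version\$App\Security\Trusted Locations") {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $loc = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                App        = $App
                Source     = $(if ($root -like "*Policies*") { "Policy" } else { "User" })
                Path       = $loc.Path
                Subfolders = ($loc.AllowSubfolders -eq 1)
                # Network shares and user-writable folders widen the trust boundary: flag them.
                Network    = ($loc.Path -like "\\*")
            }
        }
    }
}

$apps | ForEach-Object { Get-MacroPolicy $_ } | Format-Table -AutoSize
$apps | ForEach-Object { Get-TrustedLocations $_ } | Format-Table -AutoSize
# Any certificate in these stores lets a macro signed by it run: check issuer and expiry.
Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
```

Run it under each standard user profile (or via a logon script collecting the output), since the policy keys are per-user; a Trusted Location on a network share or one the user can write to should be treated as an exception to remove or justify.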
Audit / evidence tips
- Ask: Do you have a list of users authorised to use macros and their business requirements?
- Good: There is a list of authorised users with documented business requirements aligned with macro permissions.
- Ask: How do you ensure macros from the internet are blocked?
- Good: The settings confirm that macros from internet sources are blocked, and the system automatically enforces these restrictions.
Cross-framework mappings
How E8-RM-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1488 | ISM-1488 requires that Microsoft Office macros in files originating from the internet are blocked | |
| Partially overlaps (2) | | |
| ISM-1672 | ISM-1672 requires Microsoft Office macro antivirus scanning to be enabled to identify malicious macros at runtime or on access | |
| ISM-1673 | ISM-1673 requires that Office macros are blocked from making Win32 API calls, limiting macro capability even when execution is permitted | |
| Supports (9) | | |
| ISM-0843 | E8-RM-ML3.1 prevents Office macros from executing unless trusted via sandboxing, Trusted Locations, or trusted publisher signatures | |
| ISM-1487 | ISM-1487 mandates that only privileged, authorised macro reviewers can modify content within Microsoft Office Trusted Locations | |
| ISM-1671 | ISM-1671 requires Microsoft Office macros to be disabled for users unless they have a demonstrated business requirement | |
| ISM-1675 | E8-RM-ML3.1 permits only trusted/sandboxed/signed Office macros to execute | |
| ISM-1676 | ISM-1676 requires organisations to periodically validate which publishers are trusted in Microsoft Office | |
| ISM-1796 | E8-RM-ML3.1 mandates that Office macros only execute when digitally signed by a trusted publisher (or from a Trusted Location/sandbox) | |
| ISM-1890 | E8-RM-ML3.1 requires macros to only execute if sandboxed, in Trusted Locations, or signed by a trusted publisher | |
| ISM-1891 | E8-RM-ML3.1 enforces macro execution only under trusted conditions (sandbox, Trusted Location, or trusted publisher signature) | |
| ISM-2050 | E8-RM-ML3.1 requires macros to execute only when digitally signed by a trusted publisher (or from a Trusted Location/sandbox) | |
| Related (1) | | |
| ISM-1674 | ISM-1674 requires that only Microsoft Office macros running in a sandbox, from a Trusted Location, or digitally signed by a trusted publi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.