Block enabling of non-V3 signed Microsoft Office macros via Message Bar
Prevent enabling of macros not signed with V3 signatures using standard Office UI controls.
Plain language
This control is about making sure that only trustworthy macros in Microsoft Office can be turned on. Macros are small programs that can automate tasks in Office applications like Word and Excel. If they're not properly checked, they could be used by attackers to run harmful software on your computers. By blocking macros that aren't signed with a trusted version of a digital signature, we reduce the risk of this happening.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.
Why it matters
If users can enable non‑V3 signed Office macros via the Message Bar/Backstage, malware may run and compromise devices and data.
Operational notes
Confirm Group Policy blocks enabling non‑V3 signed macros via Message Bar/Backstage, and routinely test with sample files.
Implementation tips
- The IT team should ensure that only macros signed with a V3 digital signature can be enabled. This can be done by configuring Microsoft Office settings to enforce this rule.
- System administrators should regularly check the digital signatures used on macros within their Office applications. This involves verifying that the signatures are V3 and come from a trusted source.
- Security officers should train employees about the risks of enabling macros and set policies that macros should only be enabled if they are necessary and verified.
- IT personnel should update policy settings in the Office Trust Centre across all user computers to automatically block macros that don't meet the signature requirements.
Audit / evidence tips
- Ask: Are there procedures in place to restrict enabling of macros without a V3 signature?
- Good: The settings should show that only V3 signed macros can be enabled through the Message Bar or Backstage View
Cross-framework mappings
How E8-RM-ML3.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1675 | E8-RM-ML3.5 blocks users from enabling macros via Office UI when the macro is not signed with a V3 signature |
| Supports | ISM-1674 | ISM-1674 requires that only macros that are sandboxed, from Trusted Locations, or signed by a trusted publisher are allowed to execute |
| Depends on | ISM-1489 | E8-RM-ML3.5 requires enforcing a policy that users cannot enable non‑V3 signed Office macros via the Message Bar or Backstage View |
| Related | ISM-1891 | ISM-1891 requires that Microsoft Office macros signed with signatures other than V3 signatures cannot be enabled via the Message Bar or B... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.