Blocking Internet-Originating Macros in Office Files
Microsoft Office blocks macros from files downloaded from the internet to enhance security.
Plain language
Blocking macros from office files downloaded from the internet is like ensuring your door has a peephole before letting someone in. Macros can carry harmful code that might damage your computer or steal information. This control protects your systems from getting infected by bad software hiding in documents from the web.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardeningSection
User application hardeningTopic
Microsoft Office MacrosOfficial control statement
Microsoft Office macros in files originating from the internet are blocked.
Why it matters
Allowing internet-originating Office macros can enable malware execution, leading to system compromise and data loss; blocking reduces this risk.
Operational notes
Enforce Office policy to block macros in internet-sourced files (MOTW) via GPO/Intune, and routinely test with a MOTW-marked sample.
Implementation tips
- IT Team should verify Microsoft Office settings: Check the settings in Microsoft Office applications to ensure that macros from documents originating online are blocked. This can be done by accessing the macro settings in each Office application and ensuring internet-based documents have macros disabled by default.
- Office Manager should train employees: Educate staff about the dangers of enabling macros in files from unknown sources. Conduct a training session showing how to recognise alerts about macros and why they should avoid enabling them unless they are absolutely sure of the document's safety.
- IT Team should apply group policies: Use group policy settings to enforce a rule across all company computers that block macros from internet files. This involves configuring Group Policy Objects (GPOs) to apply the macro-blocking setting within your network.
- System Administrator should update security software: Regularly confirm that security software is up to date to catch threats contained within macros. This can involve setting automatic updates to ensure the most current protections are in place.
- Office Manager should create a response plan: Develop a simple, easy-to-follow guide for staff on what to do if they suspect opening a risky macro might have happened. Include steps like disconnecting from the internet and contacting IT support immediately.
Audit / evidence tips
-
Askthe macro settings configuration documentation: Request the document or screenshot showing the macro security settings in Microsoft Office
Goodwill show the specific settings checked to disable macros from untrusted locations
-
Asktraining records on macro security
-
Askgroup policy settings: Request documentation or demonstration of the Group Policy Objects (GPOs) used to enforce macro-blocking. Look to see that policies are currently active and targeting relevant devices. A solid answer will present GPO details showing that these are applied and effective
-
Askrecords of security software updates: Request evidence of when the latest security software updates were applied across the organisation
Goodis a log entry that shows updates are performed automatically and regularly
-
Askresponse plan documentation: Request the document outlining the response steps for when a risky macro is detected
Gooddocument will have steps listed and contacts for IT support
Cross-framework mappings
How ISM-1488 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| E8-RM-ML3.1 | ISM-1488 requires that Microsoft Office macros in files originating from the internet are blocked | |
| handshake Supports (1) expand_less | ||
| E8-RM-ML1.4 | ISM-1488 requires that Microsoft Office macros in files originating from the internet are blocked | |
| link Related (1) expand_less | ||
| E8-RM-ML1.2 | E8-RM-ML1.2 requires Microsoft Office macros in files originating from the internet to be blocked to prevent internet-borne macro execution | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.