ISM-1669 policy ASD Information Security Manual (ISM)

Prevent Microsoft Office from Injecting Code

Microsoft Office is configured to not insert code into other programs for security reasons.

Preventative ML2 ML3 NC OS P ASD Information Security ManualGuidelines for system hardening application security configuration hardening

record_voice_over

Plain language

This control is about stopping Microsoft Office from inserting its code into other software on your computer. It matters because if Office could easily inject code elsewhere, it might open the door for hackers to exploit that capability, leading to data theft or malicious software spreading without you knowing.

01 - Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 May 2026

E8 maturity levels

ML2, ML3

Guideline

Guidelines for system hardening

Section

User application hardening

Topic

Hardening User Application Configurations

Official control statement

Microsoft Office is blocked from injecting code into other processes.

policy ASD Information Security Manual (ISM) ISM-1669

priority_high

Why it matters

If Microsoft Office can inject code into other processes, attackers can use Office to run malicious code in trusted apps, enabling malware spread and data compromise.

settings

Operational notes

Enable and audit the Defender ASR rule ‘Block Office applications from injecting code into other processes’, monitor alerts, and restrict any exceptions to approved cases.

02 - Implement

build

Implementation tips

The IT team should adjust settings within Microsoft Office to prevent it from injecting code into other applications. They can do this by accessing the Office application settings and modifying the security settings related to code execution and integration with other software.
Managers should work with their staff to ensure they understand how to spot any suspicious activity related to unexpected Microsoft Office behaviour. Conduct a short training session to explain what unusual behaviour looks like, such as Office applications trying to access other programs without warning.
System administrators should regularly update Microsoft Office software. They can schedule automatic updates or routinely check for new updates through Microsoft's update service to ensure any known vulnerabilities are patched.
Procurement officers should ensure that all purchased software including Office is bought from legitimate sources. Verify licences and purchase records to avoid using pirated versions, which are more likely to have security risks enabling code injection.
Security officers should monitor the use of Office applications with network security tools. Set up alerts for activities that seem odd, such as Office files that are interacting with other parts of the system without a clear reason.

03 - Audit

fact_check

Audit / evidence tips

AskA list of Microsoft Office security settings: Request a document or screenshot showing how Office is configured on systems to prevent code injection GoodWill show these features are set to 'disabled' or 'restricted.'
AskThe results of any recent IT security audits involving Microsoft Office: Request copies of the reports GoodIs an audit that specifically confirms code injection protections are active
AskTraining materials given to staff about Microsoft Office use and security: Check the content for clear advice about preventing unauthorised actions by Office applications GoodIncludes mentions of recognising unusual Office behaviour
AskDocumentation on the software update process: This should outline how often Office is updated and who is responsible GoodIncludes a log of past updates applied
AskProcurement records for Microsoft Office licences: Review them to ensure all software in use has legitimate licences GoodShould rely on clear documentation from official vendors or Microsoft itself

04 - Mappings

link

Cross-framework mappings

How ISM-1669 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control	Notes	Details
layers Partially meets (1) expand_less
Annex A 8.9	ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes

E8

Control	Notes	Details
layers Partially meets (1) expand_less

E8-AH-ML2.7	ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes
sync_alt Partially overlaps (4) expand_less

E8-AH-ML2.2	ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes
E8-AH-ML2.3	ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes
E8-AH-ML2.5	E8-AH-ML2.5 requires disabling OLE package activation in Microsoft Office to reduce embedded object execution and related exploitation

E8-RM-ML2.1	ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes
link Related (1) expand_less

E8-AH-ML2.4	E8-AH-ML2.4 requires Microsoft Office to be blocked from injecting code into other processes to reduce macro-driven and exploit-driven po...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.