Prevent Microsoft Office from Injecting Code
Microsoft Office is configured to not insert code into other programs for security reasons.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2021
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Microsoft Office is blocked from injecting code into other processes.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about stopping Microsoft Office from inserting its code into other software on your computer. It matters because if Office could easily inject code elsewhere, it might open the door for hackers to exploit that capability, leading to data theft or malicious software spreading without you knowing.
Why it matters
If Microsoft Office can inject code into other processes, attackers can use Office to run malicious code in trusted apps, enabling malware spread and data compromise.
Operational notes
Enable and audit the Defender ASR rule ‘Block Office applications from injecting code into other processes’, monitor alerts, and restrict any exceptions to approved cases.
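The audit described in the operational notes can be scripted per endpoint. The following is an added example, not taken from the ISM or from this page's source. The rule GUID, action codes and event IDs are the ones Microsoft documents for this ASR rule, while the function name `Get-AsrRuleState`, the 30-day window and treating only Block mode as meeting ISM-1669 are assumptions.

```powershell
# Added example: report the state of the ASR rule
# "Block Office applications from injecting code into other processes".
$RuleId = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'   # GUID from Microsoft's ASR rule reference

# Action codes Defender stores for each configured ASR rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Hypothetical helper: Ids and Actions are the parallel arrays from Get-MpPreference.
function Get-AsrRuleState {
    param([string[]]$Ids, [int[]]$Actions, [string]$Rule)
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -eq $Rule) {          # -eq on strings is case-insensitive
            $code = $Actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'                # rule absent from the policy
}

$pref  = Get-MpPreference
$state = Get-AsrRuleState -Ids $pref.AttackSurfaceReductionRules_Ids `
                          -Actions $pref.AttackSurfaceReductionRules_Actions `
                          -Rule $RuleId

# Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
$since  = (Get-Date).AddDays(-30)          # assumed review window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.ToXml() -match $RuleId }

# One record per endpoint, suitable for export as audit evidence.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    RuleState   = $state
    Compliant   = ($state -eq 'Block')     # assumption: only Block meets the control
    BlockEvents = @($events | Where-Object Id -eq 1121).Count
    AuditEvents = @($events | Where-Object Id -eq 1122).Count
    Exclusions  = @($pref.AttackSurfaceReductionOnlyExclusions)
}
```

Any path listed under `Exclusions` should match an approved exception; an endpoint reporting `Audit` or `Warn` logs or prompts on injection attempts but does not enforce the block.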
Implementation tips
- The IT team should adjust settings within Microsoft Office to prevent it from injecting code into other applications. They can do this by accessing the Office application settings and modifying the security settings related to code execution and integration with other software.
- Managers should work with their staff to ensure they understand how to spot any suspicious activity related to unexpected Microsoft Office behaviour. Conduct a short training session to explain what unusual behaviour looks like, such as Office applications trying to access other programs without warning.
- System administrators should regularly update Microsoft Office software. They can schedule automatic updates or routinely check for new updates through Microsoft's update service to ensure any known vulnerabilities are patched.
- Procurement officers should ensure that all purchased software including Office is bought from legitimate sources. Verify licences and purchase records to avoid using pirated versions, which are more likely to have security risks enabling code injection.
- Security officers should monitor the use of Office applications with network security tools. Set up alerts for activities that seem odd, such as Office files that are interacting with other parts of the system without a clear reason.
Audit / evidence tips
- Ask: a list of Microsoft Office security settings: Request a document or screenshot showing how Office is configured on systems to prevent code injection
  Good: will show these features are set to 'disabled' or 'restricted.'
- Ask: the results of any recent IT security audits involving Microsoft Office: Request copies of the reports
  Good: is an audit that specifically confirms code injection protections are active
- Ask: training materials given to staff about Microsoft Office use and security: Check the content for clear advice about preventing unauthorised actions by Office applications
  Good: includes mentions of recognising unusual Office behaviour
- Ask: documentation on the software update process: This should outline how often Office is updated and who is responsible
  Good: includes a log of past updates applied
- Ask: procurement records for Microsoft Office licences: Review them to ensure all software in use has legitimate licences
  Good: should rely on clear documentation from official vendors or Microsoft itself
Cross-framework mappings
How ISM-1669 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Partially overlaps (4) | | |
| Related (1) | | |