Prevent Win32 API Calls by Office Macros
Microsoft Office macros cannot make direct calls to Windows APIs.
Plain language
This control means Microsoft Office macros can't directly communicate with the core parts of Windows that handle tasks like opening programs or accessing files. This is important because if macros could do this, they might be used by bad actors to spread viruses or steal data from your computer systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Microsoft Office macros are blocked from making Win32 API calls.
Why it matters
If Office macros can call Win32 APIs, attackers can run native code, bypass protections and deliver malware or steal data.
Operational notes
Configure Office policy to block Win32 API calls from VBA/macros, and validate via GPO/registry settings and audit logs.
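One way to run this validation on a Windows endpoint, as an added example that is not part of the original page. It assumes the control is enforced through the Microsoft Defender attack surface reduction rule "Block Win32 API calls from Office macros" (the page does not name the mechanism); the function names are illustrative.

```powershell
# Added example (not from the original page). Assumes enforcement through the
# Microsoft Defender ASR rule "Block Win32 API calls from Office macros".
$RuleId     = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$StateNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$GpoKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'

function Get-MacroApiRuleState {
    # Effective state reported by Defender, whatever delivered it (GPO, MDM, local).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) { return [int]$actions[$i] }
    }
    return $null   # rule is not configured on this machine
}

function Get-MacroApiRuleGpoValue {
    # Value written by Group Policy; absent when the rule comes from MDM or local config.
    $item = Get-ItemProperty -Path $GpoKey -Name $RuleId -ErrorAction SilentlyContinue
    if ($item) { return $item.$RuleId }
    return $null
}

function Get-MacroApiRuleEvents {
    # 1121 = blocked, 1122 = would have been blocked (audit mode).
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    @(Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match $RuleId })
}

$state  = Get-MacroApiRuleState
$events = Get-MacroApiRuleEvents
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    EffectiveState = if ($null -eq $state) { 'NotConfigured' } else { $StateNames[$state] }
    GpoValue       = Get-MacroApiRuleGpoValue
    Enforced       = ($state -eq 1)   # only Block meets "are blocked"; Audit and Warn do not
    BlockEvents    = @($events | Where-Object Id -eq 1121).Count
    AuditEvents    = @($events | Where-Object Id -eq 1122).Count
    Checked        = Get-Date -Format s
}
```

The resulting object can be exported per endpoint (for example with `Export-Csv`) and kept as evidence for periodic configuration reviews.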
Implementation tips
- IT team should configure Microsoft Office settings: Adjust the settings in Microsoft Office applications to disable direct calls to Windows APIs by macros. This can typically be done through group policy settings in the network management tools they use.
- Office manager to inform and educate staff: Ensure all staff are aware that Office macros will have restricted capabilities and this is for their security. Use a short email or a meeting to explain that macros won't be able to perform risky operations that could harm the computer system.
- System administrator should implement updates: Regularly check for and apply Microsoft Office updates that may be required to enforce this control. Make use of the automatic update feature where possible to ensure all Office applications are up to date.
- The security team should perform regular checks: Conduct periodic reviews of policy settings to ensure that the macro security settings remain enforced. This can be done through audits of system configurations.
- Procurement should verify software compatibility: Before purchasing or updating software that integrates with Office, ensure it is compatible with this restriction on macros. Discuss with software vendors about how their applications work with restricted macro functionality.
Audit / evidence tips
- Ask: the Office macro policy settings documentation. Request evidence of current Microsoft Office macro settings being enforced.
  Good: policies showing settings that restrict macro API usage.
- Ask: a demonstration of restricted macro behaviour. Request an IT staff member to show how a macro's attempt to make API calls is blocked during operation.
  Good: real-time logs showing blocked API call attempts.
- Ask: a recent security test report on Office macros. Obtain a report on security test results concerning blocked macro actions.
  Good: a report showing no successful attempts to exploit APIs.
- Ask: training records regarding macro policy. Check records of staff training sessions that cover Microsoft Office restrictions on macros.
  Good: completed training records with dates and attendees.
- Ask: update logs or schedules for Office software. Request the update logs or schedules showing regular software updates are applied.
  Good: a documented update routine ensuring the latest security patches are applied.
Cross-framework mappings
How ISM-1673 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-1673 requires implementing a specific security configuration: blocking Win32 API calls from Microsoft Office macros | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (6) | | |
| Supports (2) | | |
| Related (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.