Prevent Win32 API Calls by Office Macros
Microsoft Office macros cannot make direct calls to Windows APIs.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2021
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Microsoft Office macros are blocked from making Win32 API calls.
Source: ASD Information Security Manual (ISM)
Plain language
This control means Microsoft Office macros can't directly communicate with the core parts of Windows that handle tasks like opening programs or accessing files. This is important because if macros could do this, they might be used by bad actors to spread viruses or steal data from your computer systems.
Why it matters
If Office macros can call Win32 APIs, attackers can run native code, bypass protections and deliver malware or steal data.
Operational notes
Configure Office policy to block Win32 API calls from VBA/macros, and validate via GPO/registry settings and audit logs.
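One way to validate the setting and collect log evidence on a Windows endpoint, as an added example that is not part of the ISM or of this page's source. It assumes the control is enforced with the Microsoft Defender attack surface reduction (ASR) rule "Block Win32 API calls from Office macros"; the function names are hypothetical.

```powershell
# Added example: audit the Defender ASR rule "Block Win32 API calls from Office macros".
# Assumption: the control is enforced through Microsoft Defender Antivirus ASR rules.
$RuleId      = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-MacroApiRuleState {
    # Effective state as reported by Defender (GPO, MDM and local settings merged).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return [int]$actions[$i] }
    }
    return $null   # rule is not configured on this machine
}

function Get-MacroApiRulePolicyValue {
    # Value delivered by Group Policy, if the rule is set that way.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
    (Get-ItemProperty -Path $key -Name $RuleId -ErrorAction SilentlyContinue).$RuleId
}

function Get-MacroApiRuleEvents {
    param([int]$Days = 30)
    # Event 1121 = rule blocked an action, 1122 = rule fired in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, Id, MachineName
}

# One evidence record per machine; only the Block state counts as enforced.
$state = Get-MacroApiRuleState
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    EffectiveState = if ($null -eq $state) { 'Not configured' } else { $ActionNames[$state] }
    GpoValue       = Get-MacroApiRulePolicyValue
    Compliant      = ($state -eq 1)
    RecentEvents   = @(Get-MacroApiRuleEvents).Count
}
```

A rule left in Audit or Warn mode still logs macro API call attempts but does not block them, so the record reports it as non-compliant.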
Implementation tips
- IT team should configure Microsoft Office settings: Adjust the settings in Microsoft Office applications to disable direct calls to Windows APIs by macros. This can typically be done through group policy settings in the network management tools they use.
- Office manager to inform and educate staff: Ensure all staff are aware that Office macros will have restricted capabilities and this is for their security. Use a short email or a meeting to explain that macros won't be able to perform risky operations that could harm the computer system.
- System administrator should implement updates: Regularly check for and apply Microsoft Office updates that may be required to enforce this control. Make use of the automatic update feature where possible to ensure all Office applications are up to date.
- The security team should perform regular checks: Conduct periodic reviews of policy settings to ensure that the macro security settings remain enforced. This can be done through audits of system configurations.
- Procurement should verify software compatibility: Before purchasing or updating software that integrates with Office, ensure it is compatible with this restriction on macros. Discuss with software vendors about how their applications work with restricted macro functionality.
Audit / evidence tips
- Ask for the Office macro policy settings documentation: Request evidence of current Microsoft Office macro settings being enforced. Good evidence is policies showing settings that restrict macro API usage.
- Ask for a demonstration of restricted macro behaviour: Request an IT staff member to show how a macro's attempt to make API calls is blocked during operation. Good evidence would be real-time logs showing blocked API call attempts.
- Ask for a recent security test report on Office macros: Obtain a report on security test results concerning blocked macro actions. Good evidence is a report showing no successful attempts to exploit APIs.
- Ask for training records regarding macro policy: Check records of staff training sessions that cover Microsoft Office restrictions on macros. Good evidence includes completed training records with dates and attendees.
- Ask for update logs or schedules for Office software: Request the update logs or schedules showing regular software updates are applied. Good evidence is a documented update routine ensuring the latest security patches are applied.
Cross-framework mappings
How ISM-1673 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.9 | ISM-1673 requires implementing a specific security configuration: blocking Win32 API calls from Microsoft Office macros | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (6) | ||
| Supports (1) | ||
| Related (1) | ||