Prevent Enabling Untrusted Microsoft Office Macros
Macros from untrusted sources in Microsoft Office can't be enabled through standard interfaces.
Plain language
This control is about stopping Microsoft Office users from enabling macros (small programs embedded in Office documents) that carry a digital signature from a publisher the organisation has not chosen to trust. Office normally offers an "Enable Content" option in the yellow Message Bar and in Backstage View (the File menu); this control removes that option for untrusted publishers so that one click cannot override the organisation's macro policy. It matters because a harmful macro can alter or steal files and install malware, like leaving your front door open for thieves.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
User application hardening
Topic
Microsoft Office Macros
Official control statement
Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
Why it matters
If untrusted Office macros run, they can automate data theft or malware spread, critically compromising business operations and security.
Operational notes
Regularly verify that the Office macro policy is still enforced on endpoints: unsigned macros are blocked, and macros signed by an untrusted publisher cannot be enabled from the Message Bar or Backstage View. Educate users that the absence of an "Enable Content" prompt is deliberate and that they must not attempt to work around it.
Implementation tips
- IT team should configure Microsoft Office Group Policy: set up rules that block macros from untrusted sources and remove the user's ability to enable them. In the Group Policy Editor this means, for each Office application, setting 'VBA Macro Notification Settings' to 'Disable all except digitally signed macros' (or the stricter 'Disable all macros without notification', which also blocks legitimately signed macros), and enabling 'Disable all Trust Bar notifications for security issues' under the Microsoft Office Security Settings so that a macro signed by an untrusted publisher produces no Message Bar or Backstage View prompt offering to enable it.
- Managers should educate staff about macro security: Organise a short training session to explain the dangers of enabling macros from unknown sources. Use real-world examples (like email scams) to illustrate how bad macros can sneak in and cause damage.
- IT support should regularly update Microsoft Office: Ensure all Office applications are kept up-to-date with the latest security patches. Use automatic updating settings in the Office suite to make this process seamless and less prone to human error.
- System administrators should set up security alerts: configure endpoint monitoring to alert on attempts to work around the macro policy, for example changes to the Office macro policy registry values or Office applications spawning unexpected child processes. Use existing monitoring systems to watch for this activity without overwhelming employees with notifications.
- Procurement should ensure compliance with security policies: When buying or renewing software licences, check that all software supports disabling untrusted macros. Include specific requirements for macro management in software procurement contracts.
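The following PowerShell script is an added audit example, not part of the ISM or of this page, that checks the per-user Office policy registry values Group Policy writes for the settings discussed in the operational notes and the first implementation tip above. It assumes Office 2016/2019/2021/Microsoft 365 Apps (policy key version 16.0), that policy is delivered to `HKCU\Software\Policies`, and that the listed applications all store their macro setting in a `VBAWarnings` value; confirm the paths against the ADMX templates in use before relying on the result.

```powershell
# Added example (not from the ISM or the page): audit the Office macro policy values
# relevant to ISM-1675 on the current user's profile.
# Assumptions: Office policy version key 16.0, policies under HKCU\Software\Policies,
# and the application list below (all assumed to use the VBAWarnings value).

$OfficeVersion = '16.0'
$PolicyRoot    = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
$Apps          = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

# VBAWarnings values written by the "VBA Macro Notification Settings" policy.
# 2 leaves an "Enable Content" prompt in the Message Bar, so it fails this control.
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent rather than throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-MacroPolicy {
    $results = @()

    # "Disable all Trust Bar notifications for security issues" writes Common\Security\TrustBar = 1.
    # With it enabled, Office does not show the Message Bar (and the matching Backstage View prompt)
    # that would let a user trust an untrusted publisher and enable its macro.
    $trustBar = Get-PolicyValue "$PolicyRoot\Common\Security" 'TrustBar'
    $results += [pscustomobject]@{
        Scope     = 'Common'
        Setting   = 'Disable all Trust Bar notifications for security issues'
        Value     = if ($null -eq $trustBar) { 'not configured' } else { $trustBar }
        Compliant = ($trustBar -eq 1)
    }

    foreach ($app in $Apps) {
        $v = Get-PolicyValue "$PolicyRoot\$app\Security" 'VBAWarnings'
        $display = 'not configured'
        if ($null -ne $v -and $VbaWarningsMeaning.ContainsKey([int]$v)) {
            $display = "$v ($($VbaWarningsMeaning[[int]$v]))"
        }
        $results += [pscustomobject]@{
            Scope     = $app
            Setting   = 'VBA Macro Notification Settings'
            Value     = $display
            # Only 3 (signed only) or 4 (none) remove the user's enable path.
            Compliant = ($v -eq 3 -or $v -eq 4)
        }
    }
    return $results
}

$report = Test-MacroPolicy
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'ISM-1675 policy gaps found: see Compliant = False rows above'
    exit 1
}
Write-Output 'All checked macro policy values are compliant'
```

Run it under the user account whose policy you want to check (it reads HKCU, so run as the end user or against a loaded user hive, not as an administrator with a different policy scope). The script reports what Group Policy has written, not what Office does at run time; pair it with a test document signed by a publisher that is not in the trusted publishers store and confirm that Word or Excel shows no "Enable Content" option in either the Message Bar or File > Info.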
Audit / evidence tips
- Ask for a report on Group Policy settings for Office: request documentation showing the current Office Group Policy settings for macros.
  Good evidence: shows that macros signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View, and that macros are otherwise blocked unless they come from a trusted source.
- Ask for a list of any exceptions made to this policy: request any documentation of exceptions where macros from untrusted sources may have been enabled, and check for appropriate authorisation and risk assessment in these cases.
  Good evidence: includes detailed reasoning and approvals for any exceptions.
- Ask for records of staff training sessions on macro security: request minutes or records of staff training sessions covering Office macro security.
  Good evidence: has dated session records and participant lists.
- Ask to see update logs for Office applications: request logs or reports showing recent updates to Office applications.
  Good evidence: shows consistent and recent updates aligned with vendor release notes.
- Ask for alerts and responses to potential macro threats: request examples of alerts generated and the subsequent responses in handling them.
  Good evidence: includes prompt detection and written response procedures.
Cross-framework mappings
How ISM-1675 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
- Partially overlaps: 2 controls
- Supports: 5 controls
- Related: 1 control
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.