🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Microsoft Office macros in files originating from the internet are blocked.

| Property | Value |
|---|---|
| ISM Control | ISM-1488 |
| Revision | 1 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Microsoft Office macros |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Microsoft Office macros in files originating from the internet are blocked by applying a centralised Anti-Malware Threat Policy that blocks all macro-capable file types, including DOCM, XLSM and PPTM. This reduces the risk of macro-based malware and aligns with established hardening guidelines and baseline configurations.

The primary enforcement mechanism is the Mark of the Web (MOTW). When a file is downloaded from the internet, Windows attaches a Zone.Identifier alternate data stream (ADS) containing ZoneId=3 to the file on NTFS volumes. When a macro-enabled Office document carrying this marker is opened, Microsoft 365 Apps version 2203 and later block macro execution automatically and display a Security Risk banner with no "Enable Content" button. This behaviour is enabled by default in modern Office builds and requires no additional configuration, but it must still be confirmed through the ACSC Office Hardening policy.

Attack Surface Reduction (ASR) rules complement MOTW enforcement by preventing macro-initiated code execution even if the MOTW is stripped or bypassed.

Design Decision

[!NOTE] The Anti-Malware Threat Policy will be used to block all file types that may contain macros, including DOCM, XLSM, and PPTM. It will be applied through the Intune policy set framework to enforce macro blocking across Office clients.

Prerequisites

Implementation Steps

Implement Macro Blocking using ACSC Office Hardening Guidelines and ASR

  1. Create a group that contains the users targeted with the Office apps and the Office hardening policies (All Office Users).
  2. Create the Microsoft 365 Apps for Windows 10 or later app under Apps > Windows > Add > Microsoft 365 Apps. Include the Microsoft 365 Apps required by your organisation. Set Architecture to 64-bit (recommended). Set Update Channel to Semi-Annual Enterprise Channel (recommended).
  3. Do not assign the application yet; this is done in a later step.
  4. Save the ACSC Office Hardening Guidelines policy JSON to your local device.
  5. Import a policy under Devices > Windows > Configuration profiles > Create > Import Policy.
  6. Name the policy, select Browse for files under Policy file and navigate to the policy saved in step 4. Click Save.
  7. Create a new PowerShell script to prevent activation of Object Linking and Embedding (OLE) packages. Navigate to Devices > Scripts and create a new PowerShell script.
  8. Import the PowerShell script that prevents activation of OLE packages. Run this script using the logged on credentials: Yes. Enforce script signature check: No. Run script in 64-bit PowerShell Host: No. Assign the PowerShell script to All Office Users.
  9. Navigate to Devices > Policy sets > Create.
  10. Under Application Management > Apps, select Microsoft 365 Apps (for Windows 10 and later) (created in step 2).
  11. Under Device Management > Device Configuration Profiles, select ACSC Office Hardening (imported in step 6).
  12. Under Assignments, select All Office Users (created in step 1).
  13. Import the Endpoint Security Attack Surface Reduction policy.
  14. Navigate to Graph Explorer and authenticate.
  15. Copy the JSON in ACSC Windows Hardening Guidelines-Attack Surface Reduction.json and paste it into the request body. Optionally modify the name value. Assign the policy to All Office Users.

Note: this Attack Surface Reduction (ASR) policy configures ASR rules in audit mode. Test ASR rules for compatibility issues in your environment before enforcement.

Controlling Macro Execution

  1. By default, All Office Users are blocked from executing macros; the block macros policy is not included in the Policy Set.
  2. Create a group that contains the users who are able to run Office macros if they are signed by a Trusted Publisher. This group is referred to as: Allow macro execution - Trusted Publisher.
  3. Save the All Macros Disabled policy to your local device.
  4. Import a policy under Devices > Windows > Configuration profiles > Create > Import Policy.
  5. Name the policy, select Browse for files under Policy file and navigate to the policy saved in step 3. Click Save.
  6. Assign the All Macros Disabled policy to All Office Users (created at the start of this document).
  7. Exclude the Allow macro execution - Trusted Publisher group (from step 2).
  8. Import the policy that enables macros for Trusted Publishers: the Macros Enabled for Trusted Publishers policy. Then assign the policy to the group Allow macro execution - Trusted Publisher.
  9. To import the Trusted Publisher policy, complete the following steps: a) Save the Macros Enabled for Trusted Publishers policy to your local device. b) Navigate to the Microsoft Intune console. c) Import a policy under Devices > Windows > Configuration profiles > Create > Import Policy. d) Name the policy, browse for files and select the saved policy. e) Save. f) Assign the policy to the group Allow macro execution - Trusted Publisher.
  10. To add a Trusted Publisher, follow the instructions for adding a certificate to the Trusted Publishers certificate store using Intune. Create a new policy for each Trusted Publisher and deploy it to the same group: Allow macro execution - Trusted Publisher.
  11. When signing macros, use the V3 signature.

Note: When using Trusted Publishers, macros are restricted to those signed by a Trusted Publisher, and a separate policy is created per publisher to simplify management and removal.
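The following script is an added example, not part of this guide or the ACSC policy files: it reads the per-app Office macro policy values on an endpoint and checks them against what the All Macros Disabled and Trusted Publisher policies above are meant to enforce. It assumes Microsoft 365 Apps (the Office 16.0 registry hive) with user-scope policy keys under HKCU, and the mapping All Macros Disabled = VBAWarnings 4 and Trusted Publisher policy = VBAWarnings 3 is an assumption based on the policy names.

```powershell
# Added example, not part of the guide: audit the Office macro policy values that the
# All Macros Disabled / Macros Enabled for Trusted Publishers policies are expected to write.
# Assumes Microsoft 365 Apps (Office 16.0 registry hive) and user-scope policy keys under HKCU.
$apps = 'Word', 'Excel', 'PowerPoint'
$vbaMeaning = @{
    1 = 'Enable all macros (insecure)'
    2 = 'Disable with notification (user can click Enable Content)'
    3 = 'Disable except digitally signed (Trusted Publisher model)'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    param([string]$App)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba   = if ($null -ne $props.VBAWarnings) { [int]$props.VBAWarnings } else { $null }
    [pscustomobject]@{
        App                 = $App
        VBAWarnings         = $vba
        Meaning             = if ($null -ne $vba) { $vbaMeaning[$vba] } else { 'Not configured (Trust Center default applies)' }
        # blockcontentexecutionfrominternet=1 is the policy value behind the MOTW block
        BlockInternetMacros = ([int]$props.blockcontentexecutionfrominternet -eq 1)
    }
}

$results = $apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ }
$results | Format-Table -AutoSize

# ISM-1488 expects internet-origin macros blocked for every app. Assumed mapping from the
# policy names: All Macros Disabled -> VBAWarnings 4, Trusted Publisher group -> VBAWarnings 3.
$findings = $results | Where-Object { -not $_.BlockInternetMacros -or $_.VBAWarnings -notin 3, 4 }
if ($findings) { Write-Warning "Non-compliant macro policy for: $($findings.App -join ', ')" }

# Trusted Publishers (step 10): the certificates Office will accept for signed macros
Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter
```

Run it as the targeted user on a device that has received the Intune policies; a machine-scope deployment would write the same values under HKLM instead.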

Mark of the Web and macro blocking

The following sequence describes how MOTW enforcement works for internet-origin macros:

  1. The user downloads a macro-enabled Office document from the internet (browser, email attachment, etc.).
  2. Windows adds a :Zone.Identifier ADS to the file on NTFS (ZoneId=3, the Internet zone).
  3. Office detects the MOTW flag when the document is opened.
  4. Macro execution is blocked; the user sees "Security Risk — macros obtained from the Internet are blocked" with no option to enable them.
  5. The file can only run macros if it is explicitly moved to a Trusted Location or the ADS is removed (unblocked via file properties).

[!NOTE] MOTW does not survive on FAT32 volumes, which are common on USB/removable storage. Files copied from NTFS to FAT32 media and back lose the Zone.Identifier stream. This is a known MOTW bypass; supplement with ASR rules for defence-in-depth.
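As an added example (not code from this guide), the script below audits a folder for macro-capable Office files and reports whether each still carries the Zone.Identifier stream that triggers the Office block, also recording the file system so the FAT32 case in the note is visible. It goes slightly beyond the guide by covering the legacy .doc/.xls/.ppt formats as well, since those can also hold macros; the Downloads path is an assumed starting point.

```powershell
# Added example, not part of the guide: list macro-capable Office files under a folder and
# report whether each still carries the Zone.Identifier stream that triggers the Office block.
# Goes slightly beyond the guide by also covering legacy .doc/.xls/.ppt, which can hold macros.
$macroExtensions = '.docm', '.dotm', '.xlsm', '.xlam', '.pptm', '.ppam', '.doc', '.xls', '.ppt'

function Get-MotwStatus {
    param([System.IO.FileInfo]$File)
    # The stream is INI-style text: [ZoneTransfer] / ZoneId=3 (3 = Internet, 4 = Restricted sites)
    $stream = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in @($stream)) {
        $m = [regex]::Match($line, '^ZoneId=(\d+)\s*$')
        if ($m.Success) { $zoneId = [int]$m.Groups[1].Value; break }
    }
    # Alternate data streams only exist on NTFS (and ReFS); on FAT32 the marker is gone
    $fs = $(try { (New-Object System.IO.DriveInfo($File.Directory.Root.FullName)).DriveFormat } catch { 'unknown' })
    [pscustomobject]@{
        File         = $File.FullName
        FileSystem   = $fs
        ZoneId       = $zoneId
        OfficeBlocks = ($zoneId -in 3, 4)   # Office blocks macros for Internet and Restricted zones
    }
}

function Find-MacroFiles {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $macroExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object { Get-MotwStatus -File $_ }
}

# Assumed starting point; point this at a file share or removable drive to test the FAT32 case
$report = Find-MacroFiles -Path "$env:USERPROFILE\Downloads"
$report | Format-Table -AutoSize

# Files with no MOTW are not blocked by Office itself; those are the cases the ASR rules must cover
$report | Where-Object { -not $_.OfficeBlocks } |
    ForEach-Object { Write-Warning "No MOTW macro block: $($_.File) [$($_.FileSystem)]" }
```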

ASR rules for macro behaviour

Deploy the following Attack Surface Reduction rules in Block mode (value 1) to prevent macro-initiated code execution, even if MOTW is bypassed:

| ASR rule | GUID | Purpose |
|---|---|---|
| Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b | Prevents VBA from calling system APIs |
| Block Office apps from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a | Stops macros from launching executables |
| Block Office apps from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 | Prevents macros writing .exe files |
| Block Office apps from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 | Stops code injection after macro execution |

Deploy the rules via Intune under Endpoint Security > Attack surface reduction, setting each GUID to 1 (Block). Start in Audit mode (GUID set to 2) and review the Defender for Endpoint ASR report for false positives before switching to Block.
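The script below is an added example, not part of this guide: it compares the local Defender ASR configuration against the four macro-related rules in the table and pulls the matching audit and block events from the Defender operational log, which is the per-device view of what the ASR report shows centrally. It assumes Microsoft Defender Antivirus is the active engine, so Get-MpPreference and the Microsoft-Windows-Windows Defender/Operational log are available.

```powershell
# Added example, not part of the guide: compare the local Defender ASR configuration with the
# four macro-related rules in the table above and surface recent ASR audit/block events.
# Assumes Microsoft Defender Antivirus is active so Get-MpPreference and its event log exist.
$macroRules = @{
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
}
$actionName  = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

function Get-MacroAsrState {
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; pair them by index (filter drops a $null Ids array)
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($guid in $macroRules.Keys) {
        $action = if ($configured.ContainsKey($guid)) { $configured[$guid] } else { $null }
        [pscustomobject]@{
            Rule      = $macroRules[$guid]
            Action    = if ($null -ne $action) { $actionName[$action] } else { 'Not configured' }
            Compliant = ($action -eq 1)   # ISM-1488 wants Block once the audit review is complete
        }
    }
}

# Event 1122 = rule matched in Audit mode, 1121 = rule blocked. Reviewing 1122 hits for these
# GUIDs before switching to Block is the local view of the Defender for Endpoint ASR report.
function Get-MacroAsrEvents {
    param([int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $id = [regex]::Match($_.Message, $guidPattern).Value.ToLower()
            if ($macroRules.ContainsKey($id)) {
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    Mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                    Rule = $macroRules[$id]
                }
            }
        }
}

Get-MacroAsrState  | Format-Table -AutoSize
Get-MacroAsrEvents | Format-Table -AutoSize
```

A rule reported as Audit with no 1122 events over the review window is the signal that it can be moved to Block in the Intune policy.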
