Microsoft Office is blocked from injecting code into other processes.

Property	Value
ISM Control	ISM-1669
Revision	0
Updated	Sep-21
Guideline	Not provided
Section	User application hardening
Topic	Hardening user application configurations
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

The control blocks Office applications from injecting code into other processes (ASR rule GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84) to mitigate code-injection risks from Office components. This is implemented by enabling the ASR rule via Intune to block Office apps from injecting code into other processes. ¹²

Justification

Code injection is a core technique in Office-based malware campaigns. A malicious macro or document can use VBA’s CreateObject, CallWindowProc, or Dynamic Data Exchange (DDE) fields to:

Process hollowing — spawn a suspended svchost.exe or explorer.exe, overwrite its memory with shellcode, then resume it under the legitimate process identity.
Reflective DLL injection — load an unsigned DLL directly from a Base64-decoded buffer into another process without touching disk, bypassing file-based AV scanning.
APC injection via DDE — abuse DDE automation to queue an Asynchronous Procedure Call into a running process, executing shellcode in that process’s context.

Blocking this at the Win32 API interception layer (ASR) prevents privilege escalation and lateral movement even when the macro itself gets past initial execution controls. This rule is complementary to ISM-1668 (blocking executable content creation) and ISM-1673 (blocking Win32 API calls from macros).

Design Decision

[!NOTE] The Block Office applications from injecting code into other processes ASR rule will be implemented via Intune and deployed as an Endpoint security Attack Surface Reduction policy to block Office apps from injecting code into other processes. It will block code injection by Office apps across managed devices.

Prerequisites

Licensing

Microsoft Intune Plan 1 (included in Microsoft 365 E3+) for policy deployment via Intune. ²
Microsoft Defender for Endpoint Plan 1 or Plan 2 (or Microsoft 365 Defender) to access Advanced Hunting for monitoring ASR events.

Permissions/Roles

Access to the Microsoft Intune admin center with permissions to create and assign Endpoint Security Attack Surface Reduction policies.

Dependencies

Devices must be enrolled in Microsoft Intune and joined to Entra ID (Azure AD) or hybrid Azure AD joined.
Microsoft Defender Antivirus must be the active AV and running in Active mode (ASR rules require Defender as primary AV). ³

Implementation Steps

Enable ASR rule to block Office apps from injecting code into other processes via Intune

[!NOTE] The Block Office applications from injecting code into other processes rule (GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84) is off by default. It must be explicitly enabled in Block or Audit mode. Start in Audit mode to identify any legitimate processes that inject code before enforcing Block mode.

Option A — Endpoint Security profile (recommended)

Open the Microsoft Intune console and navigate to Endpoint Security > Attack surface reduction. ²
Create a new policy: Platform: Windows 10 and later, Profile type: Attack surface reduction rules. ²
In Configuration settings, set Block Office applications from injecting code into other processes to Audit initially, then Block after validation. ³
Optionally add exclusions under Exclude files and paths from Attack surface reduction rules for any line-of-business add-ins that legitimately inject into other processes. ³
Assign the profile to the target device group and save. ²
Restart Microsoft 365 Apps for the rule to take effect. ³

Option B — Custom OMA-URI

Field	Value
OMA-URI	`./Device/Vendor/MSFT/Defender/AttackSurfaceReductionRules/75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
Data type	Integer
Value	`2` (Audit) → `1` (Block)

Create a Device configuration → Custom profile, add the OMA-URI row above, and assign to target groups.

Verify and monitor

Event ID	Mode	Description
1121	Block	Code injection attempt from Office was blocked
1122	Audit	Code injection attempt would have been blocked (audit mode)
5007	N/A	ASR rule configuration changed

Events appear in Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational.

In Microsoft Defender for Endpoint, use Advanced Hunting:

DeviceEvents
| where ActionType startswith "AsrOfficeProcessInjection"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ActionType

ASD Blueprint for Microsoft Office hardening provides design guidance for Attack Surface Reduction and Office hardening in cloud-managed deployments ASD Blueprint: Microsoft Office hardening
Microsoft Defender for Endpoint security baseline settings reference for Intune explains how ASR rules merge across profiles and baselines during device policy deployment Microsoft Defender for Endpoint security baseline settings reference for Intune
Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields details how ASR can block DDE-based malware in Office documents Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields
Attack surface reduction rules reference provides in-depth descriptions of ASR rules including the Office injection code rule Attack surface reduction rules reference

🛡️ Essential 8 Guide