🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Microsoft Office macros are blocked from making Win32 API calls.

| Property | Value |
|---|---|
| ISM Control | ISM-1673 |
| Revision | 0 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Microsoft Office macros |
| Essential Eight | ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Microsoft Office macros are blocked from making Win32 API calls by enabling the Attack Surface Reduction (ASR) rule Block Win32 API calls from Office macros (GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B). This closes off a technique routinely used by macro-based malware to run native code without dropping a file to disk. The rule is delivered through Intune as part of the organisation's ASR configuration.

Justification

VBA macros can call Windows API functions directly via Declare statements, or reach them indirectly by instantiating COM objects with CreateObject. This capability is routinely abused by malware to:

Blocking Win32 API calls at the ASR interception layer stops these techniques at the source (the macro) before the call reaches the operating system. Combined with ISM-1672 (AMSI-based scanning of macro content) and ISM-1671 (macros disabled for users without a demonstrated business need), this rule provides defence-in-depth across the Office macro attack chain.

This rule covers Word, Excel, PowerPoint, Outlook, Access, and Publisher.

Design Decision

[!NOTE] The ACSC Windows Hardening Guidelines-Attack Surface Reduction.json policy will be deployed via Intune to enable the ASR rule Block Win32 API calls from Office macros. This will block Office macros from making Win32 API calls in accordance with ACSC Office Hardening guidance.

Prerequisites

Licensing

Permissions/Roles

Dependencies

Implementation Steps

Enable ASR rule to block Win32 API calls from Office macros

[!WARNING] Start in Audit mode. A Windows Defender update in January 2023 (builds 1.381.2134 – 1.381.2163) caused this rule to delete .lnk shortcut files from apps including Outlook, Word, and Excel. Apply Defender intelligence update 1.381.2164 or later before enforcing Block mode. Deploy exclusions for any line-of-business Office add-ins that legitimately use Win32 API calls.

  1. In Intune, navigate to Endpoint Security > Attack surface reduction.
  2. Create a new policy: Platform: Windows 10 and later, Profile type: Attack surface reduction rules.
  3. Locate Block Win32 API calls from Office macros and set it to Audit initially, then Block after validation.
  4. Assign the profile to the target device group and save.

Option B — Custom OMA-URI

ASR rules are set through the Defender policy CSP as a single string of `GUID=mode` pairs separated by `|`, not as one node per rule, so the whole rule set for the device must be supplied in this one value.

| Field | Value |
|---|---|
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules |
| Data type | String |
| Value | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=2 (Audit) → 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=1 (Block) |

Create a Device configuration → Custom profile, add the OMA-URI row, and assign to target groups. If other ASR rules are already managed through the same CSP node, append this rule to the existing value (for example `…=1|92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=2`) rather than replacing it, otherwise the other rules are cleared. Mode codes are 0 Off, 1 Block, 2 Audit, 6 Warn.

Using the ACSC JSON (existing workflow)

The ACSC Windows Hardening Guidelines ASR JSON already includes this rule. If the ACSC ASR policy is deployed per the ISM-1672 prerequisites, simply confirm the GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B is set to 1 (Block) in the imported policy.
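Before the Intune policy reaches a pilot group, it is useful to stage the rule on a single test device and apply the signature-version gate from the warning above. The following PowerShell is an added example written for this guide; it is not part of the ACSC policy or the original page. It assumes the minimum security intelligence version 1.381.2164.0 stated in the warning, and it uses local Defender preferences, which an Intune-managed device will override once the MDM policy applies.

```powershell
# Added example: stage "Block Win32 API calls from Office macros" locally in Audit mode,
# but only after confirming Defender's security intelligence is past the January 2023
# .lnk-deletion regression. Run in an elevated PowerShell session on a test device.

$RuleId    = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$MinSigVer = [version]'1.381.2164.0'   # assumed minimum, taken from the warning above
$Mode      = 'AuditMode'               # change to 'Enabled' (= Block) after validation

# 1. Gate on the security intelligence version before touching the rule.
$sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sigVer -lt $MinSigVer) {
    Write-Warning "Signature version $sigVer is older than $MinSigVer; updating before enabling the rule."
    Update-MpSignature
    $sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    if ($sigVer -lt $MinSigVer) {
        throw "Still on signature version $sigVer after update; refusing to enable rule $RuleId."
    }
}

# 2. Apply the rule in the chosen mode. Add-MpPreference merges with rules already
#    configured, so other ASR rules on the device are left untouched.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode

# 3. Show the rule set now in effect (IDs and actions are parallel arrays).
$pref = Get-MpPreference
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    '{0} => {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Leave the device in Audit mode long enough to exercise every macro-enabled workbook and Office add-in in use, then review the 1122 events (see Monitor below) before switching `$Mode` to `Enabled`.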

Verify the rule is active

```powershell
# Both arrays are ordered identically: the Nth ID corresponds to the Nth action code.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
```

The GUID 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B should appear in the first list, and the entry at the same position in the second list should be 1 (Block), or 2 (Audit) during the validation phase. Only 1 satisfies this control at ML2 and ML3.
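Reading two parallel arrays by eye does not scale to a fleet. The function below is an added example for this guide (not code from the original page) that pairs the IDs with their action codes and returns a single compliance object for the rule, which can be wrapped in a Proactive Remediation or compliance script. The action-code names follow the Defender ASR convention (0 Off, 1 Block, 2 Audit, 6 Warn); the function name is an assumption.

```powershell
# Added example: decode Get-MpPreference output into a per-rule verdict for ISM-1673.

function Get-AsrRuleState {
    param(
        [string]$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    )
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)      # string[]
    $actions = @($pref.AttackSurfaceReductionRules_Actions)  # byte[] , same order as $ids
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    for ($i = 0; $i -lt $ids.Count; $i++) {
        # GUID case varies depending on how the rule was set, so compare case-insensitively.
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{
                RuleId     = $ids[$i]
                ActionCode = $code
                Action     = if ($names.ContainsKey($code)) { $names[$code] } else { "Unknown($code)" }
                Compliant  = ($code -eq 1)   # ISM-1673 requires Block, not Audit
            }
        }
    }

    # Rule absent from the preference set: treated as not configured and non-compliant.
    return [pscustomobject]@{
        RuleId     = $RuleId
        ActionCode = $null
        Action     = 'NotConfigured'
        Compliant  = $false
    }
}

$state = Get-AsrRuleState
$state | Format-List
if (-not $state.Compliant) {
    Write-Warning "ISM-1673 not enforced on $env:COMPUTERNAME: rule is $($state.Action)."
}
```

Because Get-MpPreference reports the effective configuration, the same check works whether the rule arrived via Intune, Group Policy or a local Set-MpPreference call.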

Monitor

| Event ID | Mode | Description |
|---|---|---|
| 1121 | Block | Win32 API call from Office macro was blocked |
| 1122 | Audit | Win32 API call would have been blocked (audit mode) |
| 5007 | N/A | ASR rule configuration changed |

Events appear in Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational.

In Microsoft Defender for Endpoint, use Advanced Hunting:

```kusto
// Matches both AsrOfficeMacroWin32ApiCallsBlocked and AsrOfficeMacroWin32ApiCallsAudited
DeviceEvents
| where ActionType startswith "AsrOfficeMacroWin32ApiCall"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ActionType
| order by Timestamp desc
```
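On devices that are not yet onboarded to Defender for Endpoint, the same events can be harvested from the local operational log. The script below is an added example for this guide, not part of the original page: it reads events 1121 and 1122, keeps only those carrying this rule's GUID, flattens the EventData fields into objects, and groups them by originating process so that legitimate add-ins can be identified for exclusion before Block mode. The EventData field names `Process Name`, `Path` and `User` are assumptions about the current Defender schema; the full field set is kept on each object so nothing is lost if a name differs.

```powershell
# Added example: triage ASR events for the Win32-API-from-macro rule from the local log.
# Run in an elevated session (the Defender operational log requires it).

$RuleId  = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# 1121 = blocked, 1122 = would have been blocked (audit).
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1121, 1122 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten <Data Name="...">value</Data> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The rule GUID sits in one of the Data fields; match on value so the field name
    # does not matter. Other ASR rules share these event IDs and are dropped here.
    if (($data.Values -join '|') -notmatch $RuleId) { continue }

    $mode = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = $mode
        Process = $data['Process Name']   # assumed field name
        Path    = $data['Path']           # assumed field name: the document/add-in involved
        User    = $data['User']           # assumed field name
        Fields  = $data                   # everything the event carried, for cases above
    }
}

# Most recent first for incident triage.
$hits | Sort-Object Time -Descending | Format-Table Time, Mode, Process, Path -AutoSize

# Count by process: repeated hits from a known line-of-business add-in are candidates
# for an ASR exclusion; anything else warrants investigation before moving to Block.
$hits | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name
```

A burst of 1122 events from a single document path shortly after a phishing wave is the audit-mode signal that the rule would have stopped a live macro payload; a steady trickle from one signed add-in is the signal to add an exclusion before flipping to Block.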