Essential Eight #6: Restrict Microsoft Office Macros

This article is the sixth in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.


Microsoft Office macros are small programs embedded within documents — spreadsheets, Word files, presentations — that automate repetitive tasks. For decades, they have also been one of the most reliable delivery mechanisms for malware. The sixth Essential Eight strategy addresses this directly: restrict macros to the narrow set of circumstances where they are genuinely required, and block them everywhere else.

What the Strategy Requires

The ACSC’s guidance on macro restriction is tiered by business need and risk. At Maturity Level One, macros sourced from the internet must be blocked entirely. Macros that are genuinely required for business operations must be stored in trusted locations with limited write access, or be digitally signed by a trusted publisher.

At higher maturity levels, the controls tighten further. Macros must be signed by certificates from trusted publishers only — not merely any digital signature — and the ability to modify content in trusted locations is restricted to privileged users who can validate that macros are free of malicious code. At Maturity Level Three, logging of macro execution provides visibility for detection and response.

The ACSC’s underlying position is clear: the default state for macros should be disabled. Any business that has not consciously assessed its macro usage and applied restrictions is running with a broad attack surface that could be closed at negligible cost.
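The Maturity Level One controls described above map to a handful of Office policy values. The following PowerShell script is an added example written for this article, not ACSC or Microsoft tooling; it reports those values for the current user so an administrator can confirm that the default really is "disabled". It assumes Office 2016 or later (policy key version 16.0) with settings applied through Group Policy under HKCU\Software\Policies; the VBAWarnings meanings in the comments follow the Office administrative templates.

```powershell
# Added example (not from the article): report the per-application Office macro policy
# values that the Maturity Level One controls rely on, for the current user.
# Assumptions: Office 2016/2019/Microsoft 365 (policy key version "16.0"), policy delivered
# via Group Policy to HKCU\Software\Policies. Value meanings per the Office ADMX templates:
#   VBAWarnings: 1 = enable all, 2 = disable with notification,
#                3 = disable except digitally signed, 4 = disable all without notification
#   blockcontentexecutionfrominternet: 1 = block macros in files that carry the Mark of the Web
#   Trusted Locations\AllLocationsDisabled: 1 = no trusted locations are honoured
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist, i.e. the setting is "Not Configured"
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($app in $apps) {
    $sec = Join-Path $base "$app\Security"
    $vbaWarnings   = Get-PolicyValue -Path $sec -Name 'VBAWarnings'
    $blockInternet = Get-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet'
    $locDisabled   = Get-PolicyValue -Path (Join-Path $sec 'Trusted Locations') -Name 'AllLocationsDisabled'

    [pscustomobject]@{
        Application              = $app
        VBAWarnings              = $vbaWarnings
        InternetMacrosBlocked    = ($blockInternet -eq 1)
        TrustedLocationsDisabled = ($locDisabled -eq 1)
        # Indicative ML1 check: internet-sourced macros blocked AND macros otherwise
        # disabled outright (4) or limited to digitally signed ones (3).
        # A $null VBAWarnings means the setting is not enforced by policy at all.
        MeetsML1Baseline         = ($blockInternet -eq 1) -and ($vbaWarnings -in 3, 4)
    }
}

$report | Format-Table -AutoSize

# Publishers whose signatures Office will accept for signed macros. Anything here that the
# organisation did not deliberately add is a finding.
Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

A row with MeetsML1Baseline set to False, or a VBAWarnings of 1 or $null, is the "never consciously assessed" state the paragraph above describes. Run the script in the context of an ordinary user account, since that is where the policy takes effect.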

Why Macros Remain a Persistent Threat Vector

Macros became a dominant malware delivery mechanism because they are effective and because they exploit legitimate functionality. An attacker who convinces a user to open a macro-enabled document and click “Enable Content” has, in that moment, been granted the ability to execute arbitrary code on that user’s machine — code that runs in the context of the user’s account, can access network resources, and can download additional payloads from the internet.

Emotet, one of the most prolific and damaging malware families of the past decade, relied primarily on macro-enabled Office documents distributed via phishing email. It infected millions of systems globally, served as a loader for ransomware, and caused billions of dollars in damages. It was not technically sophisticated — it depended on users enabling macros in documents they should not have opened.

The persistence of this vector reflects how many organisations have never evaluated their macro exposure. Emotet continued to succeed long after macro-based delivery was well understood, because the default Office configuration in many environments still permitted it.

Balancing Restriction with Legitimate Business Need

Some organisations have genuine operational requirements for macros — finance teams using complex Excel automation, or industry-specific tools built on Office macro functionality. The strategy does not require eliminating macros entirely; it requires controlling them.

A practical approach begins with an audit: which staff actually use macros, for which applications, and is that functionality genuinely necessary? In most SMB environments, the answer reveals that macro usage is concentrated in a small number of roles, and that the remainder of the organisation can have macros disabled without any operational impact.
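One way to ground that audit in data rather than interviews is to inventory which documents on the organisation's file shares actually contain VBA projects, and who owns them. The script below is an added example for this article, not a tool from ACSC or Luminol Cyber. It relies on the fact that Office Open XML files are ZIP containers that hold a vbaProject.bin part when a VBA project is present; the share path is a placeholder, and legacy binary formats (.doc, .xls) are outside its scope.

```powershell
# Added example (not from the article): inventory macro-bearing Office Open XML files under
# a share so the "who actually uses macros" question can be answered from evidence.
# Assumptions: files are Office Open XML (ZIP containers); a VBA project is stored as
# word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin; $Root is a placeholder path.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-HasVbaProject {
    param([string]$Path)
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            # Match on the part name regardless of the application-specific folder prefix
            return [bool]($zip.Entries | Where-Object { $_.Name -eq 'vbaProject.bin' })
        } finally {
            $zip.Dispose()
        }
    } catch {
        # Not a valid ZIP container, e.g. a legacy .doc/.xls binary file; those need a separate review
        return $false
    }
}

$Root = '\\fileserver\shares'   # placeholder share root
# Macro-enabled extensions plus the non-macro ones, in case a VBA project hides under a plain extension
$patterns = '*.docm', '*.dotm', '*.xlsm', '*.xltm', '*.xlam', '*.pptm', '*.potm', '*.ppam',
            '*.docx', '*.xlsx', '*.pptx'

Get-ChildItem -Path $Root -Recurse -Include $patterns -File -ErrorAction SilentlyContinue |
    Where-Object { Test-HasVbaProject -Path $_.FullName } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            Path         = $_.FullName
            Owner        = $acl.Owner
            LastModified = $_.LastWriteTime
            # A Zone.Identifier alternate data stream (Mark of the Web) means the file arrived
            # from the internet: exactly the class of document ML1 requires Office to block
            FromInternet = [bool](Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        }
    } |
    Sort-Object Owner |
    Export-Csv -Path .\macro-inventory.csv -NoTypeInformation
```

Grouping the resulting CSV by owner and by path usually confirms the pattern the paragraph describes: a small set of finance or line-of-business folders account for nearly all macro-bearing files, and those are the candidates for a trusted location with restricted write access, while everyone else can have macros disabled.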

For those with legitimate needs, the path forward is digitally signed macros from trusted publishers, stored in controlled locations — not a blanket permission that applies to every document from every source.

Macros, Application Control, and Layered Defence

Application control, covered in the previous article, prevents unauthorised executables from running. Macro restriction addresses a gap that application control alone does not close: malicious code embedded in documents that are opened by permitted applications.

A macro-enabled Word document opened by Microsoft Word — an approved application — is not blocked by application control. Macro restriction is the complementary control that addresses this specific delivery mechanism.


This series continues with Essential Eight #7: User Application Hardening.

Further reading: ACSC Essential Eight, Luminol Cyber
