Microsoft Office Macro Security

Download ACSC Protect Notice Microsoft Office Macro Security (290K PDF), March 2016



  1. Microsoft Office applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion.
  2. This document has been developed by the Australian Signals Directorate (ASD) to introduce approaches that can be applied by organisations to secure systems against malicious macros while balancing both their business and security requirements. The names and locations of group policy settings used in this document are taken from Microsoft Office 2013; some slight differences may exist for earlier or later versions of Microsoft Office.


  1. The Australian Cyber Security Centre (ACSC) has seen an increasing number of attempts to compromise organisations using malicious macros.
  2. Adversaries have been observed using social engineering techniques to entice users into executing malicious macros in Microsoft Office files. The purpose of these malicious macros can range from cybercrime to more sophisticated exploitation attempts.
  3. By understanding the business requirements for the use of macros, and applying the recommendations in this document, organisations can effectively manage the risk of allowing macros in their environments.

Macros explained

What are macros?

  1. Microsoft Office files can contain embedded code (known as a macro) written in the Visual Basic for Applications (VBA) programming language.
  2. A macro can contain a series of commands that can be coded or recorded, and replayed at a later time to automate repetitive tasks. Macros are powerful tools that can be easily created by novice users to greatly improve their productivity. However, adversaries can also create macros to perform a variety of malicious activities, such as compromising workstations in order to exfiltrate sensitive information.

How are macros verified and trusted?

  1. Microsoft Office has both trusted document and trusted location functions. Once trusted documents or trusted locations are defined, macros in trusted documents or macros in Microsoft Office files stored in trusted locations automatically execute when the Microsoft Office files are opened. While the use of trusted documents is discouraged, trusted locations when implemented in a controlled manner can allow organisations to appropriately balance both their business and security requirements.
  2. Microsoft Authenticode allows developers to include information about themselves and their macro code by digitally signing their macros. The certificate that is used to create a signed macro confirms that the macro originated from the signatory, while the signature itself confirms that the macro has not been altered. Digital certificates can be obtained from a commercial Certificate Authority (CA) or from an organisation’s security administrator if they operate their own CA service. It is important to note that macro code, either legitimate or malicious, can be self-signed or signed using a commercial CA.
  3. By defining trusted publishers in Microsoft Windows, organisations can allow authorised signed macros to execute without users receiving a security warning. However, unauthorised signed macros can still be executed by users if they enable the macro from the Trust Bar or Info page in the Microsoft Office application’s backstage view.

How to determine which macros to trust

  1. When determining whether to trust macros, organisations should ask themselves the following questions:
    1. Is there a business requirement for a particular macro?
    2. Has the macro been validated by a trustworthy and technically skilled party?
    3. Has the macro been signed by a trusted publisher and an approved CA?
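
Answering these questions starts with knowing which files carry macros and whether they are signed. The sketch below is an added example, not part of the ASD notice: it inspects Office Open XML packages for a `vbaProject.bin` part and a `vbaProjectSignature*.bin` part and returns the review step each file needs. The function names, triage labels and sample packages are constructed for illustration, and a detected signature only shows that a signature exists, not that the publisher or CA is approved.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt files

def macro_status(data):
    """Report container format, macro presence and signature presence."""
    status = {"format": "unknown", "has_macro": None, "signed": None}
    if data.startswith(OLE_MAGIC):
        status["format"] = "ole"  # binary format: needs an OLE parser
        return status
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return status
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = [name.lower().rsplit("/", 1)[-1] for name in zf.namelist()]
    if "[content_types].xml" not in parts:
        return status  # a ZIP, but not an Office Open XML package
    status["format"] = "ooxml"
    # The VBA project is stored in a part named vbaProject.bin.
    status["has_macro"] = "vbaproject.bin" in parts
    # A signed project adds vbaProjectSignature*.bin parts.
    status["signed"] = any(p.startswith("vbaprojectsignature") for p in parts)
    return status

def triage(data):
    """Map a file to the review step it needs (labels are this example's)."""
    s = macro_status(data)
    if s["format"] == "ole":
        return "review: legacy format, inspect with an OLE-aware tool"
    if s["format"] != "ooxml":
        return "skip: not an Office file"
    if not s["has_macro"]:
        return "no macro"
    if not s["signed"]:
        return "review: unsigned macro"
    # A signature alone proves nothing: it may be self-signed.
    return "review: signed, confirm publisher and CA are approved"

def build_sample(part_names):
    """Build a constructed in-memory package with placeholder part bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in part_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    base = ["[Content_Types].xml", "word/document.xml"]
    for label, extra in [("plain", []), ("macro", ["word/vbaProject.bin"]),
                         ("signed", ["word/vbaProject.bin", "word/vbaProjectSignature.bin"])]:
        print(label, "->", triage(build_sample(base + extra)))
```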

Keep reading Approaches to securing systems against malicious macros in ACSC Protect Notice Microsoft Office Macro Security (290K PDF).

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.

The Strategies to Mitigate Targeted Cyber Intrusions complements the advice in the ISM.


Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.