Brad Crismale, 3 min read

Essential Eight - Restrict Microsoft Office Macros


November 2025

Macros: Small Files, Big Risks

This article is the sixth in Matrium Technologies’ Essential Eight Blog Series, where we unpack each of the Australian Cyber Security Centre’s (ACSC) eight key mitigation strategies. Our goal is to help business leaders understand what each control means, why it matters, and how to apply it effectively.

In this instalment, we examine Restricting Microsoft Office Macros - a simple yet critical step in defending against one of the most common and successful attack techniques: malicious email attachments.


What “Restrict Microsoft Office Macros” Really Means

Microsoft Office macros are small programs, written in Visual Basic for Applications (VBA), embedded in Word, Excel, and PowerPoint files. They were designed to automate tasks - generating reports, formatting data - but attackers abuse them to run code of their own choosing: an auto-run routine (for example AutoOpen in Word) fires as soon as the user enables the macro, and from there it typically launches PowerShell or another built-in tool to download and execute the real payload.

Restricting macros means controlling where and how they can run. In practice this means disabling macros entirely for users who have no demonstrated business need for them, blocking macros in files that arrived from the internet (downloads and email attachments), scanning the macros that are allowed to run, and locking these settings centrally so that users cannot change them. Where macros are genuinely needed, only those from trusted, verified sources - digitally signed by an approved publisher, or stored in a tightly controlled Trusted Location - are allowed.

For executives, this control is about balancing productivity with protection - ensuring legitimate automation continues while shutting down one of the most exploited cyberattack vectors.


Why It Matters for Your Business

  • Macros are a favourite weapon for attackers – They arrive in phishing emails disguised as invoices, résumés, or delivery notifications, and the lure text instructs the reader to click “Enable Content” to view the document.

  • They can slip past traditional security tools – The attachment often contains no malware at all, only a short script that fetches the payload after the user enables it, so signature scanning of the email has nothing to match. Once running, the macro has the user’s own privileges and can download ransomware, steal credentials, or establish persistence.

  • Email is still one of the most common entry points – A large share of intrusions begin with a user opening a document they believe is legitimate.

  • Staff trust familiar formats – Because Office files are exchanged constantly, users are conditioned to click “Enable Content” without recognising the danger.

Restricting macros stops this class of attack at the point where the code would execute: even when a malicious attachment has already passed the mail gateway and been opened, a user who is fooled by the lure still cannot enable it.


Practical Steps to Implement

Getting macro security right involves combining technical controls with user awareness:

  1. Disable macros by default – Configure Microsoft Office, through Group Policy, to block macros in any file that originated from the internet (files carrying the Mark of the Web, which covers email attachments and downloads) and to disable macros entirely for users with no demonstrated business need. Microsoft 365 Apps now block internet macros by default, but enforce the setting centrally and lock it so that users cannot revert it.

  2. Digitally sign approved macros – Where macros are required, allow only those digitally signed by a trusted publisher (typically your own developers, signing with an organisation-controlled code-signing certificate), and keep the list of trusted publishers short and reviewed at least annually. If you rely on Trusted Locations instead, make sure only the team that vets macros can write to them.

  3. Separate business and personal use – Prevent users from opening Office documents from personal email or other external sources on corporate systems, so that a macro-enabled file cannot reach a corporate endpoint by a route the mail gateway never inspected.

  4. Train staff – Explain why macros are restricted and what a “please enable content” lure looks like, so that users report such files rather than looking for a way around the block.

  5. Monitor and review – Regularly confirm that the Group Policy settings are still applied on endpoints, log both allowed and blocked macro executions centrally, and review those logs for users who are repeatedly prompted or for macros running where none are expected.
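The steps above are enforced through Group Policy and checked on the endpoint. As an added example (not Matrium’s code and not an ACSC tool), the PowerShell script below audits a single Windows workstation for the settings behind this control: the internet-macro block, the macro notification policy, Trusted Locations, macro antivirus (AMSI) scanning, and the Defender Attack Surface Reduction rule that stops macros calling Win32 APIs, plus the Defender events that record what that rule has blocked. It assumes Office 2016 or later (registry version 16.0), that the settings were deployed by Group Policy (so they sit under HKCU\Software\Policies), and that Microsoft Defender is the endpoint protection product; the registry value names and the ASR rule GUID are Microsoft’s documented ones.

```powershell
# Added example (not Matrium's or the ACSC's code): audit a Windows endpoint for
# the Office macro settings behind the "Restrict Microsoft Office Macros" control.
# Assumptions: Office 2016 or later (registry version 16.0), settings deployed by
# Group Policy (so they live under HKCU\Software\Policies), Microsoft Defender
# with Attack Surface Reduction (ASR) available. Run as the user being audited.

$apps       = 'Word', 'Excel', 'PowerPoint'
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Read one registry value, returning $null if the key or value is missing.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Per-application checks (Maturity Level 1 settings).
$perApp = foreach ($app in $apps) {
    $sec = "$policyRoot\$app\Security"

    # "Block macros from running in Office files from the Internet": 1 = enabled.
    # Applies to files carrying the Mark of the Web (downloads, email attachments).
    $motw = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'

    # "VBA Macro Notification Settings": 3 = only digitally signed macros run,
    # 4 = all macros disabled with no prompt (users cannot click "Enable Content").
    $vba = Get-PolicyValue $sec 'VBAWarnings'
    $macroPolicy = if ($vba -eq 3) { 'signed only' }
                   elseif ($vba -eq 4) { 'disabled' }
                   else { 'NOT restricted' }

    # "Disable all trusted locations": 1 = a file copied into a Trusted Location
    # gets no macro exemption. Only set this where no Trusted Location is needed.
    $tl = Get-PolicyValue "$sec\Trusted Locations" 'AllLocationsDisabled'

    [pscustomobject]@{
        App                   = $app
        InternetMacrosBlocked = ($motw -eq 1)
        MacroPolicy           = $macroPolicy
        TrustedLocationsOff   = ($tl -eq 1)
    }
}

# Macro runtime scanning through AMSI (the Level 1 "antivirus scanning" item):
# 2 = scan macros in all documents, 1 = only low-trust documents, 0 = off.
$scanScope = Get-PolicyValue "$policyRoot\Common\Security" 'MacroRuntimeScanScope'

# ASR rule "Block Win32 API calls from Office macros" (a Maturity Level 2 item).
# The GUID is Microsoft's published identifier for this rule.
$asrWin32 = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$asrOn    = $false
$pref     = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        # Actions: 0 = off, 1 = block, 2 = audit, 6 = warn. Only "block" counts.
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $asrWin32 -and
            $pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) { $asrOn = $true }
    }
}

# Defender records each ASR hit: 1121 = blocked, 1122 = would have blocked (audit).
# Filtering on the rule GUID gives the "blocked macro execution events" that the
# maturity model expects to be collected centrally.
$asrEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $asrWin32 }

$perApp | Format-Table -AutoSize
"Macro runtime AV scanning covers all documents: $($scanScope -eq 2)"
"ASR 'Block Win32 API calls from Office macros' enforced: $asrOn"
"Win32-API-block events among the last 200 Defender ASR events: $(@($asrEvents).Count)"
```

Run it as an ordinary user on a domain-joined machine after `gpupdate`. A `$null` reading (shown as NOT restricted or False) means the policy was never applied, not that it was set to an open value; in that case Office falls back to the user-editable values under HKCU\Software\Microsoft\Office\16.0, which is exactly the state the control is meant to prevent. Anything the script reports as blocked on an endpoint should also appear in your central log collection, which is the Level 2 evidence an assessor will ask for.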


The Maturity Journey

The Essential Eight Maturity Model outlines how organisations can evolve their macro protection over time:

  • Maturity Level 1 (Basic Protection): Macros are disabled for users without a demonstrated business requirement, macros in files originating from the internet are blocked, macro antivirus scanning is enabled, and users cannot change the macro security settings.

  • Maturity Level 2 (Improved Protection): In addition, macros are blocked from making Win32 API calls (the route most malicious macros use to reach the operating system), and both allowed and blocked macro execution events are logged centrally.

  • Maturity Level 3 (Strongest Protection): In addition, only macros that run from within a sandboxed environment, from a Trusted Location, or that are digitally signed by a trusted publisher may execute; only the privileged users responsible for vetting macros can write to Trusted Locations; macros signed by an untrusted publisher, or with anything other than a V3 signature, cannot be enabled from the Message Bar or Backstage view; and the list of trusted publishers is validated at least annually.

This staged approach helps organisations progressively eliminate one of the most common attack entry points while maintaining legitimate business functions.


Final Word

Macros may look harmless, but they have been the launch point for countless ransomware and data theft incidents. By restricting them, you shut down an entire class of initial-access techniques with a handful of centrally enforced policy settings.

For business leaders, this control represents one of the highest returns on security investment - low effort, high impact, and fully aligned with the Essential Eight framework.

This is the sixth article in Matrium’s Essential Eight Blog Series. Next, we’ll explore User Application Hardening - how to reduce risk by disabling exploitable features in common software like browsers and PDF readers.

Matrium Technologies helps organisations achieve and maintain Essential Eight compliance, providing expert guidance to restrict macros, harden applications, and build long-term cyber resilience.


Brad Crismale
Brad Crismale is a senior leader at Matrium Technologies, focused on delivering strategic outcomes for clients through innovative network and cybersecurity solution