Essential Eight · Control 3
3. Configure Microsoft Office Macro Settings
Block macros from the internet and only allow digitally signed macros where required.
Why this matters
Macro-based malware remains a prevalent initial-access vector. The November 2023 update to the Maturity Model requires V3 digital signatures at ML3: V2-signed macros no longer satisfy the highest tier.
Maturity-level breakdown
Maturity Level 1
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. Macros in files originating from the internet are blocked. Microsoft Office macro antivirus scanning is enabled.
Maturity Level 2
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location, or that are digitally signed by a trusted publisher are allowed to execute. Microsoft Office macro security settings cannot be changed by users.
Maturity Level 3
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location, or that are digitally signed using a V3 signature are allowed to execute. The "Only trust VBA macros that use V3 signatures" policy is enabled.
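The settings above are applied through Group Policy, which writes them to the per-user Office policy hive. The following PowerShell audit script is an added example, not code from the ACSC, Microsoft or this page: it reads that hive and reports whether the ML1 settings (block internet macros, macro notification level, runtime antivirus scanning) are enforced. It assumes Office 2016 or later (policy hive `16.0`), that it runs as the user whose resultant policy is being checked, and that the app list `Word`, `Excel`, `PowerPoint` is the set you care about. The registry value name behind "Only trust VBA macros that use V3 signatures" is not given on this page and is left as a parameter (`-V3ValueName`) you must confirm against `office16.admx` before relying on it.

```powershell
# Added audit script (not ACSC or Microsoft code). Reads the per-user Office
# policy hive that Group Policy populates and checks the macro settings that
# back the maturity levels above.
# Assumptions (not from the page): Office 2016+ policy hive "16.0"; run in the
# context of the user whose resultant policy you want to check.

$OfficeVersion = '16.0'
$PolicyRoot    = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
$Apps          = @('Word', 'Excel', 'PowerPoint')

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy is not configured (key or value absent).
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function New-Check {
    param([string]$Scope, [string]$Setting, $Value, [bool]$Pass, [string]$Level)
    [pscustomobject]@{
        Level = $Level; Scope = $Scope; Setting = $Setting; Value = $Value; Pass = $Pass
    }
}

function Test-OfficeMacroPolicy {
    param(
        # Registry value name for "Only trust VBA macros that use V3 signatures".
        # PLACEHOLDER / ASSUMPTION: confirm the exact name in office16.admx; the
        # check is skipped when this is not supplied.
        [string]$V3ValueName
    )
    $checks = @()

    foreach ($app in $Apps) {
        $sec = "$PolicyRoot\$app\Security"

        # ML1: block macros in files carrying Mark of the Web (internet zone).
        $block = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
        $checks += New-Check $app 'Block macros from internet' $block ($block -eq 1) 'ML1'

        # VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
        # 3 = disable except digitally signed, 4 = disable without notification.
        # Users with no business requirement need 4; signed-only users need 3.
        $warn = Get-PolicyValue $sec 'VBAWarnings'
        $checks += New-Check $app 'VBA macro notification setting' $warn ($warn -in @(3, 4)) 'ML1'
    }

    $common = "$PolicyRoot\Common\Security"

    # ML1: runtime AMSI scanning of macros. 0 = off, 1 = low-trust documents only
    # (Office default), 2 = all documents. Require 2 so nothing is exempt.
    $scan = Get-PolicyValue $common 'MacroRuntimeScanScope'
    $checks += New-Check 'Common' 'Macro runtime scan scope' $scan ($scan -eq 2) 'ML1'

    # ML3: only V3 signatures are trusted (value name supplied by the caller).
    if ($V3ValueName) {
        $v3 = Get-PolicyValue $common $V3ValueName
        $checks += New-Check 'Common' 'Only trust V3-signed VBA macros' $v3 ($v3 -eq 1) 'ML3'
    }

    return $checks
}

# Usage: print the table, then exit non-zero on any failure so the script can
# gate a scheduled audit or a configuration-management run.
$report = Test-OfficeMacroPolicy
$report | Format-Table Level, Scope, Setting, Value, Pass -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { exit 1 }
```

Reading the `Software\Policies` hive rather than `Software\Microsoft\Office` is deliberate: values under `Policies` are written by Group Policy and greyed out in the Trust Center, which is what "macro security settings cannot be changed by users" looks like on the endpoint. A value that exists only under the non-policy key is a user preference and does not satisfy that requirement.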
Common gaps we see in assessments
- Macros enabled for all users by default (no business-requirement gate)
- V2 signatures still accepted at ML3 — V3 enforcement not configured
- No documented approval process for legitimate business macros