Essential Eight · Control 03 of 08

Configure Microsoft Office macro settings

Stopping the little automation scripts inside Word and Excel from running unless they're from a trusted source.

Why this control matters

Macros have been the delivery mechanism for financially motivated ransomware for over a decade. The features that make macros useful are the same features that make them dangerous. Configuring them properly removes an entire class of attack with very little day-to-day impact on business users.

The three maturity levels

Configure Microsoft Office macro settings at Essential Eight ML1, ML2 and ML3.

These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.

ML1 · The 2026 baseline

Macros are disabled for users who don't have a business requirement. Macros in files originating from the internet are blocked. Macro antivirus scanning is enabled.

ML2 · Regulated or under audit

Macros are only enabled for users with a business requirement via a managed allowlist. Macros are checked by antivirus before execution. Macro use is logged.

ML3 · Defence or sensitive

Only digitally signed macros from trusted publishers run. Signed macros are validated. Macro execution is logged centrally.

Not sure which level you should aim for?

The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.


How we run it

The way CCP implements Configure Microsoft Office macro settings for clients.

We use Microsoft 365 security baselines to disable macros for users who don't need them. For users who do (typically finance or reporting roles), we either allowlist specific files via Intune or require digital signatures for macros. The configuration is tied to Azure AD groups, so when someone's role changes, their macro policy changes with them.
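The ML1 and ML3 requirements above map onto a handful of Office policy values. The script below is an added example (not CCP's tooling) that audits those values for the current user so you can confirm what a baseline or Intune policy actually delivered. It assumes Office 2016 or later (the "16.0" policy hive) and that policy arrives as ADMX-backed settings, which land under HKCU:\Software\Policies; machine-scoped policy under HKLM is not checked.

```powershell
# Added example: audit the per-user Office policy values behind the
# Essential Eight macro requirements. Assumes Office 2016+ ("16.0") and
# user-scoped policy (Group Policy or Intune) under HKCU:\Software\Policies.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no policy applied,
    # which the checks below treat as non-compliant.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = foreach ($app in $apps) {
    $sec = "$base\$app\Security"
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable without notification.
    $vba = Get-PolicyValue $sec 'VBAWarnings'
    # 1 = block macros in files carrying Mark-of-the-Web (email, web download).
    $internet = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
    [pscustomobject]@{
        App                   = $app
        MacrosDisabled        = ($vba -eq 4)      # ML1: no business requirement
        OnlySignedMacros      = ($vba -eq 3)      # ML3: trusted publishers only
        InternetMacrosBlocked = ($internet -eq 1) # ML1: files from the internet
    }
}

# AMSI runtime scanning of macros: 0 = off, 1 = low-trust documents only,
# 2 = all documents. ML1 "macro antivirus scanning is enabled" expects 2.
$scan = Get-PolicyValue "$base\Common\Security" 'MacroRuntimeScanScope'

$results | Format-Table -AutoSize
"Macro antivirus (AMSI) scanning for all documents: $($scan -eq 2)"
```

Run it in the context of the user whose policy you are verifying; a user in the "macros allowed" group should show MacrosDisabled as False but InternetMacrosBlocked and the scanning line as True.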

Free self-assessment

No email required.

Score yourself on all eight controls, get a branded PDF.

Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.


Common questions

What people actually ask about configuring Microsoft Office macro settings.

We have a spreadsheet the whole finance team uses that relies on macros. What happens?

We discover it in the audit phase, evaluate whether it can be rebuilt without macros (often yes), and if not, we digitally sign the macro and allowlist the signer's certificate. That's a one-off project of a few hours, not a blocker for rollout.

What's the risk if we skip this control?

Macro-delivered ransomware has been a top-three attack vector in Australian SME compromise for over a decade. A user opens an Office file from an email, macros fire, and credentials or data are exfiltrated before anyone notices. Proper macro configuration removes the whole attack surface. Skipping it leaves one of the cheapest and most common attack paths wide open.

Does this apply to Excel files from clients?

Particularly those. Files from the internet (email, web download, external USB) get macros blocked by default regardless of user policy. That's the specific ACSC rule and the one that catches real compromise attempts in practice.

These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
