Microsoft 365 Secure Score


How to Block Office Apps from Injecting Code into Other Processes

Last updated: 2026-04-24

One of the more overlooked Attack Surface Reduction rules in Microsoft Defender is the one that stops Office applications — Word, Excel, PowerPoint — from injecting code into other running processes. It sounds technical, and it is. But the risk it addresses is very real: attackers regularly abuse this capability to run malicious code in a way that looks completely legitimate. Enabling this rule is a straightforward policy change, and it'll give your Secure Score a meaningful nudge in the right direction.

Applies to: Microsoft 365 Business Premium, Microsoft Defender for Business, Microsoft 365 E3/E5. Estimated time: 20 minutes.

What You'll Achieve

  • Blocked Code Injection Attacks: Office applications will be prevented from injecting executable code into other processes — a common technique used in macro-based malware campaigns.
  • Improved Secure Score: This recommendation, once completed, contributes meaningful points to your Microsoft Secure Score and demonstrates active security hardening to auditors and stakeholders.
  • Reduced Attack Surface: Combined with other ASR rules, this reduces the number of avenues attackers can exploit in your environment — particularly in organisations where staff regularly open external documents.

Why This Rule Matters

When an Office application injects code into another process, it essentially borrows the identity and permissions of that process. Malware authors figured this out a long time ago. A Word document with a malicious macro can use code injection to run commands through a trusted Windows process — making it much harder for traditional antivirus tools to detect.

This Attack Surface Reduction (ASR) rule was introduced by Microsoft specifically to close this gap. It operates at the kernel level via Microsoft Defender, so it doesn't interfere with normal Office functionality — documents open and run as expected, but the injection capability is blocked before it can be misused.

For Australian businesses in regulated sectors — professional services, healthcare, government supply chain — this rule also contributes to meeting the spirit of the ACSC's Essential Eight (specifically the Application Control mitigation strategy).

Microsoft Defender's ASR rules have been independently validated as effective mitigations against macro-based threats — among the most common attack vectors targeting Australian SMBs.

Before You Start

You'll need a Microsoft 365 licence that includes Microsoft Defender for Endpoint or Defender for Business — this covers Microsoft 365 Business Premium, E3 with Defender add-on, and E5. You also need Global Administrator or Security Administrator rights in your tenant. If you're unsure, check your role under Microsoft Entra ID > Roles and Administrators before starting.

Step-by-Step Instructions

Follow these five steps to enable the ASR rule and complete the Secure Score recommendation. The whole process takes around 20 minutes.


Step 1 — Open the Microsoft Defender Portal

Sign in to security.microsoft.com using a Global Administrator or Security Administrator account. From the left-hand menu, navigate to Endpoints, then expand Configuration Management and select Endpoint Security Policies. This is where all ASR policies live.


Step 2 — Find or Create an Attack Surface Reduction Policy

Look for an existing Attack Surface Reduction Rules policy. If one exists, click it to edit. If not, click Create Policy, set Platform to Windows 10, 11 and Windows Server, and Profile to Attack Surface Reduction Rules. Give the policy a clear name like 'ASR — Code Injection Block'.


Step 3 — Enable the Code Injection Rule

Scroll to find the rule labelled Block Office applications from injecting code into other processes. Change its setting from Not Configured to Block. This maps to ASR rule GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84. If you are testing in a pilot environment first, you can temporarily set it to Audit Mode to review what it would block before enforcing.


Step 4 — Assign the Policy to Device Groups

On the Assignments page, select the device groups this policy should apply to. For most businesses, this will be All Devices. If you started in Audit Mode, assign to a smaller pilot group first, review the audit logs in Defender's Advanced Hunting after a few days, then expand to all devices.


Step 5 — Confirm the Secure Score Update

Navigate to security.microsoft.com/securescore and search for the 'Block Office applications from injecting code into other processes' recommendation. Once the policy propagates — usually within a few hours, sometimes up to 24 — the recommendation will move to Completed and your score will update.


How to Confirm It's Working

  • In Secure Score, the recommendation shows as Completed.
  • In Defender Portal → Reports → Device health, ASR rule events are visible.
  • No unexpected application behaviour reported from staff — Office opens documents normally.
  • If in Audit Mode, Advanced Hunting shows audit events under DeviceEvents with ActionType = AsrOfficeProcessInjectionAudited.
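
As an added example (not part of the original guide or Microsoft's own tooling), the PowerShell below checks on one enrolled Windows device whether the rule from Step 3 has arrived and in which mode, then lists recent local Defender events for it. It assumes an elevated session on a device running Microsoft Defender Antivirus; the function names are illustrative, and event IDs 1121 (blocked) and 1122 (audited) are the Defender operational-log IDs for ASR activity.

```powershell
# Added example: endpoint-side check for the Office code-injection ASR rule.
# Assumption: run in an elevated PowerShell session on a Defender-managed device.
$RuleId = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'   # GUID from Step 3

# ASR action codes as reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # The two arrays are parallel: Ids[i] is configured with Actions[i].
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            if ($ActionNames.ContainsKey($code)) { return $ActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'   # policy has not reached this device yet
}

function Get-AsrRuleEvents {
    param([string]$Id, [int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122      # 1121 = blocked, 1122 = audited
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # The event message carries the rule GUID; keep only events for this rule.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Id) } |
        Select-Object TimeCreated,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' } } },
            Message
}

"Rule state on ${env:COMPUTERNAME}: $(Get-AsrRuleState -Id $RuleId)"
Get-AsrRuleEvents -Id $RuleId | Format-List
```

A state of 'Not configured' after the propagation window usually means the device is outside the groups assigned in Step 4; 'Audited' events during a pilot show which Office add-ins or automations would be stopped once the rule is set to Block.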

Frequently Asked Questions

What does blocking Office code injection include?

This guide specifically covers the Attack Surface Reduction rule that prevents Microsoft Office applications — Word, Excel, PowerPoint, and related apps — from injecting executable code into other Windows processes. It includes configuring the policy in Microsoft Defender, assigning it to devices, and verifying the Secure Score recommendation is marked as complete.

How long does enabling this ASR rule take?

Most organisations can complete this in around 20 minutes if they have an existing Attack Surface Reduction policy in place. If you're starting from scratch and need to create a new policy, allow up to 30 minutes. Score propagation can take a few hours after the policy is saved and assigned.

How is this different from standard IT support?

Standard IT support typically focuses on keeping systems running — helpdesk, software installs, device management. This is a proactive security hardening task. It changes your tenant's security configuration to close a specific attack vector, and it directly improves your Microsoft Secure Score. Most general IT support providers don't manage ASR policies unless they offer a dedicated security service.

Will this rule break anything for our staff using Office?

In most cases, no. This ASR rule targets the code injection capability specifically, not normal Office functionality. Staff will still open, edit, and save documents as usual. The rule only intervenes when an Office app attempts to inject code into another process — which normal document use never requires. That said, if your organisation uses custom Office add-ins or automation scripts, it's worth testing in Audit Mode first.

Is this available for Australian businesses on standard M365 plans?

Yes. Microsoft Defender for Endpoint and Defender for Business are available as part of Microsoft 365 Business Premium, E3, and E5 licences, which are widely available in Australia. If you're on Microsoft 365 Business Standard or Basic, you'll need to upgrade to Business Premium or add the Defender for Business licence to access ASR rules.

Want Help Improving Your Microsoft 365 Secure Score?

Not sure which Secure Score recommendations to tackle first? Technowand's M365 Security Assessment gives you a clear prioritised list — with implementation support included.