What is the recommended approach?

To protect themselves against malicious macros, organisations should implement one of the following recommended approaches:

• all macros are disabled
• only macros from trusted locations are enabled
• only macros digitally signed by trusted publishers are enabled.

In addition to implementing one of the recommended approaches above, organisations should:

• implement application control to mitigate a malicious macro running unapproved applications
• implement email and web content filtering to inspect incoming Microsoft Office files for macros, and block or quarantine them as appropriate
• implement macro execution logging to verify only approved macros are used (e.g. by logging the execution of known file extensions such as dotm, docm, xlsm, pptm and ppsm)
• ensure users assigned to assessing the safety of macros have appropriate VBA training.