This policy applies a curated set of Microsoft Defender Attack Surface Reduction (ASR) rules across Office applications. The mix of Block and Audit actions allows for telemetry‑based tuning before enforcing more disruptive rules.

It is assigned to the group:

(Your "medium impact" or "Office hardening staging" group.)

It uses the Endpoint Security → Attack Surface Reduction Rules template.

Below is a structured breakdown of each ASR rule defined in the payload.

These stop high-risk behaviour outright.

✔ Extremely effective against macro malware
✔ Shuts down Office → cmd.exe / powershell / mshta / rundll32 chains
✔ High impact but high security return

✔ Prevents Office from writing .exe, .dll, .ps1, .vbs, .hta, etc.
✔ Stops droppers and embedded payload generation

✔ Prevents script languages from triggering payloads
✔ Very effective for both phishing and drive‑by attacks

✔ Prevents credential scraping behaviour
✔ Far beyond Office–but necessary for modern E8 M2+ environments

✔ Additional protection for Outlook, Teams add-ins
✔ Complements the “block all Office apps” rule

✔ Same as your dedicated PDF hardening policy
✔ Great overlap for risk reduction
✔ You now enforce this in two policies — intentional redundancy is okay but not required

These are enabled in Audit mode so you can analyse impact before deciding to Block.

⚠️ Blocking this can break legitimate workflows in Outlook
Audit now → Block later

Audit first because some Office add-ins depend on controlled injection.

Audit required because PowerShell frameworks (e.g., MDT/ConfigMgr scripts) sometimes get flagged.

High value but can break internal macro solutions → good call to audit.

This rule is excellent for Zero Trust workloads but can disrupt LOB applications.

Good visibility rule; blocking affects sysadmin/automation tooling.

Blocking this can break legitimate monitoring/logging frameworks.

This profile provides:

Using Block for universally safe rules and Audit for risky ones is exactly what Microsoft and ACSC recommend for: