Updates to attack surface reduction rules for Office apps
Published May 15 2019 06:03 AM 5,988 Views

Attack surface reduction rules help prevent malware from infecting computers with malicious code. Some of these rules aim to reduce your attack surface while you’re using Office applications. You can read about the full list here: Reduce attack surfaces with attack surface reduction rules.


We’re extending a few of these rules to include Office 365 desktop apps from the Microsoft Store (known as Office Centennial apps):

  • Block all Office applications from creating child processes
  • Block Office communication application from creating child processes

No action is required if you are already running Office Centennial apps and have any of these rules enabled in either audit or block mode. We’ll be doing a gradual rollout managed via our cloud. You shouldn’t see any change in your environments if you are not running Office Centennial apps.


The following rules are already enabled for Office Centennial apps:

  • Block Win32 API calls from Office macro
  • Block Office applications from creating executable content

You can see how these rules work right now by reading our previous blog post on how to configure, evaluate, and deploy the new rules, and you can go through the evaluation guide on the Windows Defender ATP test ground at https://demo.wd.microsoft.com.


Version history
Last update:
‎May 15 2019 03:15 PM
Updated by: