Microsoft Defender AV must be configured to block Win32 imports from macro code in Office.

An XCCDF Rule

Description

This rule blocks potentially malicious behavior by not allowing macro code to execute routines in the Win 32 dynamic link library (DLL).

ID: SV-213462r823093_rule
Version: WNDF-AV-000038
Severity: Medium
References: CCI-001170
Updated: 5 days ago

Remediation Templates

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Windows Defender Exploit Guard >> Attack Surface Reduction >> "Configure Attack Surface Reduction rules" to "Enabled". 

Click "Show...". Set the Value name to "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" and the Value to "1".