The threat landscape facing organisations in 2025 is constantly changing, and cybersecurity strategies must evolve beyond the detect-and-respond priorities of earlier systems. Threat actors routinely abuse commonplace, benign-looking behaviours, such as running scripts or Office macros, to gain an initial foothold. Security therefore has to be pre-emptive as well as reactive, and the Attack Surface Reduction capabilities in Microsoft Defender are a strong first line of defence against exactly this class of threat.
Attack Surface Reduction (ASR) rules are predefined, behaviour-based security policies in Microsoft Defender for Endpoint, enforced locally by Microsoft Defender Antivirus. Their aim is to limit commonly exploited activities, programs and threats by blocking suspicious behaviour (or, in audit mode, only logging it) before it can do damage.
ASR rules are split into two categories by Microsoft.
Standard protection rules are the essential rules Microsoft recommends enabling first: they have minimal impact on day-to-day operations but deliver significant protection. They are:
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Block persistence through WMI event subscription
• Block abuse of exploited vulnerable signed drivers
Advanced protection rules are the rest of the set. They will usually require extensive testing in audit mode and may need exclusions for legitimate business tools, so they call for careful monitoring and tuning to avoid disrupting workflows. Examples include:
• Block Win32 API calls from Office macros
• Block execution of potentially obfuscated scripts (ASR does not block scripting wholesale)
• Block untrusted and unsigned processes that run from USB (removable media)
• Block executable files from running unless they meet a prevalence, age or trusted-list criterion (this rule depends on cloud-delivered protection being enabled)
• Block all Office applications from creating child processes
Start advanced rules in audit mode, review the audit events they generate, and move each rule to block mode only once you have confirmed it does not interfere with legitimate workflows. Some rules also support warn mode, which shows the user a prompt and lets them bypass the block for that one action, a useful middle step for rules that occasionally hit a legitimate tool.
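The following PowerShell is an added example (not from the original article) of the staged rollout just described: the three standard rules go straight to block, the advanced rules go to audit, and the engine's current state is read back. It assumes an elevated session on a Windows host where Microsoft Defender Antivirus is the active antivirus. The rule GUIDs are Microsoft's published identifiers for these rules; cross-check them against the ASR rules reference before using them in production.

```powershell
# Added example: stage ASR rules with the Defender PowerShell module.
# Requires an elevated session and Microsoft Defender Antivirus in active mode.
# GUIDs are Microsoft's published rule identifiers; verify against the ASR
# rules reference before relying on them.

# Standard protection rules: low false-positive risk, so go straight to Block.
$standardRules = @{
    'Block credential stealing from LSASS'               = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block persistence through WMI event subscription'   = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block abuse of exploited vulnerable signed drivers' = '56a863a9-875e-4185-98a7-b882c64b5ce5'
}

# Advanced protection rules: start in Audit so hits are logged but nothing is blocked.
$advancedRules = @{
    'Block Win32 API calls from Office macros'                    = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block execution of potentially obfuscated scripts'           = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block untrusted and unsigned processes that run from USB'    = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block executables failing prevalence/age/trusted-list check' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block all Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][hashtable]$Rules,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Mode
    )
    foreach ($entry in $Rules.GetEnumerator()) {
        # Add-MpPreference updates the action for an ID that is already present,
        # so re-running this with a different -Mode is how a rule is promoted
        # from AuditMode to Enabled (block).
        $params = @{
            AttackSurfaceReductionRules_Ids     = $entry.Value
            AttackSurfaceReductionRules_Actions = $Mode
        }
        Add-MpPreference @params
        Write-Host ('{0,-10} {1}  {2}' -f $Mode, $entry.Value, $entry.Key)
    }
}

Set-AsrRuleMode -Rules $standardRules -Mode Enabled
Set-AsrRuleMode -Rules $advancedRules -Mode AuditMode

# Read back what the engine actually holds. IDs and actions are parallel
# arrays; the action codes are 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref        = Get-MpPreference
$ids         = @($pref.AttackSurfaceReductionRules_Ids)
$actions     = @($pref.AttackSurfaceReductionRules_Actions)
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

if ($ids.Count -gt 0) {
    0..($ids.Count - 1) | ForEach-Object {
        [pscustomobject]@{
            RuleId = $ids[$_]
            Action = $actionNames[[int]$actions[$_]]
        }
    } | Format-Table -AutoSize
}
```

On devices managed by Intune or Group Policy, the policy setting wins and local Add-MpPreference changes are overwritten on the next policy refresh, so use the same mode per rule in the tenant policy; the read-back at the end is still the quickest way to confirm what a given endpoint is really enforcing.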
ASR rules protect against threats that often lead to wider compromise of the network, including:
• Malicious script execution
• Office-based threats
• Credential theft
• Exploitation of vulnerable drivers
• USB-delivered malware
• Persistence mechanisms
• Lateral movement tools
Here are two hypothetical scenarios of the kind that Attack Surface Reduction rules stop every day.
Scenario 1 – Ransomware Delivered via Office Macro
Jane works at a small startup. Going through her email one morning, she opens an attachment from a phishing message: a macro-enabled workbook labelled "payroll.xlsm" (a plain .xlsx file cannot carry VBA macros). The workbook attempts to run a macro that launches PowerShell and downloads ransomware from a command-and-control (C2) server overseas.
Without ASR rules, this could become a full-scale ransomware incident. With the following rules in block mode, the chain is cut at several points:
• Block all Office applications from creating child processes – Excel is prevented from spawning PowerShell, so the download never runs
• Block execution of potentially obfuscated scripts – if the PowerShell stage is obfuscated, as it usually is, it is blocked when it runs (a plain, unobfuscated script is not covered by this rule)
• Block Win32 API calls from Office macros – the macro's calls into the Win32 API, the technique used to inject or launch code directly from VBA, are blocked; this rule does not stop VBA itself from running
Any one of these rules, properly configured, breaks the chain before damage is done; together they give defence in depth, because each fires at a different step of the attack.
Scenario 2 – Malware via USB Device
Steve, an IT assistant at a local school, is tidying the car park when he finds an unlabelled USB drive on the ground. Curious, and hoping to return it, he plugs it into his workstation and opens the files on it. One of them is malware that installs a hidden backdoor built to harvest student and staff credentials.
Without ASR rules in place, the malware executes silently and establishes a foothold, potentially spreading across the school's network, compromising sensitive records and disrupting daily operations.
With ASR rules in place, the attack would be stopped at the source:
• Block untrusted and unsigned processes that run from USB – the unsigned executable on the drive is prevented from running
• Block executable files from running unless they meet a prevalence, age or trusted-list criterion – a freshly built binary that Microsoft's cloud has never seen fails the check (this rule needs cloud-delivered protection enabled)
• Block execution of potentially obfuscated scripts – if the dropper is an obfuscated script rather than an executable, it is caught here instead
These rules overlap by design: whichever form the malicious file takes, at least one of them stops it from running, keeping the school's systems and personal data safe.
ASR rules are a strong first line of defence, but they are not plug-and-play. Effective implementation requires:
• Careful planning
• Testing in audit mode
• Tuning for operational compatibility
• Ongoing monitoring
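Testing in audit mode only helps if someone reads the audit events. The PowerShell below is an added example (not from the original article) that summarises the ASR events Defender writes to its operational log, so that repeated hits on a known-good business tool can be spotted and excluded before a rule is switched from audit to block. The log name and event IDs (1121 = blocked, 1122 = audited) are Microsoft-documented; the EventData field names used ('ID', 'Path', 'Process Name', 'User') are taken from observed events and should be verified on your own hosts. The exclusion path at the end is hypothetical.

```powershell
# Added example: summarise ASR audit (1122) and block (1121) events from the
# local Defender operational log. Field names in EventData are assumed from
# observed events; verify them against an event on your own endpoint.

$ruleNames = @{
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Win32 API calls from Office macros'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Potentially obfuscated scripts'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted/unsigned processes from USB'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables failing prevalence/age/trusted list'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office creating child processes'
}

function Get-AsrEventSummary {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $parsed = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # The rule GUID may be logged with braces and in upper case; normalise it
        # so it matches the keys in $ruleNames.
        $ruleId = ($data['ID'] -replace '[{}]', '').ToLower()

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = if ($ruleNames.ContainsKey($ruleId)) { $ruleNames[$ruleId] } else { $ruleId }
            Path    = $data['Path']
            Process = $data['Process Name']
            User    = $data['User']
        }
    }

    # Group by rule, mode and offending path. A path that keeps appearing under
    # a rule in Audit, and is a legitimate line-of-business tool, is the
    # candidate for an exclusion before that rule goes to Block.
    $parsed | Group-Object Rule, Mode, Path |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Rule';    e = { $_.Group[0].Rule } },
                      @{ n = 'Mode';    e = { $_.Group[0].Mode } },
                      @{ n = 'Path';    e = { $_.Group[0].Path } },
                      @{ n = 'Process'; e = { $_.Group[0].Process } }
}

Get-AsrEventSummary -Days 7 | Format-Table -AutoSize

# Exclusion for a path the audit report shows as a known-good tool (path is
# hypothetical). This exclusion applies to every ASR rule, not just the one that
# fired, so keep it as narrow as possible and review exclusions regularly.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LobApp\lobtool.exe'
```

Run this on a representative sample of machines from each business unit before promoting a rule, since the tools that trip an advanced rule in finance are rarely the same ones that trip it in engineering. In a Defender for Endpoint tenant the same events are also available centrally in advanced hunting, which is the better place to do this at scale; the local log is still the fastest check on a single machine that has just started complaining.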
This is where Spartans Security comes in.
With our deep experience in Microsoft Defender technologies, we can help your business design, implement, and fine-tune ASR rules to deliver strong protection with minimal disruption.