Attack Surface Reduction (ASR) is a set of security rules that block common abuse paths before malicious code can start. Instead of waiting to detect a payload after execution, ASR policies stop risky behaviors such as launching scripts from Office documents, spawning child processes from trusted apps, or running content from archive-and-shortcut delivery chains.
ASR matters because many real attacks rely on predictable first steps: a user opens a lure, a shortcut or script starts a second stage, and the payload reaches command-and-control. By denying those launch patterns at the endpoint, defenders can break the chain early, even when the email or file looks legitimate. In practice, ASR is used alongside attachment filtering, application control, and user training to reduce the chances that a phishing lure turns into code execution. It is especially useful against disguised LNK files, macro-based documents, and other files that abuse normal Windows behavior.
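As an added example (not part of the original page), the following PowerShell reports the state of several ASR rules on an endpoint and stages any unconfigured ones in audit mode. It assumes Microsoft Defender Antivirus with its PowerShell module and an elevated session; the choice of rules is an assumption made here to match the behaviors described above.

```powershell
# Added example: audit selected ASR rules, then stage missing ones in audit mode.
# GUIDs are Microsoft Defender's published ASR rule IDs; the selection is an assumption.
$wanted = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
# Numeric action values as returned by Get-MpPreference.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Read the current configuration; Ids and Actions are parallel arrays.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$current = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $current[$ids[$i].ToUpper()] = [int]$acts[$i]
}

# Build a per-rule report: Block, Audit, Warn, Disabled, or Not configured.
$report = foreach ($id in $wanted.Keys) {
    $state = if ($current.ContainsKey($id)) { $actionNames[$current[$id]] } else { 'Not configured' }
    [pscustomobject]@{ Rule = $wanted[$id]; Id = $id; State = $state }
}
$report | Format-Table -AutoSize

# Stage unconfigured rules in audit mode so their events can be reviewed
# for false positives before switching the action to Enabled (block).
foreach ($row in ($report | Where-Object State -eq 'Not configured')) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $row.Id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
```

Rules already set to Disabled, Audit, Warn or Block are left untouched, so the script does not override an existing policy decision.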



