Excel XSS Bug Weaponizes Copilot for Zero-Click Data Theft

A cross-site scripting vulnerability in Microsoft Excel can weaponize Copilot Agent to silently exfiltrate sensitive data without any user interaction. Microsoft patched CVE-2026-26144 in its March 2026 Patch Tuesday release, but the attack vector represents a new category of AI-assisted exploitation that security teams need to understand.

How the Attack Works

The vulnerability stems from improper neutralization of input during web page generation inside Excel. User-controlled content within a workbook gets transformed into markup or script that Excel fails to sanitize before rendering or processing.

Combined with indirect prompt injection, an attacker can craft a malicious Excel file that causes Copilot Agent to make network requests disclosing data to an attacker-controlled endpoint. The file doesn't need to be opened—exploitation can occur through:

• Automatic file preview in email clients
• Background document processing in SharePoint
• Server-side ingestion workflows
• OneDrive sync operations

The Register described it as a "novel attack vector weaponizing AI agents within Office applications." The CVSS score of 7.5 reflects the no-user-interaction requirement combined with network-based data exfiltration.

The Copilot Angle

What makes CVE-2026-26144 particularly concerning is how it abuses AI assistance features that many organizations have enabled by default. Copilot Agent mode operates with elevated trust, processing document content to help users with tasks. The vulnerability hijacks this processing pipeline.

When Copilot parses a malicious workbook, the XSS payload tricks it into making HTTP requests that embed spreadsheet data in the request URL or body. Because the requests originate from a legitimate Microsoft process, they may bypass data loss prevention tools looking for unusual exfiltration patterns.

This attack mirrors concerns we covered in the font rendering attack that poisoned AI assistants last week. AI integrations are expanding the attack surface faster than security teams can audit them.

Corporate Risk Assessment

Information disclosure vulnerabilities often get deprioritized below RCE bugs, but this one deserves urgent attention. Excel files routinely contain:

• Financial projections and budgets
• Employee compensation data
• Customer lists and pricing
• M&A due diligence materials
• Intellectual property

The zero-click nature means a single malicious attachment forwarded through an organization can silently harvest data from every recipient whose system previews or processes it. And because the exfiltration happens through Copilot, it may appear as normal AI telemetry in network logs.

Mitigation Steps

Microsoft's March patches should be applied immediately. For organizations that cannot patch right away:

1. Disable Copilot Agent functionality in Excel until patches deploy
2. Restrict outbound network traffic from Office applications at the firewall level
3. Monitor for unusual HTTP requests generated by Excel processes, particularly to unfamiliar domains
4. Disable automatic file preview in Outlook and SharePoint where possible
5. Alert security teams to investigate any Excel-originated network traffic to external hosts

The March 2026 Patch Tuesday release addressed 83 CVEs total, including two publicly disclosed zero-days. CVE-2026-26144 wasn't among the zero-days, but given the attack surface expansion it represents, organizations should treat it with similar urgency.

The Bigger Picture

This vulnerability is a preview of challenges ahead. As AI assistants get embedded deeper into productivity software, each integration creates potential for prompt injection and data leakage. Security teams built their detection capabilities around traditional malware patterns—they now need to account for AI systems being manipulated into acting as exfiltration channels.

Microsoft's rapid response deserves credit, but the underlying issue remains: AI agents processing untrusted content with network access will keep generating novel attack surfaces. Organizations adopting Copilot and similar tools need to factor this expanded risk into their threat models.

The advice from last year about carefully evaluating browser extension security now applies equally to AI integrations. Trust boundaries that seemed clear become ambiguous when AI can be tricked into crossing them.