Overview/Introduction
Microsoft’s integration of AI-driven Copilot into Office applications promised a productivity boost, but it also introduced a new attack surface. On 10 March 2026, Microsoft disclosed a critical-severity vulnerability in Microsoft Excel (CVE-2026-26144) that allows a malicious spreadsheet to weaponise the Copilot Agent and silently steal data. The flaw is a classic zero-click information-disclosure issue: the exploit requires no user interaction beyond the normal handling of an Excel file and can exfiltrate data via the built-in network egress capabilities of Copilot.
Technical Details
The vulnerability is a cross-site scripting (XSS) flaw in the Excel rendering engine that is triggered when a specially crafted workbook is opened, even in preview mode. When the workbook is parsed, the malicious payload injects JavaScript-like content into a hidden Office.js context. Because Copilot Agent runs as a privileged background service with outbound network permissions, the injected script can invoke the agent’s fetch API and send arbitrary cell contents to an attacker-controlled server.
- CVE Identifier: CVE-2026-26144
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network-required, no user interaction (zero-click)
- Privileges Required: None - the exploit works under the context of the logged-in user
- Impact: Confidentiality breach - arbitrary data from the workbook and, potentially, from other Office files opened in the same session can be exfiltrated.
The exploit chain can be summarised as follows:
1. Attacker hosts malicious.xlsx on a web server or sends it via email.
2. Victim's Excel (with Copilot enabled) automatically parses the file - preview pane or background indexing can trigger parsing.
3. Embedded XSS payload reaches the Copilot Agent sandbox.
4. Agent’s network egress routine issues an HTTPS request to attacker-controlled C2.
5. Data from the workbook (including hidden sheets, formulas, and linked external data) is streamed out.
Because Copilot Agent is designed to communicate with Microsoft’s cloud services, its outbound traffic is often allowed through corporate firewalls. The exploit therefore bypasses typical application-layer controls and appears as legitimate Azure traffic.
Impact Analysis
Any organisation that relies on Excel for processing sensitive data - financial statements, HR records, intellectual property, or operational metrics - is at risk. The flaw does not require administrative privileges, so even low-privilege accounts can be leveraged to harvest data from high-value spreadsheets.
- Enterprise users: Potential leakage of confidential financial models, P&L statements, and customer data.
- SMBs: Exposure of payroll spreadsheets, tax filings, and vendor contracts.
- Individuals: Personal finance trackers, medical records stored in Excel, or any personally identifiable information (PII) saved locally.
The zero-click nature means traditional security awareness training (e.g., “don’t open suspicious attachments”) is ineffective. Attackers can embed the malicious workbook in legitimate-looking documents or deliver it via cloud-share links that users click without opening the file directly.
Timeline of Events
- Early March 2026: Researchers at the Zero Day Initiative (ZDI) identify the XSS flaw during internal testing of Copilot integrations.
- 10 March 2026: Microsoft publicly discloses CVE-2026-26144 in its March Patch Tuesday bulletin and releases the security update (KB502XXXX).
- 10 March 2026 - 12 March 2026: Security vendors publish analyses, highlighting the zero-click exfiltration vector.
- Mid-March 2026: Early adopters report detection of anomalous outbound traffic from Excel processes in network monitoring tools.
- Late March 2026: No confirmed active exploitation in the wild, but threat intel predicts rapid weaponisation by financially motivated actors.
Mitigation/Recommendations
Microsoft’s patch addresses the XSS parsing logic and adds stricter validation of Copilot-generated network calls. Organisations should adopt a layered response:
- Patch immediately: Deploy the March 2026 cumulative update (KB502XXXX) to all Windows 10/11 and Microsoft 365 installations.
- Disable Copilot where not essential: In Office admin settings, turn off “Copilot Agent” for Excel until the patch is verified in the environment.
- Restrict outbound traffic: Implement firewall rules that block unauthorised egress from EXCEL.EXE and CopilotAgent.exe, allowing only Microsoft-approved endpoints.
- Monitor network anomalies: Use IDS/IPS signatures to alert on HTTPS requests from Excel processes to non-Microsoft domains.
- Apply least-privilege policies: Ensure users run Excel with standard user rights, not as administrator.
- Educate users: While the attack is zero-click, the presence of a malicious workbook can still be a phishing lure. Encourage verification of file sources.
For organisations that cannot patch immediately, a temporary mitigation is to set the Group Policy “Block all outbound network connections for Office applications” and to enforce “Protected View” for files originating from the internet.
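To make the "monitor network anomalies" recommendation concrete, the following is an added example (not code from the advisory, from Microsoft, or from any vendor product) of the allowlist check a detection rule would apply to process-level network connection events. The log line format, the sample lines, the install path used for CopilotAgent.exe and the list of allowed Microsoft domains are all constructed assumptions; a real deployment would take the allowlist from Microsoft's published Microsoft 365 endpoint list. The example goes slightly beyond the bullet by covering both EXCEL.EXE and CopilotAgent.exe and by handling a common detection pitfall: a plain substring match on "microsoft.com" would wave through a host such as microsoft.com.evil.example, so the check matches on domain boundaries only.

```python
"""Detect outbound connections from Excel-related processes to non-Microsoft hosts.

Added example, not code from the advisory or from Microsoft. The log format,
the sample lines, the CopilotAgent.exe path and the domain allowlist are all
constructed assumptions for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Process names the advisory identifies as the egress path.
WATCHED_PROCESSES = {"excel.exe", "copilotagent.exe"}

# Assumed allowlist of destination domains (illustrative; a real deployment
# would source this from Microsoft's published Microsoft 365 endpoint list).
ALLOWED_DOMAINS = ("microsoft.com", "office.com", "office365.com", "microsoftonline.com")


@dataclass(frozen=True)
class NetEvent:
    timestamp: str
    image: str       # full path of the process that opened the connection
    dest_host: str   # destination hostname
    dest_port: int


def process_name(image: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_allowed_host(host: str) -> bool:
    """True if host is an allowed domain or a subdomain of one.

    The '.' prefix in the suffix check matters: 'microsoft.com.evil.example'
    and 'notmicrosoft.com' must not be treated as Microsoft endpoints.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ALLOWED_DOMAINS)


def parse_line(line: str) -> NetEvent:
    """Parse the constructed 'timestamp|image|dest_host|dest_port' format."""
    ts, image, host, port = line.strip().split("|")
    return NetEvent(ts, image, host, int(port))


def find_anomalies(lines: Iterable[str]) -> List[NetEvent]:
    """Return events where a watched process talks to a non-allowed host."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if process_name(ev.image) in WATCHED_PROCESSES and not is_allowed_host(ev.dest_host):
            alerts.append(ev)
    return alerts


# Constructed sample log; the non-Microsoft hosts use reserved example domains.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"  # assumed install path
SAMPLE_LOG = "\n".join([
    f"2026-03-11T09:12:03Z|{OFFICE}\\EXCEL.EXE|graph.microsoft.com|443",
    f"2026-03-11T09:12:05Z|{OFFICE}\\EXCEL.EXE|updates.example.net|443",
    f"2026-03-11T09:12:06Z|{OFFICE}\\CopilotAgent.exe|microsoft.com.evil.example|443",
    f"2026-03-11T09:12:07Z|C:\\Windows\\System32\\svchost.exe|telemetry.example.org|443",
    f"2026-03-11T09:12:09Z|{OFFICE}\\CopilotAgent.exe|api.office.com|443",
])

if __name__ == "__main__":
    for ev in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ev.timestamp} {process_name(ev.image)} -> {ev.dest_host}:{ev.dest_port}")
```

Run as a script it prints two alerts from the five sample events: the Excel connection to updates.example.net and the CopilotAgent.exe connection to the look-alike host, while the svchost.exe line is ignored because that process is not watched. In production the same `find_anomalies` logic would be fed from a process-aware telemetry source rather than the embedded sample, and the allowlist would be maintained centrally.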
Real-World Impact
Consider a multinational investment firm that stores quarterly earnings models in Excel workbooks on a shared drive. An attacker sends a malicious workbook disguised as a “market outlook” report. Because the firm’s firewall allows Excel to reach Microsoft’s cloud, the Copilot Agent silently uploads the model’s formulas, cell values, and embedded macros to the attacker’s server. The firm suffers a breach of proprietary financial algorithms, giving competitors an unfair advantage and exposing client-level data.
In a healthcare context, a hospital using Excel to track patient medication schedules could have PHI exfiltrated, triggering HIPAA violations and heavy fines. The zero-click nature bypasses email-gateway scanners, making detection difficult until network traffic analysis reveals the anomaly.
Expert Opinion
As a senior cybersecurity analyst, I view CVE-2026-26144 as a watershed moment for AI-augmented productivity tools. The integration of large-language-model-driven agents into desktop applications introduces privileged network capabilities that were previously reserved for server-side services. When those agents are coupled with a client-side parsing bug, the result is a powerful, stealthy data-exfiltration channel.
Two broader lessons emerge:
- AI components must be sandboxed with the same rigor as any remote code execution vector. Microsoft’s decision to grant Copilot Agent outbound network rights by default creates a “trusted-by-default” tunnel that attackers can abuse.
- Zero-click attacks will become the new normal for high-value data theft. Traditional security hygiene (user training, macro blocking, and email filtering) won’t stop exploits that fire during file metadata processing.
Enterprises should accelerate adoption of “Zero Trust” networking for Office suites, enforce strict egress controls, and consider disabling AI assistants until mature, audited security controls are in place. The industry must also push for transparent telemetry from AI agents so that anomalous behaviour can be detected in real time.
In short, the Excel Copilot bug underscores that the convenience of AI assistants comes with a cost. Prompt patching, vigilant network monitoring, and a cautious approach to enabling AI features are the only viable defenses today.