If you use Microsoft Excel with Copilot, there’s a critical security update you need to install immediately. Microsoft’s March 2026 Patch Tuesday fixes a vulnerability that lets attackers weaponize the AI assistant to silently steal your data — no clicks required.
Tracked as CVE-2026-26144, the flaw is a cross-site scripting (XSS) bug buried in how Excel generates web content. An attacker who gets a malicious file onto your system can trigger it just by having you preview the file in Windows Explorer or your email client. The result: Copilot can be manipulated into phoning home with sensitive information, all without you ever opening the file or noticing anything unusual.
What Microsoft Fixed
At core, CVE-2026-26144 is an improper input neutralization during web page generation inside Excel. That’s tech-speak for a classic XSS vulnerability — the same kind that’s plagued websites for decades. But instead of a browser, this one lives inside a desktop productivity app that now hosts a powerful AI agent.
Microsoft’s advisory explains that an attacker with network access to a vulnerable system can craft content that, when rendered by Excel, injects script into the application’s internal web views. That script can then command the Copilot Agent to perform unintended network requests — reading workbook cells, querying document metadata, or summarizing local data — and exfiltrate the results to a remote server.
Because the attack requires no user interaction — a simple file preview is enough — Microsoft rated the vulnerability Critical despite it being an information disclosure rather than a remote code execution flaw. The patch, part of the March 2026 Office security roll-up, corrects the input sanitization so that attacker-controlled strings can’t break out of their intended context and hijack the agent.
The Attack Chain: How Data Gets Stolen
To understand the risk, follow the steps an attacker would take:
- Craft a poisoned Excel file — This could be a workbook containing a specially formatted cell, chart, or embedded web content. The payload exploits the XSS when Excel renders the file’s HTML representation (for previews, accessibility views, or Copilot context windows).
- Deliver it to the victim — Common vectors: email attachment, a link to a shared document on a compromised SharePoint or OneDrive, or a file dropped on a network share.
- Victim previews the file — This is the zero-click moment. Previewing in Windows Explorer, Outlook’s reading pane, or even having the file indexed can cause Excel’s rendering engine to process the malicious markup.
- Copilot gets compromised — The injected script runs in a context trusted by Copilot. It can invoke the agent to “analyze” the workbook, fetch related data from the local system, or perform lookups — then forward the results to an attacker-controlled URL.
- Exfiltration completes silently — The outbound request looks like legitimate agent traffic. There are no pop-ups, crashes, or obvious signs for the user.
Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative, called the scenario “fascinating” and noted “an attacker could use it to cause the Copilot Agent to exfiltrate data off the target.” Alex Vovk, CEO of Action1, added that “attackers could silently extract confidential information from internal systems without triggering obvious alerts.”
Who Should Worry?
The short answer: anyone with Microsoft 365 Copilot enabled who hasn’t yet installed the March 2026 updates. But the risk escalates in certain environments:
- Business and enterprise users are the prime target because Copilot is widely deployed for productivity gains, and they hold sensitive corporate data.
- Home users may not be immune — personal financial spreadsheets, legal documents, or private correspondence can be stolen if they use Copilot-enabled accounts.
- Organizations with permissive network egress (i.e., few restrictions on outbound web traffic from workstations) face higher exposure because the exfiltration traffic blends in easily.
- Anyone previewing files from untrusted sources — even if you never double‑click, just selecting a file and seeing a thumbnail can trigger the bug.
Microsoft confirmed that the attacker needs network access to the target, but that’s a low bar: the attacker could be on the same Wi‑Fi, have compromised an internal server, or simply lure you into previewing a file hosted on a cloud service.
Why This Flaw Matters Now
CVE-2026-26144 isn’t the first XSS bug, nor the first Office vulnerability. It’s the composition that makes it a bellwether. AI assistants like Copilot are designed to access and synthesize user context — that’s what makes them useful. But that same power turns them into a ready‑made data channel when an underlying rendering flaw is exploited.
Security researchers have warned about “prompt injection” attacks on AI since at least 2025, with incidents like EchoLeak and Reprompt demonstrating how assistants can be tricked into revealing information. This Excel vulnerability takes that threat out of the lab and into the mainstream, showing that even a simple web‑generation bug can have outsized impact when an autonomous agent is listening.
The critical rating from Microsoft reflects a dawning reality: the attack surface has expanded. The old playbook of patching remote code execution flaws and calling it a day is no longer sufficient. Information disclosure through AI agents can be just as damaging, and far harder to detect, because the malicious traffic rides on legitimate automation features.
How to Protect Yourself and Your Organization
Immediate steps for everyone
Update Office now. The simplest fix is to apply the March 2026 security updates. In any Office app (Word, Excel, PowerPoint), go to File > Account > Update Options > Update Now. Restart Excel afterward. The patch is cumulative, so it includes fixes for all prior vulnerabilities as well.
Turn off the preview pane. In Windows Explorer, go to View > Preview Pane to disable it. In Outlook, disable the reading pane for untrusted messages (View > Reading Pane > Off). This reduces the chance of accidentally triggering a malicious render.
For IT administrators
Deploy patches rapidly. Use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business. This vulnerability should be treated as a priority zero‑day.
Consider temporarily disabling Copilot Agent mode. If you can’t patch all endpoints immediately, use Group Policy or Microsoft 365 admin center to turn off Copilot’s agent features in Excel until the update is verified. This cuts off the exploitation path even if an unpatched machine previews a malicious file.
Harden network egress. Block or monitor outbound connections from Office applications to unexpected destinations. Configure your proxy or firewall to alert on any Excel.exe or Copilot.exe process reaching an external IP address that isn’t a known Microsoft telemetry endpoint.
Tune detection rules. Update your EDR/SIEM with rules that correlate file preview events with outbound HTTP(S). Look for:
- Excel processes making network requests within seconds of a file open or preview.
- Agent processes connecting to low‑reputation domains.
- Unusual data volumes from Office apps during idle times.
If you suspect compromise
- Isolate the affected machine from the network.
- Check proxy and firewall logs for outbound requests from Excel or Copilot processes to suspicious destinations over the last 90 days.
- Preserve the suspicious file and related logs for forensic analysis.
- Revoke any credentials or tokens that the agent might have accessed — Copilot can read API keys, connection strings, or other secrets stored in documents.
Microsoft has published no indicators of active exploitation, but the ease of crafting an attack means defenders should assume the worst and hunt proactively.
The Bigger Picture
CVE-2026-26144 is a crystal‑clear example of why every new AI capability must be paired with a hard look at legacy attack surfaces. Excel has rendered web content for years, and XSS bugs weren’t considered critical — until an AI agent with broad data access started listening to that same content. The fix Microsoft delivered this month is essential, but it’s a point solution.
Over the next year, expect more patches for XSS, prompt injection, and other input‑handling flaws across Office and Windows — precisely because the agent attack surface is so rich. Microsoft will likely need to redesign how Copilot handles rendered content, perhaps by sandboxing agent actions or requiring explicit user consent for external network requests.
For users and admins, the lesson is clear: patching alone isn’t enough. You need defense in depth — network egress controls, DLP policies that understand AI‑initiated actions, and continuous monitoring. The agent that makes you more productive can also betray you, unless you treat it like any other high‑privilege service and lock it down accordingly.