In This Article
Microsoft's March 10 Patch Tuesday fixed 79 vulnerabilities. One of them changes how we think about AI security. CVE-2026-26144 is a critical Excel flaw that turns Copilot into a data exfiltration tool. No clicks required.
The vulnerability is technically an XSS bug, a class of flaw that security teams have patched for decades. What makes this one different is the middleman. Instead of tricking a human into clicking a malicious link, attackers can coerce Microsoft's Copilot Agent into reading a poisoned spreadsheet and shipping the contents to an external server. The user never opens the file. The user never clicks anything. Copilot does the work for the attacker.
For credit unions, community banks, and mortgage companies running Copilot on tenants full of loan data, borrower records, and financial models, this isn't a theoretical risk. It's a patch-now situation.
A loan officer receives a shared Excel workbook through OneDrive. The workbook contains hidden cells with a crafted XSS payload. Copilot Agent begins a background analysis to generate a summary.
The payload overrides Copilot's safety guardrails and instructs the agent to package the spreadsheet's contents into an outbound HTTP request. Borrower names, SSNs, loan amounts, and account numbers reach an attacker-controlled server before anyone opens the file.
What CVE-2026-26144 Actually Does
At its core, CVE-2026-26144 is a cross-site scripting vulnerability (CWE-79) in Microsoft Excel's input handling. Excel fails to properly neutralize certain content embedded in spreadsheet data, allowing attacker-controlled markup to execute in the rendering context.
In a traditional environment, this type of bug would require a user to interact with the malicious content. But Microsoft's Copilot Agent changes the equation. When Copilot's agent mode processes a workbook to provide summaries or insights, it reads the poisoned cells. The crafted payload then instructs the agent to make outbound network calls, sending sensitive data to an external endpoint.
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-26144 |
| Product | Microsoft Office Excel |
| Type | Information Disclosure (XSS / CWE-79) |
| Severity | Critical |
| CVSS Score | 7.5 (Network / No User Interaction) |
| Exploited in Wild | No (at disclosure) |
| Patch Available | Yes (March 10, 2026 Patch Tuesday) |
| Attack Vector | Crafted Excel workbook + Copilot Agent |
Microsoft confirmed that the vulnerability "could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack." The company classified it as Critical despite the 7.5 CVSS score because of the zero-click exfiltration mechanism.
Dustin Childs at the Zero Day Initiative called it "an attack scenario we're likely to see more often." He's right. As AI agents gain more autonomy inside productivity tools, every unpatched input validation flaw becomes a potential exfiltration channel.
The Attack Chain: Old Bug, New Weapon
The attack works because of a fundamental tension in agentic AI design. Copilot Agent needs broad permissions to be useful. It reads documents, connects to external services, and takes actions on behalf of users. Those same permissions become attack surface when the agent processes untrusted input.
What Changed in 2026
XSS vulnerabilities in Office products are nothing new. Microsoft has patched hundreds of them over two decades. What's new is the intermediary. Before Copilot Agent, an XSS bug in Excel required a human to trigger it. Now the AI agent triggers it automatically, and the agent has network access that a static spreadsheet never had.
Here's how the attack chain works in practice. An attacker crafts an Excel workbook with hidden cells containing a prompt injection payload. The workbook arrives through email, OneDrive sharing, or SharePoint. Copilot Agent processes the file in the background as part of its autonomous analysis. The XSS payload executes in the rendering context and places instructions the agent can interpret. Copilot then packages sensitive cell data into outbound HTTP requests to an attacker-controlled endpoint.
The traffic looks legitimate because it originates from a trusted Microsoft process. Traditional EDR and web application firewalls aren't built to flag outbound connections from Copilot. Alex Vovk, CEO of Action1, told The Register that "attackers could silently extract confidential information from internal systems without triggering obvious alerts."
This is exactly the type of agentic AI risk that OWASP flagged in their Top 10 for AI agents. Indirect prompt injection, where malicious content in a document manipulates an AI agent's behavior, is one of the top-ranked threats in OWASP's guidance for AI applications. CVE-2026-26144 is that threat in the real world.
According to Microsoft's Data Security Index 2024, 84% of security leaders want more confidence managing data inside AI applications. The same research shows 80% of leaders cite data leakage as their primary GenAI concern. CVE-2026-26144 validates both fears: an AI agent designed for productivity became the exfiltration vector.
The vulnerability also connects directly to Gartner's recent warning about five Copilot security risks facing financial institutions. Several of Gartner's identified risks center on uncontrolled data access and agent autonomy. CVE-2026-26144 validates those concerns with a real-world exploit.
Why Financial Institutions Face Higher Risk
Not every organization faces the same exposure from CVE-2026-26144. Financial institutions carry disproportionate risk for three reasons.
First, the data is high-value. Excel workbooks at credit unions, community banks, and mortgage companies contain borrower PII, loan pricing models, financial projections, and examination preparation data. A breach of any of these triggers regulatory notification requirements under GLBA, state breach laws, and potentially CFPB enforcement.
Second, Copilot adoption is accelerating. Microsoft's own data shows that Copilot's newest features like Cowork give agents increasing autonomy over document processing. Financial institutions deploying Copilot without governance guardrails have broader attack surface than organizations that haven't adopted AI tools yet.
Third, many institutions deployed Copilot before configuring Purview DLP policies or restricting agent network access. The gap between deployment and governance is where CVE-2026-26144 lives.
Ungoverned Copilot Deployment
- Copilot Agent reads all files the user can access
- No DLP policies restrict what data Copilot can process
- Outbound network access from Office processes is unrestricted
- No monitoring for unusual agent-initiated network requests
- Sensitivity labels not applied to financial workbooks
Governed Copilot Deployment (ABT Guardian)
- Purview sensitivity labels restrict Copilot access to classified data
- DLP policies block AI processing of SSNs, account numbers, loan data
- Egress filtering limits outbound connections from Office processes
- Guardian monitoring surfaces tenant security drift and anomalous sign-in patterns
- Conditional Access policies enforce device compliance before Copilot access
The comparison isn't theoretical. Institutions that configured Purview sensitivity labels before enabling Copilot have a structural defense against this vulnerability. Copilot can't exfiltrate data it can't read. Institutions that skipped governance and went straight to deployment are relying entirely on Microsoft's patch to close the gap.
This is the same pattern we've seen with recent attacks targeting Microsoft 365 environments. The vulnerability matters, but the governance posture determines the actual impact.
Four Steps to Protect Your Institution Now
Patching is step one, but it's not the only step. CVE-2026-26144 exposed a broader architectural gap in how most institutions run Copilot. Closing the vulnerability and closing the gap require different actions.
Apply March 2026 cumulative update to all Excel and Office installations immediately
Configure egress filtering on Office processes and disable Copilot autonomous analysis for external files
Apply Purview sensitivity labels to financial workbooks so Copilot can't process unclassified sensitive data
Watch for unusual outbound connections from Office processes using Defender or Sentinel
Step 1: Patch immediately. Microsoft released the fix on March 10, 2026 as part of the monthly security update. This closes the specific XSS vulnerability that enables the Copilot exfiltration. Every day you delay patching is a day the vulnerability is exploitable.
Step 2: Restrict Copilot's network access. Even after patching, the architectural lesson matters. Office processes, including Copilot, should not have unrestricted outbound network access. Configure host-level firewall rules or web proxy policies to limit which external domains Excel and Copilot can reach. If your institution can't patch immediately, Action1 recommends disabling Copilot Agent mode for high-risk user groups (finance, legal, executive) until the update is validated.
Step 3: Classify your sensitive data. Purview sensitivity labels are the structural defense against AI-enabled data leakage. When financial workbooks carrying borrower data are labeled "Highly Confidential," Copilot respects those labels and restricts what it can do with the content. Institutions that haven't deployed sensitivity labels should treat this as an urgent project.
Step 4: Monitor for agent-initiated exfiltration. Even with patches applied, you need visibility into what Copilot is doing. Security researchers report that Microsoft's fix hardens the agent sandbox to restrict how Copilot handles unvetted data sources. But defense in depth means monitoring too. Use Defender for Endpoint or Azure Sentinel to flag unusual outbound connections from Office processes, especially connections to unfamiliar external endpoints.
Key Takeaway
CVE-2026-26144 is patched, but the underlying problem isn't. Every AI agent with document access and network permissions is a potential exfiltration vector. The fix isn't just patching one CVE. It's governing every AI agent in your environment before the next one drops.
Frequently Asked Questions
CVE-2026-26144 is a critical information disclosure vulnerability in Microsoft Excel, disclosed on March 10, 2026. It's a cross-site scripting (XSS) flaw that allows attackers to coerce Microsoft's Copilot Agent into exfiltrating spreadsheet data to an external server without any user interaction.
An attacker embeds a crafted XSS payload in hidden Excel cells. When Copilot Agent processes the workbook for background analysis or summaries, the payload manipulates the agent into making outbound HTTP requests containing the spreadsheet's sensitive data. The user never needs to open or interact with the file.
As of March 10, 2026, Microsoft reported no evidence of active exploitation. However, the Zero Day Initiative and multiple security researchers have described the attack technique in detail, which means proof-of-concept development is likely. Financial institutions should patch before exploitation begins.
The vulnerability exists in Microsoft Excel's input handling, so it affects any unpatched Excel installation. However, the zero-click exfiltration component specifically requires Copilot Agent to be enabled and configured for autonomous document analysis. Organizations without Copilot face the XSS risk but not the automated data exfiltration.
Apply the March 2026 cumulative update to all Office and Excel installations immediately. If patching requires a maintenance window, disable Copilot Agent mode for high-risk user groups (finance, legal, executive) as an interim measure. Then prioritize deploying Purview sensitivity labels on financial workbooks to add a structural defense layer against future AI-enabled data leakage.
Disabling Copilot Agent mode prevents the zero-click exfiltration component but does not fix the underlying XSS vulnerability in Excel. Patching is the only complete fix. Disabling Copilot is an interim mitigation for institutions that need time to test and deploy the update.
Is Your Copilot Deployment Governed or Exposed?
CVE-2026-26144 proved that ungoverned AI agents are a data exfiltration risk. ABT's security assessment identifies Copilot configuration gaps, missing sensitivity labels, and unmonitored agent access across your tenant.
