Tech Bytes
Security

CVE-2026-26144: Zero-Click Data Exfiltration in Excel Copilot

Dillip Chowdary

Mar 14, 2026

A critical vulnerability in Microsoft Excel's AI integration has been disclosed, allowing attackers to exfiltrate entire spreadsheets without a single user interaction.

Dubbed **CVE-2026-26144**, the flaw resides in how the **Copilot for Excel** service handles remote data fetching and prompt injection. By embedding a specially crafted hidden metadata tag within a shared workbook, an attacker can trick the Copilot agent into summarizing the entire sheet and "reporting" the results to an external, attacker-controlled URL via a web-hook bypass.

The Technical Exploit: Indirect Prompt Injection

The attack utilizes **Indirect Prompt Injection**. When a user opens a workbook containing the malicious payload, Copilot automatically parses the sheet to "provide initial insights." The payload is written in a way that overrides the agent's system instructions, compelling it to execute a `fetch()` request to an external domain with the sheet's content encoded in the query parameters.

Why "Zero-Click" Matters

Unlike traditional Excel macros, which require the user to "Enable Content," the Copilot agent runs by default in many enterprise environments. The exfiltration happens in the background as soon as the file preview is generated in **OneDrive** or **SharePoint**, making this a particularly dangerous threat for financial institutions and legal firms that rely on cloud collaboration.

CVE-2026-26144 Breakdown:

  • Impact: Critical (CVSS 9.1)
  • Vector: Network (Shared Workbook)
  • Mitigation: Install March 14 Cumulative Update
  • Workaround: Disable "Connected Experiences" in Office Privacy settings

Microsoft's Response

Microsoft has moved with uncharacteristic speed, releasing an out-of-band emergency patch alongside today's scheduled **Patch Tuesday** updates. The fix introduces a new **Agentic Sandbox** that restricts Copilot's ability to make outbound network calls unless specifically authorized via a new "Trusted Domain" policy in the Entra ID (formerly Azure AD) admin center.

Conclusion: The AI Attack Surface

CVE-2026-26144 is a stark reminder that as we integrate AI deeper into our productivity tools, we are expanding the attack surface in ways that traditional EDR (Endpoint Detection and Response) tools are not yet equipped to handle. Organizations must prioritize **AI Governance** and move toward a "Zero Trust" model for agentic permissions before the next generation of AI-discovered zero-days arrives.

Secure Your Stack

Get real-time alerts on AI vulnerabilities and security patches before they hit the headlines.