
The Copilot “Silent Snitch”: Why This Month’s Zero-Click Excel Bug Changes Everything


The security community has long warned that the “Agentic AI” revolution would bring a new class of vulnerabilities. This week, we saw the first major realisation of those fears.

As part of the March 2026 Patch Tuesday, Microsoft disclosed a critical flaw (tracked as CVE-2026-26144) that transforms a standard Excel spreadsheet into a silent data-exfiltration tool. What makes this bug different isn’t just the technical exploit, but the “middleman” used to carry it out: Microsoft Copilot.

The Technical Breakdown: XSS Meets AI

At its core, CVE-2026-26144 is a Cross-Site Scripting (XSS) vulnerability within Microsoft Excel. In a traditional scenario, an XSS bug in a productivity app might require a user to click a malicious link or run a macro.

However, in the era of integrated AI, the “user” isn’t always human.

The Attack Chain:

  1. The Bait: An attacker sends a specially crafted Excel workbook.
  2. The Trigger: The victim doesn’t even need to open the file. If the file is processed by the Copilot Agent (for instance, to provide a summary in the preview pane or as part of an automated workflow), the malicious input is triggered.
  3. The Exfiltration: The exploit “coerces” the Copilot Agent—which has legitimate network privileges—to send the workbook’s sensitive data to an external, attacker-controlled server.

Because the AI agent, not the user, is the one making the network request, the exploit slips past many traditional protections against zero-click attacks, which look for unauthorized script execution by the user.

Why This is a “Zero-Click” Nightmare

Most modern security training teaches employees not to “Enable Macros” or “Click Links.” But CVE-2026-26144 is a zero-click information disclosure. The mere act of the system indexing or summarizing the file can be enough to trigger the data leak.

For organizations that have leaned heavily into Copilot for automated document processing and “AI-first” productivity, this represents a significant expansion of the attack surface.

System Plus Analysis: The Hidden Risk of “Agentic” Privilege

This bug highlights a growing friction in IT infrastructure: Agent Privilege. We grant AI agents the ability to read our files, summarize our emails, and access the web so they can be useful. But as CVE-2026-26144 proves, if the AI isn’t properly isolated from “un-neutralized” input, it becomes a high-privileged proxy for attackers.

Immediate Action Plan for IT Managers

If you haven’t yet deployed the March 2026 security updates, your data is at risk. We recommend the following immediate steps:

  • Priority Patching: Treat CVE-2026-26144 as a “Critical” priority, especially for users in Finance, HR, or Legal who handle sensitive workbooks.
  • Egress Filtering: Implement strict host-level firewall rules. Microsoft Office processes (including Excel) should generally not be initiating outbound connections to unknown external IP addresses.
  • Audit Copilot Activity: Monitor for anomalous network requests originating from Office “Agent” services. Look for high-frequency DNS queries to non-standard domains.
  • Disable Previews (Temporary): If you cannot patch immediately, consider disabling the “Preview Pane” in Outlook and File Explorer via Group Policy to prevent the AI from automatically “reading” the malicious files.
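As an added illustration of the egress-filtering and audit items above (not code from the original post or from System Plus), here is a small detection pass over constructed Sysmon-style records: it flags Office processes connecting to hosts outside a placeholder Microsoft allowlist, and Office-originated DNS bursts against a single unfamiliar domain. The Sysmon event shape (Event ID 3 network connection, Event ID 22 DNS query) is real; the process list, the allowlist and every sample value are assumptions.

```python
"""Flag Office processes with unexpected egress or bursty DNS, over constructed
Sysmon-style records (EventID 3 = network connection, 22 = DNS query).
Field names follow Sysmon; all values below are made up for the example."""
from collections import Counter
from pathlib import PureWindowsPath

# Assumed list of Office binaries that should not talk to unknown hosts.
OFFICE_PROCESSES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# Placeholder allowlist: replace with the Microsoft 365 endpoints your tenant uses.
ALLOWED_SUFFIXES = (".microsoft.com", ".office.com", ".office365.com")

OFFICE16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 3, "Image": OFFICE16 + "EXCEL.EXE", "DestinationHostname": "officeclient.microsoft.com", "DestinationPort": 443},
    {"EventID": 3, "Image": OFFICE16 + "EXCEL.EXE", "DestinationHostname": "files.unknown-upload.example", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "files.unknown-upload.example", "DestinationPort": 443},
    {"EventID": 22, "Image": OFFICE16 + "EXCEL.EXE", "QueryName": "outlook.office.com"},
] + [{"EventID": 22, "Image": OFFICE16 + "EXCEL.EXE", "QueryName": f"chunk{i}.unknown-upload.example"} for i in range(6)]


def is_office_process(image: str) -> bool:
    """True when the event's Image is one of the Office binaries of interest."""
    return PureWindowsPath(image).name.upper() in OFFICE_PROCESSES


def is_allowed(hostname: str) -> bool:
    """True when the destination sits under an approved suffix."""
    return hostname.lower().endswith(ALLOWED_SUFFIXES)


def registrable_domain(hostname: str) -> str:
    """Collapse a hostname to its last two labels (sufficient for grouping here)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def unexpected_egress(events):
    """Office process -> non-allowlisted host connections, as (process, host, port)."""
    return [(PureWindowsPath(e["Image"]).name, e["DestinationHostname"], e["DestinationPort"])
            for e in events
            if e["EventID"] == 3 and is_office_process(e["Image"]) and not is_allowed(e["DestinationHostname"])]


def dns_bursts(events, threshold=5):
    """Domains an Office process queried more than `threshold` times, allowlist excluded."""
    counts = Counter(registrable_domain(e["QueryName"]) for e in events
                     if e["EventID"] == 22 and is_office_process(e["Image"]) and not is_allowed(e["QueryName"]))
    return {domain: n for domain, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for hit in unexpected_egress(SAMPLE_EVENTS):
        print("unexpected egress:", hit)
    for domain, n in dns_bursts(SAMPLE_EVENTS).items():
        print(f"DNS burst: {domain} ({n} queries)")
```

In a real deployment the same two functions would be pointed at forwarded Sysmon or EDR events rather than the inline sample, with the allowlist taken from your tenant's published endpoint list.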

The Bottom Line

The “Excel-to-Copilot” exploit is a wake-up call. We are moving away from an era where “don’t click” was enough. In 2026, the security of our data depends on the boundaries we set for the AI agents working on our behalf.

Stay Secure. For assistance with automated patch management or AI security auditing, contact System Plus.


Author

Richard Eborall

With over 20 years of experience in the IT industry, Richard is a Microsoft specialist and trusted advisor to businesses. He writes with a focus on practical, jargon-free guidance to help people get the most from their technology, whether they’re managing a team, running a business, or just trying to stay connected.
