Copilot as attack vector — Excel flaw enables zero-click data exfiltration
CVE-2026-26144 in Excel can be exploited to make Microsoft Copilot exfiltrate sensitive data without any user interaction.
In the March 2026 Patch Tuesday, Microsoft fixed an XSS vulnerability in Excel (CVE-2026-26144, CVSS 7.5) that opens a new category of attack. An attacker can craft an Excel document that, when opened while Copilot Agent mode is active, causes the AI assistant to send sensitive data to an external server, without the user clicking anything.
A new attack surface
We have discussed AI risks in theory for a while. This is what they look like in practice. The vulnerability combines a classic XSS flaw with Copilot's ability to act autonomously, and the result is that your AI assistant becomes an unwitting insider threat.
The attack requires only that the victim open a malicious Excel document in an environment where Copilot Agent mode is enabled. No further interaction is needed: Copilot executes the instructions embedded in the document as if they were legitimate.
Who is affected?
All M365 customers with Copilot licenses and Agent mode enabled. Many organizations rolled out Copilot quickly without thinking through the security implications. This vulnerability shows why a deliberate policy is needed.
What you should do
Step one: verify via Intune that the March 2026 update is installed on every device. This closes the specific CVE-2026-26144 flaw, but nothing more.
Step two: review your Copilot deployment. Does everyone need Agent mode? If not, restrict it to users with a clear business need, and configure the corresponding policies in the Microsoft 365 Admin Center to control access.
Step three: include AI assistants in your threat model. A document that an agent reads is input the agent may act on, and this will not be the last time we see this type of attack.
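As an added example for step one (not code from the original article or from Microsoft), the following PowerShell script can be used as an Intune detection script: it reads the installed Office Click-to-Run build from the registry and compares it with the minimum build that carries the fix for the device's update channel. The build numbers in `$MinimumFixedBuild` are placeholders, an assumption on our part; replace them with the builds listed in Microsoft's advisory for CVE-2026-26144. The channel GUIDs are Microsoft's documented update-channel identifiers.

```powershell
# Added example: Intune detection script for the March 2026 Office update.
# Exit code 0 = compliant, 1 = non-compliant (the convention Intune detection scripts use).

# ASSUMPTION: placeholder builds. Replace each value with the fixed build that
# Microsoft's advisory for CVE-2026-26144 lists for the corresponding channel.
$MinimumFixedBuild = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = [version]'16.0.0.0'   # Current Channel
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = [version]'16.0.0.0'   # Monthly Enterprise Channel
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = [version]'16.0.0.0'   # Semi-Annual Enterprise Channel
}

$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

if (-not (Test-Path $c2rKey)) {
    # MSI-based Office or no Office at all: cannot verify automatically, so fail closed.
    Write-Output 'Office Click-to-Run configuration not found; review this device manually'
    exit 1
}

$cfg = Get-ItemProperty -Path $c2rKey
$installed = [version]$cfg.VersionToReport

# UpdateChannel is stored as a CDN URL whose last path segment is the channel GUID.
$channelId = ($cfg.UpdateChannel -split '/')[-1].ToLowerInvariant()

if (-not $MinimumFixedBuild.ContainsKey($channelId)) {
    # Unknown or custom channel: do not assume it is patched.
    Write-Output "Unknown update channel '$channelId' (build $installed); review manually"
    exit 1
}

$required = $MinimumFixedBuild[$channelId]

if ($installed -ge $required) {
    Write-Output "Compliant: Office build $installed meets minimum $required for channel $channelId"
    exit 0
}

Write-Output "Non-compliant: Office build $installed is below $required for channel $channelId"
exit 1
```

Deploy it as a detection script (Intune remediations or a custom compliance script) and let the exit code drive the compliance state. The script deliberately fails closed: a device whose channel is unknown or whose Office is not Click-to-Run is reported as non-compliant rather than silently skipped, so the gap shows up in your reporting instead of disappearing.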
How HaggeBurger can help
We offer a Copilot Security Assessment where we review your Copilot configuration, Agent mode policies, and data protection risks. A half-day assessment that gives you a clear picture of your exposure.
Want us to review your Copilot settings? Get in touch.