Excel vulnerability lets Copilot silently leak your data
CVE-2026-26144 enables attackers to weaponize Copilot Agent for zero-click data exfiltration from Excel. Patch now.
Microsoft patched CVE-2026-26144 in the March Patch Tuesday release. It's an XSS vulnerability in Excel that allows an attacker to weaponize Copilot Agent mode for data exfiltration — with zero user interaction required.
A specially crafted Excel workbook can trigger Copilot to send sensitive data to an external server. No popup, no warning, no click needed.
Why this matters
Microsoft rated CVE-2026-26144 as Critical despite a CVSS score of 7.5. The reason: the attack surface. Copilot Agent is designed to read, summarize, and act on document content automatically. When that automation gets hijacked, the AI assistant becomes a data exfiltration tool.
For SMB organizations running M365 Business Premium with Copilot enabled, the risk is real. Think finance teams working with sensitive numbers in Excel — exactly the kind of data attackers want.
What you should do
Three steps, in order:
- Verify March patches are installed. Check in Intune or the Microsoft 365 admin center that M365 Apps are updated to the latest version.
- Review Copilot Agent settings. If you're not actively using Agent mode in Excel — disable it until the patch is verified.
- Monitor outbound network traffic from Office processes. Unusual connections from excel.exe should be flagged.
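The third step, flagging unusual connections from excel.exe, as an added example that is not part of the original post or any Microsoft tooling: it runs a simple allowlist check over constructed network-connection records in the shape of Sysmon Event ID 3 summaries. The allowlisted suffixes, internal ranges and sample values are assumptions to be tuned for your own tenant.

```python
import ipaddress

# Constructed sample records (process image, destination host/IP/port), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "graph.microsoft.com", "dest_ip": "192.0.2.10", "dest_port": 443},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "", "dest_ip": "203.0.113.45", "dest_port": 443},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "files.example.net", "dest_ip": "198.51.100.7", "dest_port": 8080},
    {"image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "", "dest_ip": "198.51.100.7", "dest_port": 8080},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "contoso.sharepoint.com", "dest_ip": "192.0.2.11", "dest_port": 443},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "", "dest_ip": "10.0.0.5", "dest_port": 445},
]

# Assumed allowlist: destination suffixes an Excel/Copilot session is expected to talk to,
# plus RFC 1918 ranges for on-prem file servers and proxies. Tune both to your environment.
ALLOWED_SUFFIXES = (".microsoft.com", ".office.com", ".sharepoint.com",
                    ".office365.com", ".microsoftonline.com")
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}

def is_office_process(image: str) -> bool:
    """True if the process image is one of the Office binaries we watch."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in OFFICE_PROCESSES

def destination_is_expected(host: str, ip: str) -> bool:
    """True if the destination matches the allowlist or sits in an internal range."""
    if host and host.lower().endswith(ALLOWED_SUFFIXES):
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def flag_unusual_office_connections(events):
    """Return events where an Office process reached a destination outside the allowlist.
    A bare IP with no hostname outside internal ranges is exactly the kind of connection
    the advisory says to flag."""
    return [ev for ev in events
            if is_office_process(ev["image"])
            and not destination_is_expected(ev["dest_host"], ev["dest_ip"])]

if __name__ == "__main__":
    for ev in flag_unusual_office_connections(SAMPLE_EVENTS):
        print(f"ALERT {ev['image']} -> {ev['dest_host'] or ev['dest_ip']}:{ev['dest_port']}")
```

In production the same logic belongs in your SIEM or Defender hunting queries; this version only shows which fields to key on and how to keep the allowlist explicit.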
How HaggeBurger can help
We offer a quick patch verification (1-2 hours) where we confirm all endpoints have the correct updates. For those wanting a deeper review, we have a Copilot security package covering Agent permissions, data access policies, and governance.
Want us to check your environment? Get in touch.