This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data


  • Microsoft's latest Patch Tuesday release fixes 83 flaws
  • Including an Excel bug which enables AI-driven zero-click data theft
  • Update urged to block exfiltration via Copilot assistant

The March 2026 Patch Tuesday release from Microsoft has fixed a high-severity vulnerability in Excel, which combines good old cross-site scripting (XSS) with indirect prompt injection to exfiltrate data via artificial intelligence (AI).

Since AI gave an old vulnerability a new twist, some security researchers described it as “fascinating”, and it being a “zero-click” attack didn’t help, either.

In its security advisory, Microsoft described the bug as an “improper neutralization of input” vulnerability which happens during web page generation, allowing unauthorized attackers to disclose information over a network. It is now tracked as CVE-2026-26144 and was given a severity score of 7.5/10 (high).


Patches and workarounds

The bug revolves around Excel improperly neutralizing input. Usually, when a threat actor sends an Excel file containing a malicious link or similar content, the program should neutralize that input by stripping the link or removing the malicious content. However, since Excel doesn’t do this properly, the malicious input can be acted on even if the victim never actually opens the file, but merely views it in the preview pane.

Now, we add AI to the mix. Newer versions of Excel come with Microsoft’s GenAI assistant, Copilot. If the malicious input tells the AI to exfiltrate sensitive data to a third-party server, and Excel doesn’t neutralize it in time, the task can be carried out even from the preview pane.

The best mitigation is simply to deploy the update. If you can’t do that immediately, you can restrict outbound traffic from Office applications and keep a close eye on network requests from Excel processes. Disabling Copilot Agent could help as well.
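As an added example of the “keep a close eye on network requests from Excel processes” advice (this is not code from the article, Microsoft or The Register), the script below reviews process-level network connection records and flags any made by EXCEL.EXE to a host outside the organisation’s own address ranges. It assumes the records are Sysmon Event ID 3 (NetworkConnect) entries exported as JSON lines with Sysmon’s field names; the four sample records, the file paths, user name, hostnames and the choice of “internal” ranges are all constructed assumptions. Python’s `ipaddress.is_private` is deliberately not used, because it also treats the documentation ranges used in the sample as private.

```python
"""Flag outbound network connections made by Excel to non-internal hosts.

Assumed input: Sysmon Event ID 3 records exported as JSON lines, one record
per line, using Sysmon's field names (Image, User, DestinationIp,
DestinationPort, DestinationHostname, UtcTime). Everything below is a
constructed example, not the article's or Microsoft's code.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample export: four records from one workstation. Backslashes
# are doubled because the lines are JSON inside a raw Python string.
SAMPLE_LOG = r"""
{"UtcTime": "2026-03-10 14:02:11.120", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "User": "CORP\\alice", "DestinationIp": "10.0.4.21", "DestinationPort": 445, "DestinationHostname": "fs01.corp.local"}
{"UtcTime": "2026-03-10 14:02:13.871", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "User": "CORP\\alice", "DestinationIp": "203.0.113.17", "DestinationPort": 443, "DestinationHostname": ""}
{"UtcTime": "2026-03-10 14:02:15.004", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "CORP\\alice", "DestinationIp": "203.0.113.20", "DestinationPort": 443, "DestinationHostname": "mail.example.net"}
{"UtcTime": "2026-03-10 14:03:40.559", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "User": "CORP\\alice", "DestinationIp": "198.51.100.9", "DestinationPort": 80, "DestinationHostname": "cdn.example.org"}
"""

# Address ranges treated as "inside the organisation" (assumed; adjust to your
# own environment). Listed explicitly instead of using ipaddress.is_private,
# which also marks the 198.51.100.0/24 and 203.0.113.0/24 documentation
# ranges used in the sample as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


@dataclass
class Finding:
    """One Excel connection that left the internal ranges."""
    time: str
    user: str
    dest: str
    port: int
    hostname: str


def parse_records(text: str) -> List[dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_excel(image: str) -> bool:
    """True when the process image is EXCEL.EXE, whatever its install path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "excel.exe"


def is_internal(ip: str) -> bool:
    """True when the address falls in one of INTERNAL_NETS (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_excel_egress(records: Iterable[dict],
                      allowed_hosts: Iterable[str] = ()) -> List[Finding]:
    """Return Excel connections to external destinations not on the allowlist.

    allowed_hosts is for destinations you have verified as legitimate Excel
    traffic (cloud services, update hosts); a hit is a triage lead, not proof.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[Finding] = []
    for rec in records:
        if not is_excel(rec.get("Image", "")):
            continue
        ip = rec.get("DestinationIp", "")
        if not ip or is_internal(ip):
            continue
        host = rec.get("DestinationHostname") or ""
        if host.lower() in allowed:
            continue
        findings.append(Finding(rec.get("UtcTime", ""), rec.get("User", ""),
                                ip, int(rec.get("DestinationPort", 0)), host))
    return findings


def main() -> None:
    for f in find_excel_egress(parse_records(SAMPLE_LOG)):
        print(f"{f.time}  {f.user}  EXCEL.EXE -> {f.dest}:{f.port}  "
              f"({f.hostname or 'no hostname'})")


if __name__ == "__main__":
    main()
```

On the constructed sample this reports the two Excel connections to 203.0.113.17 and 198.51.100.9 and ignores the file-share access and the Outlook connection. In practice, feed it a real Sysmon export, populate `allowed_hosts` with the destinations Excel and Copilot are known to use in your environment, and treat anything left over as something to look at alongside whether the user had the file open or merely previewed it.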

While this bug grabbed all the headlines, it’s not the only one being addressed in this month’s patch. In fact, Microsoft cleaned up a total of 83 vulnerabilities, including eight that the software maker deemed critical.

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
