Microsoft's March 2026 Patch Tuesday disclosed CVE-2026-26144, an information disclosure vulnerability in Excel caused by improper neutralization of input (XSS-class). The flaw enables an attacker to trigger unintended outbound network communication — silently exfiltrating spreadsheet contents — without requiring user interaction or elevated privileges.
The critical concern is how Copilot Agent mode amplifies the impact: when Excel's AI automation is active, the exfiltration can occur through automated agent-driven processing, with no visible user action and no standard DLP signal. An attacker delivers a specially crafted Excel file; Copilot Agent processes it; sensitive data leaves the environment silently.
Blast radius is substantial across enterprise environments where Excel is used for financial, operational, or IP-sensitive workflows and Copilot Agent mode is enabled. The CVSS score of 7.5 understates operational severity because the AI automation layer eliminates the detection signals that normally allow SOC teams to intervene.
Immediate recommendation: Apply March 2026 Patch Tuesday updates. If patching is delayed, disable Copilot Agent mode in Excel and restrict outbound network traffic from Office applications until patched.
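One way to apply the interim "restrict outbound network traffic from Office applications" control is a per-executable Windows Defender Firewall block rule. This is an added example, not code from the advisory; the Office install path and executable list are assumed (64-bit Click-to-Run defaults) and should be adjusted to the deployment.

```powershell
# Added example (not from the advisory): block outbound traffic from Office
# executables until the March 2026 updates are applied. Run elevated.
# Install path and executable names are assumptions; verify them first.
$officeRoot = 'C:\Program Files\Microsoft Office\root\Office16'
$apps = @('EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE')

foreach ($app in $apps) {
    $path = Join-Path $officeRoot $app
    if (-not (Test-Path $path)) {
        Write-Warning "Not found, skipping: $path"
        continue
    }
    $name = "Block outbound - $app (CVE-2026-26144 interim)"
    # Idempotent: only create the rule if it does not already exist
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Program $path `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Verify: show each rule with the program it binds to
Get-NetFirewallRule -DisplayName 'Block outbound - *' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Action  = $_.Action
        Enabled = $_.Enabled
    }
}
```

Block rules take precedence over allow rules, so this stops every outbound connection from the listed executables, including legitimate Microsoft 365 and Copilot traffic; pilot it on a small group and remove the rules with `Remove-NetFirewallRule -DisplayName 'Block outbound - *'` once patching is complete.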