Full Report
Could steal sensitive personal and financial data

After a whopper of a Patch Tuesday last month, with six Microsoft flaws exploited as zero-days, March didn't exactly roar in like a lion. Just two of the 83 Microsoft CVEs released on Tuesday are listed as publicly known, and none is under active exploitation, which we're sure is a welcome change to sysadmins. …
Analysis Summary
# Vulnerability: Zero-Click Information Disclosure in Microsoft Excel (Copilot Agent Weaponization)
## CVE Details
- **CVE ID:** CVE-2026-26144
- **CVSS Score:** Not stated in the source text; Microsoft rates the flaw "Critical".
- **CWE:** Cross-Site Scripting (XSS) / Logic Flaw leading to Data Exfiltration
## Affected Systems
- **Products:** Microsoft Excel
- **Versions:** March 2026 release cycle (Specific version numbers not listed, applies to versions supporting Copilot Integration)
- **Configurations:** Systems with **Copilot Agent** enabled within Microsoft Excel.
## Vulnerability Description
CVE-2026-26144 is a cross-site scripting (XSS) vulnerability in the integration between Microsoft Excel and the Copilot Agent. An attacker can "weaponize" a spreadsheet so that, when the file is processed, Copilot Agent mode exfiltrates sensitive data through unintended network egress. Unlike traditional XSS, this is described as a **zero-click** attack: the data theft happens silently, without the user interacting with the malicious content or clicking any link.
## Exploitation
- **Status:** Not exploited in the wild (as of March 10, 2026); no PoC currently mentioned.
- **Complexity:** Low (no user interaction and no prior privilege escalation required).
- **Attack Vector:** Network (the data theft depends on outbound network access from the victim's machine).
## Impact
- **Confidentiality:** **High** (Targeted at stealing sensitive personal, financial, and corporate data).
- **Integrity:** Low/None (Primary impact is disclosure).
- **Availability:** Low/None.
## Remediation
### Patches
- **Microsoft March 2026 Security Update:** Users should apply the latest security patches for Microsoft Office and Excel immediately. Refer to the MSRC Update Guide: hxxps://msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-26144
### Workarounds
- **Network Restrictions:** Restrict outbound network traffic originating from Office applications to prevent exfiltration to untrusted domains.
- **Feature Management:** Disable or limit the use of Copilot Agent in Excel until the security patch is applied.
- **Security Monitoring:** Monitor for unusual network requests generated by `excel.exe` processes.
## Detection
- **Indicators of Compromise:** Unusual DNS queries or outbound HTTP/HTTPS traffic from Excel processes to unknown or external endpoints.
- **Detection Methods:**
  - Use EDR/next-gen antivirus to monitor for "unintended network egress" from Office binaries.
  - Audit logs for activation of Copilot Agent on documents that arrived from external or untrusted sources.
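The two detection bullets above amount to one rule: flag network connections made by `excel.exe` to destinations that are not part of the Office/Copilot service baseline. The script below is an added example of that rule, not code from the original report or from Microsoft. The JSON-lines event format, the field names, the sample events and the `DEFAULT_ALLOWLIST` of Microsoft domains are all assumptions; real EDR or Sysmon (Event ID 3) network-connection exports will need their own field mapping.

```python
"""Flag network egress from excel.exe to hosts outside an allowlist.

Added example for the detection guidance in this report; not part of the
original. Log format, field names and the allowlist are assumptions.
"""
import json
from typing import Iterable

# Assumed baseline of domains Excel and Copilot legitimately contact.
# Replace with what your own telemetry shows as normal Office traffic.
DEFAULT_ALLOWLIST = ("office.com", "microsoft.com", "office365.com", "live.com")

# Constructed sample telemetry: one JSON event per line, loosely modelled on
# an EDR network-connection export. The external hostnames are placeholders.
SAMPLE_EVENTS = """\
{"ts":"2026-03-11T09:01:02Z","host":"ws17","proc":"EXCEL.EXE","pid":4120,"dst_host":"graph.microsoft.com","dst_port":443}
{"ts":"2026-03-11T09:01:05Z","host":"ws17","proc":"EXCEL.EXE","pid":4120,"dst_host":"substrate.office.com","dst_port":443}
{"ts":"2026-03-11T09:02:11Z","host":"ws17","proc":"EXCEL.EXE","pid":4120,"dst_host":"files.example-unknown.test","dst_port":443}
{"ts":"2026-03-11T09:02:12Z","host":"ws17","proc":"EXCEL.EXE","pid":4120,"dst_host":"203.0.113.20","dst_port":8080}
{"ts":"2026-03-11T09:03:00Z","host":"ws17","proc":"chrome.exe","pid":5002,"dst_host":"news.example.test","dst_port":443}
"""


def host_allowed(dst_host: str, allowlist: Iterable[str]) -> bool:
    """True if dst_host equals an allowlisted domain or is a subdomain of one.

    The leading-dot check stops look-alikes such as notmicrosoft.com from
    matching microsoft.com.
    """
    h = dst_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowlist)


def find_suspicious_egress(lines: str, allowlist=DEFAULT_ALLOWLIST, process="excel.exe"):
    """Return events where `process` connected to a host outside the allowlist.

    Each finding is the original event plus a 'reason' field, so it can be
    forwarded to a SIEM or reviewed by an analyst as-is.
    """
    findings = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the detector
        if ev.get("proc", "").lower() != process:
            continue
        dst = ev.get("dst_host", "")
        if host_allowed(dst, allowlist):
            continue
        ev = dict(ev)
        ev["reason"] = f"{process} egress to non-allowlisted host {dst}:{ev.get('dst_port')}"
        findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["reason"])
```

Run against the constructed sample, the detector reports the two `EXCEL.EXE` connections to the placeholder external host and to the raw IP, and ignores both the Microsoft service traffic and the browser connection. The allowlist is the part that needs care: Copilot legitimately reaches Microsoft cloud endpoints, so the baseline should be built from observed traffic over a quiet period before the rule is turned into an alert, and hits should be correlated with the Copilot activation audit events mentioned above to cut false positives.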
## References
- **Microsoft Security Response Center (MSRC):** hxxps://msrc[.]microsoft[.]com/update-guide/releaseNote/2026-Mar
- **Zero Day Initiative (ZDI) Analysis:** hxxps://www[.]zerodayinitiative[.]com/blog/2026/3/10/the-march-2026-security-update-review
- **Original Report:** hxxps://www[.]theregister[.]com/2026/03/10/microsoft_excel_copilot_vulnerability/