Cybersecurity March 17, 2026

[Security] Microsoft Patch Tuesday: Weaponizing the AI Copilot via Excel

Dillip Chowdary

Dillip Chowdary

8 min read • Threat Analysis

The March 2026 Patch Tuesday update from Microsoft addresses 84 vulnerabilities, but one stands out as a "harbinger of the agentic threat": **CVE-2026-26144**, a zero-click data exfiltration flaw in Microsoft Excel's Copilot Agent.

CVE-2026-26144: The Indirect Prompt Injection

The vulnerability lies in how **Microsoft Copilot** parses unstructured data within Excel workbooks. An attacker can craft a malicious "formula" or hidden metadata that, when read by the Copilot agent, triggers a series of autonomous actions without user consent.

Because the agent has legitimate "read/write" access to the user's OneDrive and SharePoint environment, the exploit allows for **Zero-Click Data Exfiltration**. The agent is tricked into summarizing sensitive spreadsheet data and "emailing" it to an external domain under the guise of a routine task execution.

Why Traditional DLP Fails

Traditional **Data Loss Prevention (DLP)** systems are designed to flag "suspicious human behavior," such as a user suddenly downloading 1,000 files. However, when the actions are performed by an integrated AI agent like Copilot, the traffic appears as a legitimate "Internal Service Call."

"We are seeing the collapse of the traditional security perimeter," noted a researcher at Mandiant. "If the AI agent is the one moving the data, and the AI agent is trusted by default, then every prompt becomes a potential attack vector."

Critical Vulnerabilities Patched (Mar 2026)

  • - **CVE-2026-26127:** .NET Denial of Service (Publicly Disclosed).
  • - **CVE-2026-21262:** SQL Server Elevation of Privilege (High Severity).
  • - **CVE-2026-26144:** Excel/Copilot Data Exfiltration (Critical).
  • - **Qualcomm Zero-Day:** Actively exploited Android display flaw patched by Google.

Recommendation: Hardening Agentic Workflows

Beyond installing the March update, enterprises are urged to implement **"Human-in-the-Loop" (HITL)** gates for any agentic action that involves external networking. NVIDIA's recently announced **OpenShell** runtime provides a potential solution by sandboxing these agentic sessions in hardware-isolated enclaves.

The era of "set and forget" AI is over. Security teams must now treat AI agents as **privileged insiders** and apply the same zero-trust principles to autonomous code execution as they do to human administrators.