Excel vulnerability weaponizes Copilot — patch now
CVE-2026-26144 allows an attacker to use Copilot Agent in Excel to exfiltrate data without any user interaction.
Microsoft patched CVE-2026-26144 on March 10 — an XSS vulnerability in Excel that allows malicious code embedded in a workbook to activate Copilot Agent mode and send data to an external server. No user interaction required beyond opening or previewing the file.
This is not a theoretical attack. The mechanism works like this: an attacker embeds an XSS payload in an Excel file. When the file is opened — or just previewed — Copilot Agent is triggered to make a network call with data from the workbook. Financial reports, customer lists, budgets. Everything in the file.
Why this matters for SMBs on M365
Most M365 Business Premium customers have Copilot enabled. Many have it configured with agent capabilities that include outbound network access. That means a single malicious Excel file, sent as an attachment or shared via SharePoint, can cause data leakage.
The risk is highest for organizations that:
- Have Copilot Agent mode enabled with outbound network access
- Have not yet deployed the March 2026 Patch Tuesday updates
- Handle sensitive financial data in Excel (i.e. everyone)
What you should do now
Step one: verify that the March security updates are installed on all devices. Check Intune device compliance. If you see devices that haven't reported in since March 10 — follow up.
Step two: review your Copilot Agent configuration. Does Copilot actually need to make outbound network calls? For most SMB customers, the answer is no. Disable agent network egress if it's not actively used.
Step three: remind users not to open unknown Excel files from external senders without verifying the source.
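A concrete way to carry out step one, added here as an example and not part of the original advisory or any Microsoft tooling: a PowerShell script that pulls the managed-device list from Intune through Microsoft Graph, flags devices that have not synced since the March 10 patch release, and reads the locally installed Office Click-to-Run build on the machine it runs on. The Graph cmdlets, scope and properties are real; the cutoff date comes from the advisory; the minimum Office build is a placeholder because the advisory does not state the patched build number, so look it up in the MSRC entry before relying on that check.

```powershell
# Added example (not from the original advisory). Requires the
# Microsoft.Graph.DeviceManagement module: Install-Module Microsoft.Graph
# Cutoff: the March 2026 Patch Tuesday release date given in the advisory.
$PatchCutoff = Get-Date '2026-03-10'

# PLACEHOLDER: replace with the first Office Click-to-Run build that
# contains the CVE-2026-26144 fix, taken from the MSRC entry.
$MinimumOfficeBuild = [version]'0.0.0.0'

function Get-StaleIntuneDevices {
    param([datetime]$Cutoff = $PatchCutoff)

    # Read-only scope is enough; no write permission needed for a check.
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

    # Devices whose last Intune sync predates the patch release cannot have
    # reported the March updates, so they need manual follow-up.
    Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.LastSyncDateTime -lt $Cutoff } |
        Select-Object DeviceName, UserPrincipalName, OSVersion,
                      ComplianceState, LastSyncDateTime |
        Sort-Object LastSyncDateTime
}

function Test-LocalOfficeBuild {
    param([version]$Minimum = $MinimumOfficeBuild)

    # Click-to-Run installs record the reported Office version here.
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                            -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.VersionToReport) {
        return [pscustomobject]@{ Installed = $null; Patched = $false; Note = 'No Click-to-Run Office found' }
    }
    $installed = [version]$cfg.VersionToReport
    [pscustomobject]@{
        Installed = $installed
        Patched   = ($installed -ge $Minimum)
        Note      = if ($installed -ge $Minimum) { 'At or above minimum build' } else { 'Below minimum build: update Office' }
    }
}

# Usage: list devices to chase, then check the local machine.
Get-StaleIntuneDevices | Format-Table -AutoSize
Test-LocalOfficeBuild
```

Run it from an account that holds the read-only Intune role; the stale-device list is the set to chase under step one, and any device whose reported Office build sits below the MSRC-published fix build is still exposed regardless of its Intune compliance state.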
How HaggeBurger can help
We offer a 2-hour quick check where we verify patch status and Copilot configuration in your M365 environment. For a more thorough review of your overall Office security, we do a half-day assessment.
Want us to check your environment? Get in touch.
References: Microsoft MSRC — CVE-2026-26144, BleepingComputer — March 2026 Patch Tuesday