Critical Microsoft Excel bug weaponizes Copilot Agent for zero-click information disclosure attack


After a whopper of a Patch Tuesday last month, with six Microsoft flaws exploited as zero-days, March didn't exactly roar in like a lion. Just two of the 83 Microsoft CVEs released on Tuesday are listed as publicly known, and none is under active exploitation, which we're sure is a welcome change to sysadmins.

Another eight of the 83 Microsoft CVEs are considered critical, and one of these - to quote Zero Day Initiative chief bug hunter Dustin Childs - is "fascinating." Plus, it's got an AI-attack component, so we're going to start with it.

CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel. This cross-site scripting flaw can be exploited to "cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack," Redmond warned. 

Yes, you read that right: a zero-click bug that weaponizes an Excel spreadsheet and the Copilot ...


Copyright of this story solely belongs to theregister.co.uk.