Critical Microsoft Excel bug weaponizes Copilot Agent for zero-click information disclosure attack

Could steal sensitive personal and financial data

Jessica Lyons Tue 10 Mar 2026 // 20:35 UTC

After a whopper of a Patch Tuesday last month, with six Microsoft flaws exploited as zero-days, March didn't exactly roar in like a lion. Just two of the 83 Microsoft CVEs released on Tuesday are listed as publicly known, and none is under active exploitation, which we're sure is a welcome change for sysadmins.

Another eight of the 83 Microsoft CVEs are considered critical, and one of these - to quote Zero Day Initiative chief bug hunter Dustin Childs - is "fascinating." Plus, it's got an AI-attack component, so we're going to start with it.

CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel. This cross-site scripting flaw can be exploited to "cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack," Redmond warned.

Yes, you read that right: a zero-click bug that weaponizes an Excel spreadsheet and the Copilot Agent to steal data. As Childs notes, it's "an attack scenario we're likely to see more often."

This bug requires network access to exploit, but no user interaction and no prior privileges.

"Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records," Action1 CEO and co-founder Alex Vovk told The Register. "If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts."

Patch this one sooner rather than later, and if you must delay patch deployment, Vovk suggests restricting outbound network traffic from Office applications, monitoring unusual network requests generated by Excel processes, and disabling or limiting Copilot Agent until applying the fix.
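Two of the three stop-gaps Vovk lists (restricting Office's outbound traffic and watching what EXCEL.EXE connects to) can be put in place with built-in Windows tooling. The script below is an added example written for this article; it is not code from Microsoft, Action1 or the article's author. It assumes the default 64-bit Microsoft 365 install path for EXCEL.EXE, that Sysmon is installed with network-connection logging (Event ID 3) turned on, and that the list of approved destinations is a placeholder you replace with your own ranges. The function names (Restrict-ExcelEgress, Get-ExcelNetworkConnections, Test-ApprovedDestination) are hypothetical. Limiting Copilot Agent itself is a Microsoft 365 policy setting and is not covered here.

```powershell
# Added example (not from the article, Microsoft or Action1): contain and watch
# EXCEL.EXE network egress while CVE-2026-26144 is unpatched. Run elevated.

# ASSUMPTION: default 64-bit Microsoft 365 install path; adjust for your estate.
$ExcelPath = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'

# ASSUMPTION: placeholder IPv4 ranges Excel is allowed to talk to (e.g. internal
# file servers). Replace with your own hosts or CIDR blocks.
$ApprovedRemote = @('10.0.0.0/8', '192.168.0.0/16')

function Restrict-ExcelEgress {
    # Mitigation 1: block EXCEL.EXE outbound connections to public addresses.
    # Windows Firewall gives Block rules precedence over Allow rules, so scoping the
    # block to the 'Internet' keyword leaves intranet traffic alone.
    # Caveat: this also cuts Excel off from Microsoft 365 cloud features; test first.
    $name = 'Block EXCEL.EXE Internet egress'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $ExcelPath `
            -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function ConvertTo-IPv4Int {
    # Pack dotted-quad bytes into a 64-bit integer so CIDR masks can be compared.
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-ApprovedDestination {
    # True when $Ip falls inside one of the approved CIDR ranges; anything that is
    # not a parsable IPv4 address is treated as not approved.
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $ipBits = ConvertTo-IPv4Int $addr
    foreach ($cidr in $ApprovedRemote) {
        $net, $len = $cidr -split '/'
        if (-not $len) { $len = 32 }
        $mask    = (0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF
        $netBits = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($net))
        if (($ipBits -band $mask) -eq ($netBits -band $mask)) { return $true }
    }
    return $false
}

function Get-ExcelNetworkConnections {
    # Mitigation 2: pull Sysmon Event ID 3 (network connection) records created by
    # EXCEL.EXE and mark each destination as approved or not.
    param([int]$LookbackHours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 3
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="...">value</Data> elements.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Image'] -notlike '*\EXCEL.EXE') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data['User']
            Destination = "$($data['DestinationIp']):$($data['DestinationPort'])"
            Hostname    = $data['DestinationHostname']
            Approved    = Test-ApprovedDestination $data['DestinationIp']
        }
    }
}

# Usage: apply the block, then review anything Excel reached outside the allow-list.
Restrict-ExcelEgress
Get-ExcelNetworkConnections -LookbackHours 24 | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

The firewall rule is deliberately coarse: it blocks EXCEL.EXE from any public address rather than trying to enumerate Copilot endpoints, which is why it should be treated as a temporary measure until the patch is deployed. The Sysmon query is useful on its own even if you do not apply the block, since a spreadsheet-driven exfiltration attempt shows up as an Excel process opening connections to hosts it has no business reaching.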
Two known … but not under exploitation

The two Microsoft bugs listed as publicly known, but not exploited at the time of disclosure, include CVE-2026-26127, an out-of-bounds read issue in .NET that allows an unauthorized attacker to deny service over a network. Despite it being publicly disclosed, Redmond deems "exploitation unlikely."

Plus, CVE-2026-21262, also publicly known, is due to improper access control in SQL Server that allows an authorized attacker to elevate privileges over a network. Microsoft said that this one is "less likely" to be exploited in the wild.

Of the eight critical-rated CVEs, two - CVE-2026-26110 and CVE-2026-26113 - are Office remote code execution bugs that can be triggered via the Preview Pane, meaning a user may not need to fully open a malicious file for an attacker to exploit the system.

Beware the Preview Pane

"When a simple document preview can trigger code execution, attackers gain a doorway directly into the system," Jack Bicer, director of vulnerability research at Action1, told The Register.

As Childs notes, these have become increasingly common over the last year. "It's just a matter of time until they start appearing in active exploits," he said.

CVE-2026-26110 is a type confusion flaw in Microsoft Office that allows a remote attacker to execute code locally. Type confusion occurs when an application accesses a resource using an incompatible data type, causing incorrect memory handling.

CVE-2026-26113 is caused by an untrusted pointer dereference flaw in Microsoft Office, which also allows remote attackers to execute code locally.
"The issue occurs when Microsoft Office improperly handles memory pointers, potentially allowing an attacker to manipulate how the application accesses memory," Bicer said. ®
A critical information disclosure vulnerability in Microsoft Excel, CVE-2026-26144 (CVSS 7.5 HIGH), enables a zero-click attack via weaponized spreadsheets that cause the Copilot Agent to exfiltrate data through unintended network egress. This flaw requires network access but no user interaction, posing a significant risk for the theft of sensitive corporate data from within Excel files. If patching is delayed, mitigation strategies include restricting outbound network traffic from Office applications and disabling or limiting the Copilot Agent.