
This 'fascinating' Microsoft Excel security flaw teams up spreadsheets and Copilot Agent to steal data

2026-03-11 17:30

There's more than one way to skin an Excel table, and this one abuses Copilot.

By Sead Fadilpašić, published 11 March 2026

  • Microsoft's latest Patch Tuesday release fixes 83 flaws
  • Including an Excel bug which enables AI-driven zero-click data theft
  • Update urged to block exfiltration via Copilot assistant

The March 2026 Patch Tuesday release from Microsoft has fixed a high-severity vulnerability in Excel, which combines good old cross-site scripting (XSS) with indirect prompt injection for data exfiltration via Artificial Intelligence (AI).

Since AI gave an old vulnerability a new twist, some security researchers described it as “fascinating” - and it being a “zero-click” attack didn’t help, either.

In its security advisory, Microsoft described the bug as an “improper neutralization of input” vulnerability which happens during web page generation, allowing unauthorized attackers to disclose information over a network. It is now tracked as CVE-2026-26144 and was given a severity score of 7.5/10 (high).


Patches and workarounds

The bug revolves around Excel improperly neutralizing input. Usually, when a threat actor sends an Excel file containing a malicious link or similar, the program should neutralize that input by removing the link or deleting malicious content. However, since the program doesn’t do it properly, the input can get executed even if the victim doesn’t actually open the file, but rather just views it in the preview pane.

Now, we add AI to the mix. Newer versions of Excel come with Microsoft’s GenAI assistant, Copilot. If the malicious input tells the AI to exfiltrate sensitive data to a third-party server, and Excel doesn’t neutralize it in time, the task can get executed even from the preview pane.

The best way to go about it is to simply deploy the update. However, if you can’t do that immediately, you could restrict outbound traffic from Office applications and keep a close eye on network requests from Excel processes. Disabling Copilot Agent could help, as well.
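As an added illustration of the "keep a close eye on network requests from Excel processes" workaround (not code from Microsoft or from the article), the sketch below filters records shaped like Sysmon Event ID 3 network-connection events and reports outbound connections initiated by `EXCEL.EXE` to hosts outside an allowlist. The allowlist suffixes, the install path and the sample events are assumptions constructed for the example.

```python
import ntpath

# Assumption: placeholder allowlist; replace with your approved Microsoft 365 endpoints.
ALLOWED_SUFFIXES = ("office.com", "microsoft.com")
# Assumption: a typical install path, used only to build the constructed sample.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample records shaped like Sysmon Event ID 3 (network connection).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": EXCEL, "Initiated": "true",
     "DestinationHostname": "www.office.com", "DestinationIp": "198.51.100.10", "DestinationPort": 443},
    {"EventID": 3, "Image": EXCEL, "Initiated": "true",
     "DestinationHostname": "exampleoffice.com", "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"EventID": 3, "Image": EXCEL, "Initiated": "true",
     "DestinationHostname": "", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\chrome.exe", "Initiated": "true",
     "DestinationHostname": "collector.example.net", "DestinationIp": "203.0.113.40", "DestinationPort": 443},
    {"EventID": 3, "Image": EXCEL.lower(), "Initiated": "true",
     "DestinationHostname": "collector.example.net", "DestinationIp": "203.0.113.40", "DestinationPort": 443},
    {"EventID": 3, "Image": EXCEL, "Initiated": "false",
     "DestinationHostname": "peer.example.org", "DestinationIp": "192.0.2.7", "DestinationPort": 49800},
]

def host_allowed(hostname, suffixes=ALLOWED_SUFFIXES):
    """True only for an allowlisted domain or a subdomain of one.

    Matching on a label boundary stops look-alikes such as
    'exampleoffice.com' from passing a naive endswith('office.com') test.
    """
    host = (hostname or "").rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def flag_excel_egress(events):
    """Return (destination, port) for outbound Excel connections off the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 3 or str(ev.get("Initiated")).lower() != "true":
            continue  # only connections the process itself initiated
        if ntpath.basename(ev.get("Image", "")).lower() != "excel.exe":
            continue  # only the Excel process
        if host_allowed(ev.get("DestinationHostname")):
            continue
        # Unresolved hostnames are reported by IP rather than silently skipped.
        dest = ev.get("DestinationHostname") or ev.get("DestinationIp")
        findings.append((dest, ev.get("DestinationPort")))
    return findings

if __name__ == "__main__":
    for dest, port in flag_excel_egress(SAMPLE_EVENTS):
        print(f"review: EXCEL.EXE -> {dest}:{port}")
```
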

While this bug grabbed all the headlines, it’s not the only one being addressed in this month’s patch. In fact, Microsoft cleaned up a total of 83 vulnerabilities, including eight that the software-maker deemed critical.


Via The Register
