Microsoft — Excel XSS chains to Copilot Agent for clickless data exfiltration (CVE-2026-26144)
AI relevance: a traditional XSS in Excel executes on file open and chains to Copilot Agent, turning a local content-injection bug into autonomous, clickless data exfiltration — proving that AI assistants amplify the blast radius of every app-level vulnerability.
What happened
- Microsoft patched CVE-2026-26144, a cross-site scripting vulnerability in Excel that triggers when a user opens a malicious spreadsheet — no click needed beyond file open.
- The injected script executes within Excel's trusted context and calls into the Copilot Agent integration, using the agent's authenticated session and file-system access.
- The agent silently sends spreadsheet contents to an attacker-controlled endpoint, bypassing standard DLP controls because the outbound request originates from the AI agent's own network context.
- Organizations that enabled Copilot for Microsoft 365 without tightening egress policies or agent-scoped monitoring are exposed even with up-to-date patches until the update is deployed.
- The attack demonstrates privilege amplification: an XSS that would normally be rated moderate becomes critical when the compromised application has an AI agent running with broader access than the user session alone.
Why it matters
This is the first documented case of a traditional client-side vulnerability chaining to an AI agent for autonomous data theft. As Copilot and similar assistants are embedded across Office apps, every XSS, macro flaw, or document parser bug becomes a potential agent-abuse vector. The industry's vulnerability scoring systems don't yet account for AI-amplified privilege escalation.
What to do
- Deploy the April 2026 Microsoft patch for CVE-2026-26144 immediately.
- Block outbound traffic from Office applications to unclassified endpoints using application-level firewall rules.
- Separate AI-agent-initiated network activity in your monitoring stack and DLP policies — treat agent-originated requests as a distinct trust domain.
- Audit Copilot Agent permissions and scope: restrict which files, data sources, and external endpoints agents can access.
- Reprioritize vulnerability management for AI-enabled applications — a "moderate" XSS in a Copilot-connected app may warrant critical-level response.