Critical Excel Vulnerability Targets Copilot Users
Microsoft has disclosed a critical vulnerability in Excel that can be exploited through the Copilot Agent for zero-click information disclosure, potentially allowing attackers to steal sensitive personal and financial data without any user interaction.
The security flaw was revealed as part of Microsoft's March Patch Tuesday security update, which addressed 83 Common Vulnerabilities and Exposures (CVEs) across Microsoft products. Of these vulnerabilities, two are listed as publicly known, though none are currently under active exploitation according to the disclosure.
March Patch Tuesday Details
This month's security release follows a February Patch Tuesday described as significant, which included six Microsoft flaws exploited as zero-days. By contrast, March's update carries a narrower set of publicly disclosed threats.
The Excel vulnerability specifically involves the Copilot Agent functionality, Microsoft's AI-powered assistant integrated into Office applications. Zero-click attacks are particularly concerning for security professionals because they require no user interaction to execute, so users cannot detect or prevent them by changing their behaviour; applying the fix released in this update is the effective mitigation.
Information Disclosure Risk
The vulnerability is classified as an information disclosure flaw, meaning it could allow unauthorized access to sensitive data stored within Excel files or reachable through the Copilot integration. Personal and financial information would be the primary targets of such attacks, given Excel's widespread use for financial planning, business operations, and data analysis.
Microsoft's Patch Tuesday releases typically address vulnerabilities across the company's product ecosystem, including Windows operating systems, Office applications, and cloud services. The March update's 83 CVEs represent a substantial number of security fixes, though the low count of publicly known vulnerabilities suggests most were identified through internal security research or coordinated disclosure processes.