Microsoft’s March 2026 Patch Tuesday included a fix for CVE-2026-26144, a vulnerability that could allow an attacker to manipulate Copilot’s Agent mode in Excel to silently exfiltrate data across a network. For wealth management firms that live and breathe in Excel — building financial models, tracking client portfolios, running scenario analysis — this one deserves immediate attention. The flaw was detailed by BleepingComputer.
The flaw is particularly nasty because it’s a zero-click attack. There’s no dodgy link to avoid or suspicious attachment to ignore. If Copilot is enabled in your Excel environment, the AI assistant itself becomes the attack vector, potentially sending sensitive spreadsheet data to an external endpoint without any user interaction. Microsoft also patched two critical remote code execution flaws (CVE-2026-26110 and CVE-2026-26113) that can be triggered through the Preview Pane in Outlook and other Office apps — meaning simply previewing a malicious document could compromise a workstation.
The Australian Cyber Security Centre has flagged these patches as essential under the Essential Eight framework, and for good reason. Financial services firms operating under APRA CPS 234 obligations have a regulatory duty to maintain the security of information assets, and unpatched systems are a straightforward compliance failure. If your organisation uses Microsoft 365 with Copilot features enabled, prioritise this update immediately.
Beyond patching, it’s worth reviewing whether Copilot’s network access permissions are appropriately scoped in your environment. Not every user needs AI-assisted features with outbound network capability, and limiting that exposure is a sensible layer of defence. All IT Services supports financial services firms with patch management, Copilot configuration, and Essential Eight alignment.
