7 min read · Edition #23

Copilot Zero-Click Flaw + Jha Retirement + AI-Found RCE | March 2026

A critical zero-click Copilot vulnerability requires immediate patching. An AI agent discovered a CVSS 9.8 RCE in Microsoft code. And Rajesh Jha — the architect of M365 and Copilot — is retiring after 35 years, triggering the biggest leadership restructure in a decade. Also: Dynamics 365 DMF endpoints are being deprecated.

📋 TL;DR — What You Need to Know

🚨 The Copilot Zero-Click Nightmare (CVE-2026-26144)

If you've deployed Microsoft 365 Copilot, stop reading and patch. Seriously.

Security researchers disclosed a critical XSS vulnerability in Excel that chains with indirect prompt injection to weaponize Copilot Agent. The attack requires zero user interaction — no clicking, no opening suspicious files. The Copilot Agent can be triggered to silently exfiltrate sensitive data from your tenant.

⚠️ The severity: This isn't theoretical. The exploit path is documented and reproducible.

Immediate Actions:

🤖 AI Finds AI's Vulnerabilities (CVE-2026-21536 — CVSS 9.8)

In what might be the most cyberpunk development of 2026: an AI agent discovered a critical RCE vulnerability in Microsoft's Devices Pricing Program. The flaw scores 9.8 on CVSS — about as bad as it gets.

This marks a significant milestone. AI-powered vulnerability discovery is no longer a research curiosity; it's finding critical production bugs that human researchers missed. Expect this trend to accelerate.

What it means: The security landscape is entering a new phase. AI is finding vulnerabilities faster than humans can patch them. Organizations need to think about AI-powered security testing — both as a tool and as a threat vector.

🔴 The Full Patch Tuesday Damage Report

84 total CVEs this month, including some heavy hitters:

| CVE | Impact |
| --- | --- |
| CVE-2026-21262 | SQL Server escalation to sysadmin (yes, sysadmin) |
| CVE-2026-26127 | .NET DoS affecting runtime stability |
| Multiple Office RCEs | Preview-pane exploitable — before you even open the file |
| 2 publicly disclosed zero-days | Not yet actively exploited, but the clock is ticking |

Action Required: Test and deploy updates across all Windows and Office environments this week. Don't let this one slip.

👋 End of an Era: Rajesh Jha Steps Down

After 35+ years at Microsoft, Rajesh Jha announced his retirement, effective July 1, 2026. For M365 professionals, this is seismic.

Jha was the EVP overseeing Windows, M365 Apps, Teams, and Copilot. He was the architect of the modern Microsoft productivity stack. Everything you use daily? He built the team that built it.

"When I think about the pantheon of leaders who have truly shaped this company, Rajesh stands firmly among them." — Satya Nadella

New Leadership Structure:

What it means for you: Watch for potential roadmap shifts. Leadership transitions at this level often bring strategic pivots. We'll be tracking closely.

⚠️ Dynamics 365: DMF Endpoint Deprecation Incoming

Several legacy Data Management Framework endpoints are scheduled for removal later in 2026. If your organization has integrations using these endpoints, start migration planning now — not when the deprecation notice hits your inbox.

Integration teams: Audit your DMF dependencies this month. Microsoft's deprecation timelines have been firm lately.

⚡ Quick Hits

✅ Admin Action Items

🔥 The Bottom Line

This week's theme: the accelerating convergence of AI and security. An AI found a critical vulnerability. A different AI capability (Copilot) is now a verified attack vector. The security landscape is changing faster than most organizations can adapt.

And on the business side, Rajesh Jha's departure marks the end of an era. He built the Microsoft productivity stack that runs most of the enterprise world. Whoever fills that void will shape the next decade of M365.

Your weekend homework: get those patches deployed.

Stay patched, stay sharp. 🔥

Questions about these updates?

Fireside Cloud Solutions can help you audit your Copilot security policies, review patching strategy, and prepare for leadership-driven roadmap changes.

Fireside Cloud Solutions
Microsoft 365 & Power Platform Consulting · firesidecloudsolutions.com
Sources: Microsoft Security Response Center, M365 Admin Center, Microsoft 365 Roadmap, Microsoft Official Blog
That's the Pulse for this week. Questions? Reply to this newsletter or reach out to your Fireside Cloud Solutions contact.