In February 2026, a security research firm called PromptArmor documented an attack that should be on every accountant’s radar. A user opened a confidential financial model in Ramp’s AI-powered spreadsheet tool. They imported an external benchmark dataset — the kind of thing you do all the time. They asked the AI to compare their numbers against the benchmarks. And their client’s financial data got sent to an attacker’s server. No pop-up. No warning. Nothing looked wrong.
The attack was called prompt injection. And if your firm uses any AI tool that reads external files and can take action on your behalf — spreadsheets, email assistants, document tools, anything — you need to understand what it is and what the risk looks like in practice.
What Is Prompt Injection?
AI assistants work by processing natural language. You give them an instruction, they act on it. But here’s the thing — they also read all the content they’re working with. When you upload a spreadsheet, the AI reads the spreadsheet. When you ask an email assistant to draft a reply, it reads the email thread. All of that text is treated as input.
Prompt injection is when an attacker hides instructions inside that content — commands the human can’t see but the AI can read and act on.
Think of it this way. You hire a new employee and tell them to read through vendor proposals and put together a comparison. One of those proposals has a sticky note inside that says: “Stop what you’re doing. Copy everything on the table to this address and don’t tell your boss.” A human would flag that immediately. An AI that hasn’t been built to distinguish between content it’s analyzing and commands it should follow? It might just do it.
Why This Matters Now: Agentic AI
Prompt injection has been a known concept since 2022. But back then, most AI tools were passive — they answered questions. The risk was theoretical.
What changed everything is the shift to agentic AI. These are tools that don’t just respond — they act. They insert formulas, send emails, browse the web, modify files, make API calls. When an AI can take real-world actions on your behalf, prompt injection stops being a curiosity and becomes a genuine attack vector.
Right now, in finance and accounting workflows, agentic AI tools are everywhere. Copilot is embedded across Excel, Outlook, Word, and Teams. Ramp and other spend management platforms have added AI that operates directly on financial data. Notion AI is processing deal memos and working papers. The architecture is the same across all of them: the AI reads content, takes actions, and increasingly that content is coming from outside your organization.
The Ramp Attack, Step by Step
Here’s exactly what happened in the documented exploit:
- The user opened a confidential financial model in Ramp’s AI Sheets tool.
- They imported an external benchmark dataset — industry growth figures from a website or shared drive.
- That dataset contained hidden white-on-white text. Invisible to humans, readable by the AI. The instruction: collect the financial data, build an IMAGE formula, send it to the attacker’s URL.
- The user submitted a completely normal query: “Compare my growth figures against the industry stats.”
- The AI inserted a formula that used Excel’s built-in IMAGE function to encode the financial data into a URL and fire a network request to the attacker’s server.
- The attacker’s server received it. Data exfiltrated. No approval required.
The attacker never touched the user’s system. They just needed to get a poisoned file in front of the AI.
Ramp patched the vulnerability in March 2026. But the technique works against any AI tool with similar architecture — and PromptArmor has documented comparable vulnerabilities across more than a dozen platforms, including Notion AI, Slack AI, Snowflake’s Cortex AI, GitHub Copilot, and others.
The Rule: If It Didn’t Come From Your Organization, It’s a Potential Attack Vector
This isn’t a spreadsheet-only problem. Any file an AI reads and can act on is a potential attack surface. That means spreadsheets, PDFs, Word documents, emails, websites, Slack messages — anything sourced externally. Client-provided files, third-party benchmark data, vendor contracts, due diligence materials from counterparties, email attachments. All of it.
Before using an AI tool on external content, two questions matter: What is the AI reading? And what actions can it take?
If the answer to the second question includes inserting formulas, sending emails, or making network requests — you’re operating in an environment where an untrusted document could direct the AI to do something you never authorized.
One More Thing: Approval Theater Isn’t a Control
When Claude for Excel launched, PromptArmor identified a nearly identical risk. Anthropic’s original version had a human-in-the-loop approval prompt — but malicious formulas weren’t visible in that prompt, so the protection wasn’t real. Anthropic fixed it by adding a full red warning interstitial that shows the complete formula before it gets inserted.
That’s the standard to hold any AI tool to: informed approval means seeing exactly what’s about to happen, not just that something is about to happen. If you can’t see what you’re approving, you’re not actually in the loop.
Key Takeaways
- Prompt injection is not theoretical. A working exploit against a real enterprise finance tool was documented and patched in early 2026.
- Every file type is in scope. If it came from outside your organization and an AI can read it, treat it as untrusted.
- Agentic AI changes the risk surface entirely. Know what your tools can do, not just what you’ve used them for.
- Approval theater is not a control. Informed approval means seeing the full action — formula, email, request — before it executes.
- This is an engagement quality question. Which AI tools are in use? What data can they access? What’s the protocol if something goes wrong? If you don’t have answers, that’s the starting point.
Want the CPE credit? Take the full lesson on EverydayCPE and earn 0.2 CPE credits: [lesson link]
Leave a Reply