Executive Briefing by Exposure Security • Based on LayerX Research (Feb. 9, 2025)
On February 9, 2026, security firm LayerX published research showing a serious flaw in Claude Desktop Extensions that allows an attacker to take over a user's computer by sending them a calendar invitation containing hidden instructions.
That flaw is one instance of a broader issue: an AI tool that can both read untrusted (e.g. external) content and take actions can be tricked into doing harmful things by hidden instructions embedded in that content.
| Product | What Is It | Risk | Enterprise Controls |
|---|---|---|---|
| Claude Desktop + Extensions | Desktop app + plugin marketplace | Critical | Team/Enterprise plans: central deployment, extension allowlist. Without a plan: no visibility. Shadow IT risk. |
| Claude in Excel | Claude add-in for Excel | High | M365 admin can deploy/block. No audit logs or data retention controls yet. |
| Claude in PowerPoint | Claude add-in for PowerPoint | High | M365 admin can deploy/block. No audit logs or data retention controls yet. |
| claude.ai (website) | Web browser chat interface | Lower | SSO, data retention settings, audit logs (Enterprise plan). |
| Claude API | Developer integration | Varies | You control the implementation. Build your own guardrails. |
Claude Desktop is a standalone application (Mac/Windows) that runs Anthropic's Claude AI locally, separate from the claude.ai website.
Claude Desktop Extensions (DXT) is a plugin marketplace that lets users add capabilities to Claude Desktop (connecting it to Google Calendar, local files, terminal commands, databases, and other tools). Think of it like browser extensions, but for the Claude desktop app.
Claude in Excel / Claude in PowerPoint are Claude add-ins that appear as sidebars in Excel and PowerPoint, respectively. They can read, edit, and create content in your documents.
Claude Desktop + Extensions (Critical): Unlike browser extensions, Desktop Extensions run with full access to the user's computer — files, passwords, terminal commands, everything. LayerX demonstrated that an attacker can take over a computer by sending someone a calendar invitation. When the user asks Claude to "check my calendar," Claude reads hidden instructions in the malicious event and executes them. The user sees nothing suspicious. Anthropic says this is working as designed and will not fix it.
Claude in Excel and PowerPoint (High): Anthropic's own documentation warns: "Only use Claude in Excel with trusted spreadsheets and not spreadsheets from untrusted (e.g. external) sources..." Our testing has identified edge scenarios where Claude in Excel can be manipulated to extract and share sensitive information with bad actors. A malicious spreadsheet emailed to an employee could trick Claude into leaking data or modifying financial models.
Is this just a Claude problem? No. Any AI tool that can read untrusted (e.g. external) content (files, emails, calendar) AND take actions (edit documents, run commands, send data) has this type of risk. This includes Microsoft Copilot, Google Gemini, and OpenAI products when configured with similar capabilities. The common factor is the combination of untrusted (e.g. external) data ingestion plus the ability to perform actions (especially as a privileged user). Evaluate all AI tools in your environment using the same criteria.
If you only read this far:
Claude Desktop is a standalone Mac/Windows application released in late 2024. By itself, it's just a chat interface, similar to the website but running locally. Claude Desktop Extensions (DXT) is a plugin marketplace that adds capabilities to Claude Desktop, such as connecting to Google Calendar, accessing local files, or running terminal commands. The vulnerability requires both: the Desktop app plus extensions that combine untrusted (e.g. external) data access with local execution.
Organizations with Claude Team or Enterprise plans can centrally deploy the app and use an extension allowlist to control which plugins are permitted. But if employees installed it without your organization having a Claude plan, you have no visibility; it's shadow IT.
How to remediate: If you have a Claude Team/Enterprise plan, use the extension allowlist to block risky extensions centrally. The allowlist is managed by organization Owners at Admin settings > Connectors > Desktop tab on claude.ai. If you don't have a Team/Enterprise plan, you must identify affected users via endpoint scan (search for "Claude.app" on Mac or "Claude.exe" on Windows), then either (a) have them uninstall the app entirely, (b) have them manually remove risky extensions from within the app (open Claude Desktop, click the gear icon, select Extensions, and remove extensions that access untrusted (e.g. external) data or execute commands), or (c) block the application via endpoint management tools like Intune or Jamf.
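A starting point for the endpoint scan and allowlist comparison described above, as an added example that is not part of the briefing and is not Anthropic's, LayerX's or any vendor's tooling. It searches the given roots for "Claude.app" / "Claude.exe" (the file names the briefing says to look for), reads the MCP server entries from claude_desktop_config.json (the documented MCP configuration file for Claude Desktop), and reports any server not on an allowlist you supply. The default search roots, the allowlist names and the sample config in the test are assumptions or constructed; marketplace (DXT) extensions may be registered elsewhere on disk, and this script does not inspect that.

```python
"""Inventory helper for the Claude Desktop remediation step.

Added example, not code from the briefing, LayerX or Anthropic. It:
  1. walks the given roots looking for Claude.app / Claude.exe
     (the file names the briefing says to search for);
  2. reads claude_desktop_config.json and lists the MCP servers it
     references (documented MCP config shape: {"mcpServers": {...}});
  3. reports any server whose name is not on a caller-supplied allowlist.
Assumptions: the default search roots below are typical install locations,
not an authoritative list; DXT marketplace extensions may be tracked in
other files that this script does not read.
"""
import json
import os
import sys
from pathlib import Path

TARGET_NAMES = {"Claude.app", "Claude.exe"}


def default_roots():
    """Typical install roots per platform (assumed defaults; adjust to your estate)."""
    if sys.platform == "darwin":
        return ["/Applications", "~/Applications"]
    if sys.platform == "win32":
        return [os.environ.get("LOCALAPPDATA", ""), os.environ.get("PROGRAMFILES", "")]
    return ["~"]


def default_config_path():
    """Documented location of claude_desktop_config.json on macOS and Windows."""
    if sys.platform == "win32":
        return os.path.join(os.environ.get("APPDATA", ""), "Claude", "claude_desktop_config.json")
    return "~/Library/Application Support/Claude/claude_desktop_config.json"


def find_claude_binaries(roots, max_depth=4):
    """Return paths named Claude.app or Claude.exe found under roots (bounded depth)."""
    hits = []
    for root in roots:
        if not root:
            continue
        root = Path(root).expanduser()
        if not root.is_dir():
            continue
        base_depth = len(root.parts)
        for dirpath, dirnames, filenames in os.walk(root):
            here = Path(dirpath)
            for name in list(dirnames):
                if name in TARGET_NAMES:
                    hits.append(str(here / name))
                    dirnames.remove(name)  # .app is a directory bundle; no need to descend
            for name in filenames:
                if name in TARGET_NAMES:
                    hits.append(str(here / name))
            if len(here.parts) - base_depth >= max_depth:
                dirnames[:] = []  # stop descending past max_depth
    return sorted(hits)


def list_mcp_servers(config_path):
    """Parse the mcpServers block; returns [] when the file is absent or unreadable."""
    path = Path(config_path).expanduser()
    if not path.is_file():
        return []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        print(f"warning: could not parse {path}: {exc}", file=sys.stderr)
        return []
    if not isinstance(data, dict):
        return []
    servers = []
    for name, spec in (data.get("mcpServers") or {}).items():
        spec = spec if isinstance(spec, dict) else {}
        servers.append({
            "name": name,
            "command": spec.get("command", ""),
            "args": list(spec.get("args") or []),
        })
    return servers


def flag_unapproved(servers, allowlist):
    """Names of configured servers that are not on the organisation's allowlist."""
    return [s["name"] for s in servers if s["name"] not in allowlist]


def build_report(roots, config_path, allowlist):
    """Machine-readable summary suitable for a SIEM or asset-inventory feed."""
    binaries = find_claude_binaries(roots)
    servers = list_mcp_servers(config_path)
    return {
        "installed": bool(binaries),
        "binaries": binaries,
        "mcp_servers": servers,
        "unapproved": flag_unapproved(servers, set(allowlist)),
    }


if __name__ == "__main__":
    # Usage: python claude_inventory.py [approved-server-name ...]
    print(json.dumps(build_report(default_roots(), default_config_path(), sys.argv[1:]), indent=2))
```

Run it through your endpoint-management tool as the logged-in user (the config file lives in the user's profile), pass the names from your organisation's allowlist as arguments, and collect the JSON output centrally; an "installed": true result on a machine with no Team/Enterprise deployment is the shadow-IT case the briefing describes.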
An Office add-in available through the Microsoft Marketplace. Currently in beta for Pro, Max, Team, and Enterprise plans. It can read entire workbooks, explain formulas, and make changes. IT can deploy or block it centrally via Microsoft 365 admin center (admin.microsoft.com > Settings > Integrated apps). However, Anthropic notes that conversations with Claude in Excel are not currently included in enterprise audit logs.
How to remediate: Your M365 admin can block or remove the add-in centrally via Microsoft 365 admin center (admin.microsoft.com > Settings > Integrated apps). You can also prevent users from installing add-ins themselves. If you keep it enabled, train users never to use it with untrusted data.
Similar to the Excel add-in (a sidebar that can read, edit, and create presentation content). Same marketplace deployment, same enterprise control limitations. Same remediation steps as Excel.
Claude Desktop Extensions are built on the Model Context Protocol (MCP), an open standard Anthropic created to let AI tools connect to untrusted (e.g. external) data sources and take actions. MCP is what allows extensions to access your calendar, files, terminal, and other systems. The vulnerability exists because MCP-connected tools run with full system privileges and Claude can chain them together autonomously.
Anthropic's position is that users are responsible for what extensions they install: "We recommend that users exercise the same caution when installing MCP servers as they do when installing third-party software."
On the Office add-ins, Anthropic acknowledges the risk in documentation but considers it user responsibility to only open trusted files.
In plain terms: Anthropic believes these are user responsibility issues. Do not expect fixes that restrict functionality.
This is not just an Anthropic problem. Any AI tool that can both read untrusted (e.g. external) content and take automated actions has this category of risk. Microsoft Copilot, Google Gemini, and OpenAI products all have versions or configurations with similar capabilities.
The specifics vary by product: what data sources it can read, what actions it can take, what guardrails exist. Claude Desktop's extensions are explicitly documented as running un-sandboxed with full system privileges, which is why they received the most attention in this research.
Review all AI tools in your environment. Ask: Can this tool read files or data (especially from outside our organization)? Can it take automated actions (e.g. editing documents, sending data, running commands)? If yes to both, you have this category of risk regardless of vendor.
| Task | Time | Owner |
|---|---|---|
| Scan for Claude Desktop installs (with endpoint management tools) | 2-4 hours | IT |
| Audit Office add-in deployments (via M365 admin center) | 1-2 hours | IT / M365 Admin |
| Remediate affected installs (uninstall or reconfigure) | 15-30 min each | IT / User |
| Draft user guidance on AI tools and untrusted data | Half day | Security |
| Update AI tools policy | 1-2 days | Security / GRC |
Three Anthropic products (Claude Desktop + Extensions, Claude in Excel, and Claude in PowerPoint) can be tricked by malicious content (calendar invites, spreadsheets, files). Desktop + Extensions is the most dangerous (full system access); the Office add-ins are more contained but still risky. Find out what's installed. For Desktop, remove risky plugin combinations or block entirely. For the Office add-ins, warn users to only use them with trusted data. We haven't seen reports of active exploitation yet, but now that this is public knowledge and the attack is straightforward, we expect attacks have begun.
This briefing is part of Exposure Security's ongoing executive intelligence series. For questions about how this applies to your organization specifically, contact us.