Claude’s Office Add-ins place a Claude task pane alongside your Word, Excel, and PowerPoint documents and let the model read, edit, and act on the open file in place. With the May 2026 general-availability rollout the add-ins became installable on every paid Claude plan, so we took a look at how they actually behave under the hood. A few things stand out:
Read on for these findings and a few other things worth noticing.
Anthropic launched Claude integrations for Microsoft Word, Excel, and PowerPoint in May 2025, and with the May 2026 general-availability rollout the add-ins became installable on every paid Claude plan. Each integration runs as an Office task-pane add-in: a Claude panel sits alongside the open document, reads its contents, and can edit cells, draft slides, or rewrite paragraphs in place. A cross-app “Office Agents” mode coordinates across the three.
The add-ins land in a natural workflow position. Rather than switching tabs and pasting content between a chat window and your file, the assistant sits in a side panel next to the open document. Day-to-day uses are what you’d expect: refining a Word draft, summarizing a memo, generating a financial model in Excel, restyling a PowerPoint deck. The Office add-ins also support the Claude connectors familiar from the broader Claude ecosystem (Slack, Gmail, Calendar, and others), so the assistant can reach out to external services from inside the document. Worth noting: the target audience here is non-technical. Knowledge workers, analysts, consultants, salespeople, the people who live in Word, Excel, and PowerPoint, not developers or security engineers.
We’ve spent some time looking at the add-ins from a security standpoint and shared the findings below with Anthropic under responsible disclosure. Anthropic’s position is that the behaviors are working as designed. We don’t dispute that framing. What we believe is that the operational consequences are not well understood by typical end users (especially those with a non-technical background, who don’t tend to have a security perspective in mind when they’re using the product), and that monitored environments (regulated industries, organizations with strict DLP postures, anyone with M365 audit obligations) should look carefully at how these add-ins behave before authorizing them against sensitive material.
To see why, follow what actually happens when a user sends a prompt.
api.anthropic.com/v1/messages. If it does, the call is routed through mcp-proxy.anthropic.com to the external connector, which performs the action and returns a tool result that the inference API folds back into the final response. Both api.anthropic.com and mcp-proxy.anthropic.com are Anthropic-operated infrastructure.Two distinct Anthropic-operated endpoints are involved. The first is api.anthropic.com/v1/messages, the standard Anthropic inference API: the task pane assembles a JSON request body containing the system prompt, the conversation history, your prompt, the tools available to Claude, and a description of the open document, then POSTs it. The second is mcp-proxy.anthropic.com/v1/mcp/<server-id>, Anthropic’s MCP proxy: when the model decides to invoke a connector tool, the call routes through this proxy on its way to the third-party service. The proxy is Anthropic infrastructure, not the connector vendor’s.
Anyone with developer tools attached to the Office WebView can observe both POSTs and inspect their bodies. On Mac, defaults write com.microsoft.Word OfficeWebAddinDeveloperExtras -bool true enables Safari’s Web Inspector. Everything that follows came from watching this traffic.
The most consequential thing in that traffic is what api.anthropic.com/v1/messages carries on every prompt.
When you open a Word document and send any prompt, the request body to api.anthropic.com/v1/messages includes a <doc_state> block in the user-message content. That block contains the entire text of the document as plain text. Not a summary, not a relevant slice. The whole thing.
We confirmed this with a deliberately neutral test: a Word document with five sentinel values planted across eight sections, including a random-string canary in the last paragraph. We sent the prompt What's 47 times 23? Every one of the five sentinels appeared in the request body, including the canary at the very end of the document. The math prompt has zero topical overlap with the document content. The entire document body was uploaded anyway.
Excel and PowerPoint behave differently. Their first-prompt request bodies contain only metadata: sheet names, max row/column counts, slide IDs, layout names. Actual content is fetched on demand via follow-up tool calls (get_range_as_csv for Excel, read_slide_text for PowerPoint) only when the prompt requires it. Asking What's 47 times 23? in Excel against a confidential workbook ships zero cell content; asking the same question in Word ships the entire document.
Security teams have spent years training users not to paste API keys, customer records, or source code with secrets into LLM chat windows. The intuition users have internalized is that the prompt box is the channel out to the model vendor. What no one has been trained to consider is that simply having a document open while a Claude task pane is active does the same thing as pasting that document into the chat box. The act of using the assistant against the document, no matter how innocent the prompt, sends the whole document. A user can open a 60-page customer contract, a quarterly board deck, a clinical record, or an internal incident postmortem, ask Claude something completely innocuous, and the entire file body is on its way to Anthropic before the response renders.
There is no chat-side indicator that the document is being included, no preview of what’s about to leave the environment, no warning that the egress just occurred. And this traffic is invisible on both sides. It does not touch any Microsoft endpoint, so Purview, the Compliance API, and M365 audit logs never see it. And per Anthropic’s own help center, “Claude for Word/Excel/PowerPoint does not inherit custom data retention settings your organization might have set, and isn’t included in Enterprise audit logs or the Compliance API at this time” – so Claude Enterprise admins don’t see it either. The data leaves, and neither your M365 compliance stack nor your Claude Enterprise audit logs record that it left.
The data then sits on Anthropic’s backend for at least 30 days. The Office add-in help articles state a 30-day window unconditionally, but Anthropic’s separate August 2025 consumer privacy policy describes a five-year retention window with training-data inclusion for Pro and Max users who have “Help improve Claude” enabled, and the two policies are not reconciled for the add-ins. In the worst case, the body of every confidential document a Pro or Max user opens with the Word task pane active is retained for five years and incorporated into a future model’s training corpus – with no record of it on either Microsoft’s or Anthropic’s audit side.
That covers the document-egress side. The next question is what Claude is actually allowed to do with that document once Anthropic has it.
Every request to api.anthropic.com/v1/messages includes the full system prompt in plain text. Excel’s and PowerPoint’s prompts contain a section titled “Limitations – What You Cannot Do” – Anthropic’s stated way of keeping the add-ins from reaching outside the document:
You do NOT have the ability to: - Create or provide downloadable files (VBA, macros, etc.) - Send emails or messages - Connect to external APIs or live data feeds
The intent is clear: Excel and PowerPoint shouldn’t send emails or talk to external services. But the same request body that contains this block also attaches the user’s account-level MCP connectors – Gmail create_draft, Google Calendar create_event, Slack slack_send_message – to the tools array. The boundary is a soft instruction to the model, not a request-layer filter. A single natural follow-up such as don't you have a calendar connector? causes Claude to search its tool registry, find the connectors that were always present, and proceed.
Anthropic’s position is that the “Limitations” text is product guidance, not a security control. The practical takeaway: the system-prompt restrictions should not be relied on for any trust judgment about what the add-ins can or cannot do.
For organizations evaluating the Claude Office add-ins, here are the realities to plan around.
The document body is leaving M365, and no audit log records it. On Word, on every prompt, regardless of relevance. On Excel and PowerPoint, when Claude reads content (most non-trivial prompts). The destination is Anthropic’s API, not a Microsoft endpoint, so Purview / Compliance API / E5 audit do not see this traffic. Anthropic’s own help center confirms the add-ins are also not included in Claude Enterprise audit logs or the Compliance API. Retention is at least 30 days, possibly five years with training inclusion for Pro and Max users who have “Help improve Claude” enabled.
System-prompt language is not a security boundary. Connectors are present in the request regardless of what the model says about its capabilities in chat.
Account-level connectors are surface-wide. If your organization has any MCP connector enabled at the Claude.ai account level for any purpose, that connector is available from the Office add-ins.
The asymmetry across Word vs Excel/PowerPoint is real. Don’t assume the data-handling posture you’ve observed in one add-in transfers to another.
The Claude Office add-ins are powerful, and for many workflows they’re meaningfully useful. The architectural details described above are not bugs; Anthropic has confirmed they are working as intended. Most are gestured at in the support documentation. What we wanted to surface in one place is the operational reality of how the add-ins behave, where the data goes, and where the user-facing model behavior does and does not correspond to actual technical constraints. The picture that emerges once you watch the traffic is meaningfully different from the one a user assembles from the product UI and the support documentation alone.
If you’re using the Office add-ins today and want to understand what’s leaving your environment, the Web Inspector setup described above takes about five minutes and shows you everything we showed you here, against your own documents.
Wanna learn more about Claude ecosystem security? Visit claudesec.ai for guidance on the broader Claude surface, and review individual Claude connectors before you authorize them against your account.
At Pluto, we help organizations adopt AI-powered features like Claude’s Office add-ins securely, so you can move fast on innovation without putting your sensitive data at risk. Want to learn more? Contact us at info@pluto.security.
