What the Microsoft 365 Android Token Vulnerability Is
The Microsoft 365 Android vulnerability is a security flaw in several Microsoft 365 mobile apps where a leftover debug flag disabled normal token validation, allowing any other app on the same device to request and receive Microsoft account tokens without user interaction or additional permissions, potentially granting silent access to email, files, calendars, and messages. This app security flaw centers on how Microsoft 365 apps share sign-in tokens so users can move between Word, Excel, PowerPoint, and related tools without logging in again. A development setting called setIsDebugMode(true) was mistakenly left enabled in production within a shared Microsoft SDK, bypassing the check that should restrict tokens to trusted Microsoft apps. Because these tokens are FOCI (Family of Client IDs) refresh tokens, an attacker with a malicious app could gain long-lived access that looks normal in logs and leaves no visible sign on the device.

Which Microsoft 365 Android Apps Were Affected and How
The flaw hit six heavily used Microsoft 365 Android apps: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. These apps intentionally share authentication tokens so users sign in once and stay connected across the suite. The problem was that the debug flag removed the safeguard that limits token sharing to trusted Microsoft apps, opening the door for account token theft by any other installed app. Enclave researchers Yanir Tsarimi and Ofek Levin demonstrated a proof-of-concept where an unverified third-party app pulled tokens and read email without a password, login screen, or suspicious Android permission prompt. Microsoft classified the issue as a local spoofing flaw based on improper access control, because the attack path starts with a malicious or compromised app already present on the device rather than a remote exploit delivered from outside.
What Microsoft’s Patch Changes and the Limits of the Fix
Microsoft issued an Android security patch for the affected apps on May 12, restoring the token validation that restricts access to trusted Microsoft 365 apps only. According to Enclave, the vulnerable code lived inside a shared Microsoft SDK, so fixing that logic and shipping updated app builds closes the Microsoft 365 Android vulnerability across the suite. Four CVEs describe the issue: CVE-2026-41100 for Microsoft 365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 covering Word and Excel for Android. However, the patch does not retroactively invalidate FOCI refresh tokens that may have been stolen before devices updated. Those tokens can be refreshed and reused over long periods, with resulting traffic that blends into normal sign-in patterns. That means organizations must combine app updates with identity actions like token revocation to fully cut off any silent access already granted.
Immediate Steps for Individual Users on Android
For individual users, the first priority is to install the latest updates for all affected Microsoft 365 apps on Android: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. Use Google Play to apply the Android security patch; for Word, NVD records show fixed builds starting at 16.0.19822.20190, with earlier versions vulnerable. After updating, review your app list and uninstall untrusted or unnecessary apps, since this attack depends on another app requesting your tokens. Check app permissions, especially for apps that can access the internet, files, or notifications, and disable anything that does not make sense. If you suspect your device ran old Microsoft 365 builds alongside suspicious apps, sign out of Microsoft 365 on that device, then sign back in to refresh tokens. Also consider enabling multi-factor authentication so stolen tokens alone are less useful to attackers.
Guidance for IT and Security Teams Managing Microsoft 365
IT and security teams should treat this Microsoft 365 Android vulnerability as a governance wake-up call for mobile access. Confirm that managed Android devices have received the patched versions of Word, PowerPoint, Excel, OneNote, Microsoft Loop, and Microsoft 365 Copilot, enforcing Google Play updates via mobile device management where possible. TechRepublic notes that exposure is higher on unmanaged or lightly managed devices that allow broad third-party app installation while accessing Microsoft 365. Review mobile app policies, block unverified app sources, and tighten rules around sideloading. Examine sign-in logs for high-risk users who used affected apps before May 12, focusing on unusual access patterns. Because FOCI tokens can survive app updates, consider revoking refresh tokens for accounts that may have shared a device with dubious apps, forcing new sign-ins. Finally, document a playbook that pairs Android app governance with broader Microsoft 365 identity controls.
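An added example, not code from the article or from Microsoft, for the inventory check described above: it triages an MDM app-inventory export against the Word fixed build 16.0.19822.20190 cited in the user guidance and lists the devices whose users' refresh tokens should be revoked after updating. The CSV layout, the device ids and the placeholder fixed builds for the other five apps are assumptions.

```python
# Added example: triage an MDM app-inventory export for Microsoft 365 Android
# builds that predate the token-validation fix. Inventory format is constructed.
import csv
import io

# Minimum fixed build per affected app. Only the Word value is on record (NVD,
# as cited in the article); the rest are placeholders (ASSUMPTION) to be
# filled in from the vendor advisory before real use.
FIXED_BUILDS = {
    "Word": "16.0.19822.20190",
    "Excel": None, "PowerPoint": None, "OneNote": None,
    "Microsoft Loop": None, "Microsoft 365 Copilot": None,
}

def parse_version(v):
    """'16.0.19822.20190' -> (16, 0, 19822, 20190): numeric, not lexical,
    comparison so that 16.0.9999.1 sorts below 16.0.19822.20190."""
    return tuple(int(p) for p in v.strip().split("."))

def status_for(app, version):
    """'patched', 'vulnerable', 'unknown-fixed-build' or 'not-affected'."""
    if app not in FIXED_BUILDS:
        return "not-affected"
    fixed = FIXED_BUILDS[app]
    if fixed is None:
        return "unknown-fixed-build"  # undecidable until the placeholder is filled
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"

def triage(inventory_csv):
    """Map each (device_id, app) pair in the export to a status."""
    return {(r["device_id"], r["app"]): status_for(r["app"], r["version"])
            for r in csv.DictReader(io.StringIO(inventory_csv))}

def devices_needing_revocation(results):
    """Devices that ran a vulnerable build: update the app, then revoke the
    signed-in users' refresh tokens, since the patch alone does not."""
    return sorted({dev for (dev, _), s in results.items() if s == "vulnerable"})

# Constructed sample export, not real telemetry.
SAMPLE_INVENTORY = """device_id,app,version
android-001,Word,16.0.19822.20190
android-002,Word,16.0.19813.20000
android-002,Excel,16.0.19813.20000
"""

if __name__ == "__main__":
    res = triage(SAMPLE_INVENTORY)
    print(res, "revoke tokens for:", devices_needing_revocation(res))
```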