Microsoft 365 Android Apps Had a Critical Token Theft Flaw—Here's What You Need to Do

What Happened: A Token Theft Vulnerability in Microsoft 365 Android Apps

The Microsoft 365 Android token theft vulnerability is a software flaw in which a leftover debug setting disabled the normal security checks, so any app on the same device could request and receive Microsoft account tokens without user consent, potentially exposing email, files, calendars, and other data to silent, unauthorized access. Microsoft 365 Android apps share sign-in tokens so you do not have to log in again when moving between Word, Excel, PowerPoint, and other tools. That sharing is supposed to stay inside trusted Microsoft apps. Enclave researchers found that a debug flag, setIsDebugMode(true), had been left on in production builds, skipping the check that blocks untrusted apps. Because the issue lived in a shared Microsoft SDK, it affected six apps at once, creating a broad Microsoft 365 Android security problem until Microsoft released an Android app security patch.

Which Apps Were Affected and What Was Exposed?

The token theft vulnerability affected six Microsoft 365 Android applications: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. These apps use FOCI (Family of Client IDs) refresh tokens to keep you signed in across the Microsoft 365 ecosystem. With the debug flag enabled, any other app installed on the same Android device could ask for those tokens and get them, bypassing passwords, login screens, or Android permission prompts. Once stolen, tokens could grant access to Outlook email, OneDrive or SharePoint files, calendar entries, documents, or Copilot-powered workflows, depending on the account’s entitlements. Because FOCI tokens can be refreshed and reused over long periods, attacker activity could blend into normal traffic and stay hard to spot in sign-in logs. According to Enclave, a malicious app already on the device was enough to exploit this local spoofing flaw.
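The following is an added, illustrative model of the cross-app token hand-off check the two sections above describe; it is not Microsoft's SDK code and does not reproduce it. The package names, certificate digests, the Caller type and the function names (vulnerable_handoff, hardened_handoff, validate_release_config) are constructed for the example. It places a check that honours a debug flag next to one that has no runtime bypass, and adds the startup guard that would have rejected a release configuration with the flag still set.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed allowlist of callers permitted to receive shared tokens:
# package name -> SHA-256 hex digest of the signing certificate. On Android a
# broker would read the caller's certificate from PackageManager; here the
# digests are derived from placeholder strings so the example runs offline.
TRUSTED_CALLERS = {
    "com.example.office.word": hashlib.sha256(b"placeholder-word-release-cert").hexdigest(),
    "com.example.office.excel": hashlib.sha256(b"placeholder-excel-release-cert").hexdigest(),
}


@dataclass(frozen=True)
class Caller:
    """Identity of the app asking the broker for a token (constructed fields)."""
    package: str
    cert_sha256: str


def caller_is_trusted(caller: Caller) -> bool:
    """True only if the package is allowlisted AND its signing cert matches.

    Checking the certificate rather than just the package name is what
    defeats a locally installed app that reuses a trusted package name.
    """
    expected = TRUSTED_CALLERS.get(caller.package)
    if expected is None:
        return False
    return hmac.compare_digest(expected, caller.cert_sha256)


def vulnerable_handoff(caller: Caller, debug_mode: bool) -> bool:
    """Hand-off check with a debug bypass (the class of flaw in the article).

    When debug_mode is True the allowlist is never consulted, so any package
    on the device is handed the token. Shipping a build with the flag set is
    the entire bug; the allowlist itself is fine.
    """
    if debug_mode:
        return True
    return caller_is_trusted(caller)


def hardened_handoff(caller: Caller) -> bool:
    """Hand-off check with no runtime bypass: the allowlist is always enforced.

    Test builds should carry test-signed entries in the allowlist instead, so
    there is no flag that can be left on by mistake.
    """
    return caller_is_trusted(caller)


def validate_release_config(config: dict) -> None:
    """Startup/CI guard: refuse to run a release build with debug mode enabled.

    This is the check that catches a leftover debug flag before it reaches
    users. `config` is a constructed dict standing in for build settings.
    """
    if config.get("build_type") == "release" and config.get("debug_mode", False):
        raise RuntimeError("debug_mode must be False in a release build")


if __name__ == "__main__":
    rogue = Caller("com.example.rogue", "00")
    print("vulnerable, debug on :", vulnerable_handoff(rogue, debug_mode=True))   # True: token leaks
    print("vulnerable, debug off:", vulnerable_handoff(rogue, debug_mode=False))  # False
    print("hardened             :", hardened_handoff(rogue))                      # False
```

The point of validate_release_config is that a bypass intended for development must be impossible to ship, not merely documented as "remember to turn it off": wire an equivalent assertion into the release build pipeline and the unit tests of any SDK that brokers credentials between apps.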

How Microsoft Responded: Patches and CVEs You Should Know

Microsoft addressed the token theft vulnerability through an Android app security patch released on May 12 as part of its broader updates. The company assigned four CVEs, all classed as spoofing under improper access control (CWE-284): CVE-2026-41100 for Microsoft 365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 for Excel and related Office configurations. NVD lists Word for Android build 16.0.19822.20190 as the patched version, with earlier builds affected; the other applications received fixes via Google Play updates on the same timeline. Loop and OneNote were also vulnerable but did not receive separate CVEs in the May batch. There is no public evidence so far that the token theft vulnerability was exploited before the patch. However, the disclosure of setIsDebugMode(true) on June 2 means details are now available to attackers as well as defenders.

What Individual Users Should Do Now

If you use Microsoft 365 on Android, treat this as a priority security cleanup. First, open Google Play and update Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot to the latest versions; do not keep any of them on older builds such as Word before 16.0.19822.20190. Next, review installed apps and remove anything you do not recognize or no longer need, focusing on apps that had access while your Microsoft 365 apps were outdated. Then sign out and sign back in to your Microsoft 365 account on mobile and web to force fresh tokens. Finally, review connected app permissions and account access in your Microsoft 365 or Microsoft account portal, revoking any third-party apps you do not use. Enable multi-factor authentication and alerts for sign-in activity to reduce the impact if stolen tokens were already abused.

Guidance for IT Teams: Verification, Revocation, and Governance

IT and security teams should verify that all managed Android devices have received the relevant Microsoft 365 Android security updates. Use your MDM or EMM platform to enforce Google Play updates for Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot, and confirm no devices remain on versions earlier than the patched builds (for example, pre-16.0.19822.20190 for Word). For higher-risk accounts that used affected apps before May 12 alongside untrusted or loosely governed Android apps, revoke refresh tokens and force reauthentication; FOCI refresh tokens can outlive app updates, so patching alone does not invalidate tokens attackers may already hold. Examine sign-in and OAuth consent logs for unusual patterns, such as mobile sign-ins tied to unexpected device identifiers or app IDs. Finally, tighten Android app governance policies, limiting third-party installations on devices that access Microsoft 365 and aligning mobile controls with your broader identity protection strategy.
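As an added example, not part of the original article, here is a small triage script that runs the sign-in review described above over constructed Microsoft Entra sign-in records. The field names follow the Microsoft Graph signIn resource (appId, clientAppUsed, deviceDetail.deviceId, status.errorCode); every user name, device ID, application ID and timestamp is made up, the managed-device inventory is assumed to come from your MDM, and the application IDs are placeholders to be replaced with the real client IDs seen in your tenant's logs.

```python
from datetime import datetime, timezone

# Constructed Entra ID sign-in records. Field names follow the Microsoft Graph
# signIn resource; every value below is made up for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-20T08:10:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-word-placeholder", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"deviceId": "dev-alice-pixel", "operatingSystem": "Android"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-02T23:41:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-word-placeholder", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"deviceId": "", "operatingSystem": "Android"},   # unregistered device
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-05T12:00:00Z", "userPrincipalName": "bob@example.com",
     "appId": "app-unknown-placeholder", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"deviceId": "dev-bob-galaxy", "operatingSystem": "Android"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-06T09:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": "app-word-placeholder", "clientAppUsed": "Browser",
     "deviceDetail": {"deviceId": "", "operatingSystem": "Windows"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-07T09:00:00Z", "userPrincipalName": "bob@example.com",
     "appId": "app-unknown-placeholder", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"deviceId": "", "operatingSystem": "Android"},
     "status": {"errorCode": 50126}},   # failed sign-in, ignored below
]

# Assumed MDM inventory: user -> Android device IDs enrolled and managed.
MANAGED_DEVICES = {
    "alice@example.com": {"dev-alice-pixel"},
    "bob@example.com": {"dev-bob-galaxy"},
}

# Placeholder application IDs for the Microsoft 365 mobile apps you expect to
# see; replace with the real client IDs from your tenant's sign-in logs.
EXPECTED_APP_IDS = {"app-word-placeholder", "app-excel-placeholder"}

# Start of the review window; the article's exposure period ends at the
# May 12 patch, so look at activity leading up to and just after it.
WINDOW_START = datetime(2026, 4, 1, tzinfo=timezone.utc)


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_signins(records, managed_devices, expected_app_ids, window_start):
    """Return successful mobile-client sign-ins that do not fit the inventory.

    A sign-in is flagged when it comes from a device ID not enrolled for that
    user (a blank ID means an unregistered device) or from an application ID
    outside the expected set. Both are the "unexpected device identifiers or
    app IDs" pattern the guidance above tells you to look for.
    """
    findings = []
    for rec in records:
        if _parse_ts(rec["createdDateTime"]) < window_start:
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise for this question
        if rec.get("clientAppUsed") != "Mobile Apps and Desktop clients":
            continue  # replay of a mobile refresh token shows up here, not as Browser
        user = rec["userPrincipalName"]
        device_id = rec.get("deviceDetail", {}).get("deviceId") or ""
        reasons = []
        if device_id not in managed_devices.get(user, set()):
            reasons.append("device not in MDM inventory")
        if rec.get("appId") not in expected_app_ids:
            reasons.append("unexpected appId")
        if reasons:
            findings.append({"user": user, "time": rec["createdDateTime"],
                             "appId": rec.get("appId"), "deviceId": device_id,
                             "reasons": reasons})
    return findings


def revocation_candidates(findings):
    """Users whose refresh tokens should be revoked and who must reauthenticate."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    hits = find_suspicious_signins(SAMPLE_SIGNINS, MANAGED_DEVICES, EXPECTED_APP_IDS, WINDOW_START)
    for hit in hits:
        print(hit)
    print("revoke sessions for:", revocation_candidates(hits))
```

For the users the script returns, the revocation step is the Microsoft Graph revokeSignInSessions action on the user (the Revoke-MgUserSignInSession cmdlet in the Graph PowerShell SDK calls the same endpoint), which resets the account's token validity timestamp so that existing refresh tokens, including FOCI tokens obtained before the app updates, stop working and every client has to sign in again.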
