
Microsoft 365 Android Apps Exposed Tokens to Any Installed App


What the Microsoft 365 Android token flaw means

The Microsoft 365 Android vulnerability is a flaw in which a debug setting in several Microsoft 365 Android apps disabled token security checks, allowing any app installed on the same device to request, receive, and misuse account tokens without user interaction or visible prompts. In normal operation, Microsoft 365 apps share authentication tokens so that users sign in once and move between Word, Excel, PowerPoint, and other tools. A shared Microsoft SDK is supposed to verify that only trusted Microsoft apps can request those tokens. Researchers at Enclave found that a debug call, setIsDebugMode(true), had been left enabled in production builds, which caused that trust check to be skipped. As a result, a malicious app already installed on the device could obtain FOCI single sign-on tokens, silently access email, files, calendars, and documents, and act as the user without the victim ever seeing a password prompt or login screen.


Which Microsoft 365 Android apps were exposed and how the bug worked

The token theft issue affected six major Microsoft 365 Android applications: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. These apps use FOCI (Family of Client IDs) tokens to support single sign-on, so a sign-in to one app grants seamless access to the others. Because setIsDebugMode(true) was left enabled in a shared SDK, the security check that restricts token sharing to trusted Microsoft apps was disabled. Any other app on the same Android device could ask for the signed-in user's token and receive it, with no password prompt, permission dialog, or visible warning. Enclave built a working proof-of-concept third-party app that pulled tokens and then read email from the linked account. Microsoft described these issues as local spoofing flaws under improper access control, since exploitation required a malicious or compromised app already present on the device: the attacker must first get an app installed, but once it is there no special permissions, root access, or further user interaction are needed.

What the May 12 Android security patch fixed

Microsoft released an Android security patch on May 12 that re-enabled the token security checks and closed the unintended trust gap between Microsoft 365 apps and other apps on the device. According to Enclave, the vulnerable logic sat inside a shared Microsoft SDK, so fixing that component removed the flawed behavior across Word, PowerPoint, Excel, OneNote, Microsoft Loop, and Microsoft 365 Copilot. Microsoft issued four CVEs for these local spoofing issues: CVE-2026-41100 for Microsoft 365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 for Microsoft Office, including Word and Excel for Android. NVD lists the patched Android Word build as 16.0.19822.20190, with earlier versions affected. Importantly, the Android security patch stops new token theft but does not automatically invalidate any FOCI refresh tokens that attackers may already have obtained before users updated their apps.

Steps individual users should take now

If you use Microsoft 365 apps on Android, treat this as a priority mobile app security issue. First, open Google Play and update Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot to the latest versions, making sure Word is at or beyond build 16.0.19822.20190. Remove any untrusted or unnecessary apps that might have requested tokens in the background. Because FOCI refresh tokens can outlive an app update, sign out of and back into your Microsoft 365 apps to obtain fresh tokens, especially if your device previously ran vulnerable versions alongside unknown third-party apps. Keep in mind that signing out only clears the tokens cached on your own device; a copy an attacker has already exfiltrated stays usable until it expires or the sessions are revoked on the server side. Review your Microsoft account's recent activity (the Recent activity page for personal accounts, the My Sign-Ins page for work or school accounts) for unfamiliar sign-ins, new devices, or unusual access patterns. If anything looks suspicious, reset your password, enable multifactor authentication, and use your account's sign-out-everywhere option or ask your administrator to revoke your sessions so that stolen tokens cannot be reused.

What IT and security teams should audit and enforce

For IT admins, this Microsoft 365 Android vulnerability is a reminder that Android app governance is now part of Microsoft 365 identity protection. Verify that all managed Android devices run patched builds of Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot, using your MDM's app inventory or the installed versionName reported by the device, and enforce Play Store or enterprise app updates through MDM. Confirm that no devices remain on Word builds earlier than 16.0.19822.20190. Review policies for third-party app installations, especially on unmanaged or loosely managed devices that access Microsoft 365. Examine sign-in and token activity (for example, the Microsoft Entra sign-in logs) for high-risk users who used affected apps before May 12, prioritizing accounts with access to sensitive email, files, or Copilot-powered workflows. Where feasible, revoke existing refresh tokens, for instance with the Microsoft Graph revokeSignInSessions action or the Revoke sessions control on the user's page in the Entra admin center, and require reauthentication. Treat this as a chance to tighten mobile app security baselines and to add Microsoft 365 Android app version checks to your normal patch verification process.
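The build check and token revocation described in the user and admin steps above, as an added example; this is not Microsoft's, Enclave's, or this page's own code. It assumes adb access to the devices being audited, that the Android package names listed in the script are correct (they are assumptions; confirm them with `adb shell pm list packages microsoft`), and that GRAPH_TOKEN holds a Microsoft Graph bearer token permitted to call revokeSignInSessions. Only Word's minimum patched build comes from the page; the other apps are reported for comparison against the latest Play Store release. The dumpsys sample embedded for the demo is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not Microsoft's or Enclave's code): audit Android devices for the
# Microsoft 365 app builds discussed on this page and revoke a user's refresh tokens.
#
# Assumptions:
#   - Package names are assumed; confirm with: adb shell pm list packages microsoft
#   - Only Word has a minimum patched build stated on this page (16.0.19822.20190, per NVD).
#     Other packages get their installed build reported as REVIEW for manual comparison.
#   - revoke_sessions needs GRAPH_TOKEN, a Microsoft Graph bearer token allowed to call
#     POST /users/{upn}/revokeSignInSessions.

PACKAGES="com.microsoft.office.word com.microsoft.office.excel \
com.microsoft.office.powerpoint com.microsoft.office.onenote \
com.microsoft.loop com.microsoft.copilot"

MIN_WORD_BUILD="16.0.19822.20190"

# min_build PKG: prints the minimum patched versionName for PKG, or nothing if unknown.
min_build() {
    case "$1" in
        com.microsoft.office.word) printf '%s\n' "$MIN_WORD_BUILD" ;;
        *) ;;
    esac
}

# version_ge A B: succeeds when dotted numeric version A >= B.
# Missing components count as 0; non-numeric components are not handled.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        if [ "$ap" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bp" = "$b" ]; then b=; else b=${b#*.}; fi
        ap=${ap:-0}; bp=${bp:-0}
        if [ "$ap" -gt "$bp" ]; then return 0; fi
        if [ "$ap" -lt "$bp" ]; then return 1; fi
    done
    return 0
}

# parse_version_name TEXT: prints the first versionName= value from dumpsys package output.
parse_version_name() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1
}

# assess INSTALLED MIN: prints NOT_INSTALLED, REVIEW (no known minimum), PATCHED or VULNERABLE.
assess() {
    if [ -z "$1" ]; then printf 'NOT_INSTALLED\n'; return 0; fi
    if [ -z "$2" ]; then printf 'REVIEW\n'; return 0; fi
    if version_ge "$1" "$2"; then printf 'PATCHED\n'; else printf 'VULNERABLE\n'; fi
}

# check_device SERIAL: one line per package: serial, package, installed build, status.
# adb shell output carries CRLF line endings, so strip the CR before parsing.
check_device() {
    for pkg in $PACKAGES; do
        out=$(adb -s "$1" shell dumpsys package "$pkg" 2>/dev/null | tr -d '\r')
        v=$(parse_version_name "$out")
        printf '%s %s %s %s\n' "$1" "$pkg" "${v:-none}" "$(assess "$v" "$(min_build "$pkg")")"
    done
}

# revoke_sessions UPN: invalidates every refresh token issued to the user through Microsoft
# Graph, forcing reauthentication in all Microsoft 365 apps, including any stolen FOCI tokens.
revoke_sessions() {
    curl -sS -X POST -H "Authorization: Bearer ${GRAPH_TOKEN:?set GRAPH_TOKEN}" \
        -H "Content-Length: 0" \
        "https://graph.microsoft.com/v1.0/users/$1/revokeSignInSessions"
}

# Constructed sample of `dumpsys package com.microsoft.office.word` output (not a real capture),
# trimmed to the lines this script reads; the build is below the patched one.
SAMPLE_WORD_DUMPSYS='Packages:
  Package [com.microsoft.office.word] (3f2a1c9):
    versionName=16.0.19722.20094
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]'

case "${1-}" in
    --device) check_device "${2-}" ;;
    --revoke) revoke_sessions "${2-}" ;;
    *)  # no arguments: demo on the constructed sample
        v=$(parse_version_name "$SAMPLE_WORD_DUMPSYS")
        printf 'demo com.microsoft.office.word %s %s\n' "$v" "$(assess "$v" "$MIN_WORD_BUILD")" ;;
esac
```

Run `sh m365check.sh --device SERIAL` for each serial from `adb devices` to get a per-package status line, and `GRAPH_TOKEN=... sh m365check.sh --revoke user@example.com` after confirming a device ran a VULNERABLE build alongside untrusted apps. The version comparison is done component by component rather than with `sort -V` so the script stays portable to the BusyBox-style shells found on many admin jump hosts.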
