Milik

Microsoft 365 Android Apps Had a Critical Token Theft Flaw—Here’s What You Need to Do


What the Microsoft 365 Android token flaw is and why it matters

The Microsoft 365 Android token flaw is a security issue in which a leftover debug setting in several Microsoft 365 apps disabled the checks that are supposed to stop untrusted apps from receiving account tokens, so any other app on the same device could silently obtain those tokens and reuse them to reach business data. In normal use, Microsoft 365 on Android relies on tokens shared between Microsoft's own apps so that a user signs in once and moves between Word, Excel, PowerPoint and the other apps without re-entering credentials. A development flag, setIsDebugMode(true), left enabled in the shipped builds, turned off the gatekeeper that restricts token sharing to trusted Microsoft apps. As a result, any Android app installed on the device could request those tokens and gain account-level access with no password, no login prompt and no visible permission dialog, a serious vulnerability for organisations that depend on Microsoft 365.


How attackers could use account token theft on Android

In the vulnerable versions, six Microsoft 365 Android apps (Word, Excel, PowerPoint, OneNote, Microsoft Loop and Microsoft 365 Copilot) would hand their FOCI refresh tokens to any other app on the device that asked for them. These tokens underpin single sign-on across the Microsoft 365 app family, so once stolen they could be refreshed and reused for long periods while the resulting traffic looked like routine client activity. Enclave's researchers built an untrusted proof-of-concept app that silently pulled the tokens and then read email from the linked account without any password or sign-in screen. SecurityWeek described how a malicious update to an already installed Android app could request the tokens in the background and send them off the device without showing a new permission prompt. Depending on which Microsoft 365 Android apps were installed, an attacker could reach email, files, calendars, documents, or even Copilot-driven workflows tied to sensitive business processes.
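The two paragraphs above describe a device-side gatekeeper that is meant to check who is asking for the shared refresh token, a debug flag that switches that check off, and a refresh token that keeps working wherever it ends up. The model below is an added illustration, not code from Microsoft's Android SDK or from Enclave's proof of concept: the package names, signing certificates, token strings and method names are constructed for the example, and the signer check is keyed on a certificate fingerprint because that is the general shape of such checks on Android, not because the page says how Microsoft's SDK implements it.

```python
"""Model of the token-sharing gatekeeper and the debug-flag bypass described
above. Added illustration, not code from Microsoft's Android SDK or from
Enclave's proof of concept: the package names, signing certificates, token
strings and method names below are constructed for the example."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of an app's signing certificate (DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


# Stand-ins for the signing certificates of the apps allowed to share the
# family refresh token. Trust is keyed on the certificate, not the package
# name: a package name is not a credential.
FAMILY_CERTS: Dict[str, bytes] = {
    "com.microsoft.office.word": b"constructed-word-signing-cert",
    "com.microsoft.office.excel": b"constructed-excel-signing-cert",
}
TRUSTED_FINGERPRINTS: Set[str] = {cert_fingerprint(c) for c in FAMILY_CERTS.values()}


@dataclass
class Caller:
    package: str
    signing_cert: bytes


@dataclass
class TokenBroker:
    """Device-side holder of the one refresh token shared by the SSO family."""
    family_refresh_token: str
    debug_mode: bool = False  # stands in for the leftover setIsDebugMode(true)
    audit: List[tuple] = field(default_factory=list)

    def is_caller_trusted(self, caller: Caller) -> bool:
        if self.debug_mode:
            # Vulnerable path: debug mode skips the signer check, so every
            # package on the device is treated as a family member.
            self.audit.append(("debug-bypass", caller.package))
            return True
        ok = cert_fingerprint(caller.signing_cert) in TRUSTED_FINGERPRINTS
        self.audit.append(("signer-check", caller.package, ok))
        return ok

    def get_refresh_token(self, caller: Caller) -> Optional[str]:
        """Hand the shared refresh token to a trusted caller; refuse anyone else."""
        return self.family_refresh_token if self.is_caller_trusted(caller) else None


class IdentityService:
    """Toy token endpoint. A refresh token is a bearer credential, so the
    service cannot tell a stolen copy from one presented by its rightful app."""

    def __init__(self) -> None:
        self.valid_refresh_tokens: Set[str] = set()

    def issue_family_refresh_token(self) -> str:
        rt = "rt-" + secrets.token_hex(8)
        self.valid_refresh_tokens.add(rt)
        return rt

    def redeem(self, refresh_token: str) -> Optional[str]:
        """Exchange a live refresh token for a fresh access token."""
        if refresh_token not in self.valid_refresh_tokens:
            return None
        return "at-" + secrets.token_hex(8)

    def revoke_all(self) -> None:
        """What an admin-side session revocation does: outstanding tokens die."""
        self.valid_refresh_tokens.clear()


def simulate(debug_mode: bool) -> Dict[str, bool]:
    """Run one family app and one sideloaded app against the broker and report
    who obtained the refresh token, whether it could be redeemed, and whether
    a stolen copy still works once the tenant revokes the user's sessions."""
    service = IdentityService()
    broker = TokenBroker(service.issue_family_refresh_token(), debug_mode=debug_mode)
    word = Caller("com.microsoft.office.word", FAMILY_CERTS["com.microsoft.office.word"])
    rogue = Caller("com.example.flashlight", b"constructed-attacker-cert")  # sideloaded app

    results: Dict[str, bool] = {}
    for name, app in (("word", word), ("rogue", rogue)):
        rt = broker.get_refresh_token(app)
        results[f"{name}_got_token"] = rt is not None
        results[f"{name}_redeemed"] = rt is not None and service.redeem(rt) is not None

    # Patching the app does not invalidate tokens already copied off the device;
    # only revocation on the identity side does.
    stolen_copy = broker.family_refresh_token
    service.revoke_all()
    results["stolen_copy_usable_after_revoke"] = service.redeem(stolen_copy) is not None
    return results


if __name__ == "__main__":
    print("vulnerable build:", simulate(debug_mode=True))
    print("patched build:   ", simulate(debug_mode=False))
```

With debug_mode=True the sideloaded app receives the same refresh token as Word and can redeem it for access tokens; with debug_mode=False its request is refused because its signing certificate is not on the allow-list. The last line of simulate makes the point the rest of this article turns on: the service only stops honouring the stolen copy once the user's sessions are revoked, not when the app is updated.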

What Microsoft fixed and which app versions are affected

Microsoft fixed the issue in a shared SDK and pushed updated builds of all six affected Microsoft 365 Android apps through Google Play, publishing the advisories on the May 12 Patch Tuesday. According to The Hacker News, Microsoft assigned four CVEs: CVE-2026-41100 for Microsoft 365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 covering Microsoft Office, including Word and Excel for Android. NVD lists the patched Word build as 16.0.19822.20190, with earlier releases vulnerable. Teams uses the same framework but shipped with the debug flag switched off, so it was not affected. Microsoft classified the issue as a spoofing flaw with a local attack vector and improper access control as the underlying weakness, since an attacker first needs a malicious app present on the device. There is no public evidence so far that the bug was exploited before the fix, but the exposure window was wide.

Steps for individual users: verify and secure your Android apps

If you use Microsoft 365 apps on Android, start by updating Word, Excel, PowerPoint, OneNote, Microsoft Loop and Microsoft 365 Copilot from the Google Play Store. Open each app's page and confirm you are on the latest available version; for Word, anything earlier than 16.0.19822.20190 should be treated as unsafe. Turn on automatic updates in the Play Store so future security updates arrive without delay. Next, review your installed apps and remove any you do not recognise or no longer need, especially those sideloaded from outside Google Play. Because a FOCI refresh token outlives an app update, consider signing out of and back into your Microsoft 365 account on any device where you ran the vulnerable builds alongside untrusted apps. Signing out clears the token from the device, but it does nothing to a copy that an attacker has already taken; if you suspect that, ask your administrator to revoke your sign-in sessions so the old token stops working. For accounts handling more sensitive data, enable multi-factor authentication to add another barrier even if a token is misused.

Guidance for IT and security teams managing Microsoft 365 on Android

IT teams should treat this Android app vulnerability as an identity and device governance issue, not just a patching task. Begin by inventorying the affected Microsoft 365 Android apps (Word, Excel, PowerPoint, OneNote, Loop and Microsoft 365 Copilot) across managed fleets and enforcing updated builds through mobile device management. Where possible, block or restrict third-party app installs on devices that access business Microsoft 365 tenants, or require allow-lists. Enclave advises that the patch does not invalidate previously issued FOCI refresh tokens, so for higher-risk users who ran vulnerable versions before May 12 alongside untrusted apps, revoke their refresh tokens and force reauthentication; in Microsoft Entra ID, revoking a user's sign-in sessions does exactly that. Review sign-in logs for unusual access patterns, especially sign-ins attributed to mobile clients that arrive from addresses or platforms the user has not used before, which is how a token replayed off the phone would show up. This incident shows why Android app governance needs to sit next to Microsoft 365 identity controls, particularly as projects like Solara and Copilot expand the role of mobile apps in everyday business workflows.
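The user steps and the IT guidance above come down to three questions: which installed builds are still vulnerable, which users ran one of those builds next to an app that is not on the allow-list and therefore need their tokens revoked, and which mobile sign-ins since the fix look like a replayed token. The script below is an added example that answers all three over constructed data; it is not Microsoft's, Enclave's or any MDM vendor's tooling. The inventory rows and sign-in records are invented, the sign-in field names follow the Microsoft Graph signIn resource, the allow-list is assumed, the fix year is taken from the CVE identifiers, and the only patched build it can check by version is the Word build the article gives, because the page lists no others.

```python
"""Fleet triage for the Android token flaw: which users ran a vulnerable build
next to an untrusted app, and which mobile sign-ins since the fix look odd.
Added example, not Microsoft's, Enclave's or any MDM vendor's tooling. The
inventory rows and sign-in records are constructed; sign-in field names follow
the Microsoft Graph signIn resource, and the only patched build checked is
the Word build the article gives (16.0.19822.20190)."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

AFFECTED_APPS = {"Word", "Excel", "PowerPoint", "OneNote", "Microsoft Loop",
                 "Microsoft 365 Copilot"}
PATCHED_BUILDS = {"Word": "16.0.19822.20190"}  # other apps' builds are not on the page
# Assumed organisational allow-list for devices that reach the tenant.
ALLOWED_APPS = AFFECTED_APPS | {"Microsoft Teams", "Microsoft Authenticator", "Outlook"}
# Fix date per the article (May 12); the year is taken from the CVE identifiers.
FIX_DATE = datetime(2026, 5, 12, tzinfo=timezone.utc)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted build string to a comparable tuple, e.g. 16.0.19822.20190."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(app: str, version: str) -> Optional[bool]:
    """True/False when a patched build is known for the app, None otherwise."""
    patched = PATCHED_BUILDS.get(app)
    if patched is None:
        return None
    return parse_version(version) < parse_version(patched)


# Constructed MDM app inventory: (device_id, user, app, version).
INVENTORY = [
    ("dev-1", "alice@example.com", "Word", "16.0.19722.20000"),  # pre-fix build
    ("dev-1", "alice@example.com", "Flashlight Pro", "3.2"),     # not on the allow-list
    ("dev-2", "bob@example.com", "Word", "16.0.19822.20190"),    # patched
    ("dev-2", "bob@example.com", "Excel", "16.0.19822.20190"),
    ("dev-3", "carol@example.com", "Word", "16.0.19722.20000"),  # pre-fix, trusted apps only
    ("dev-3", "carol@example.com", "Outlook", "4.2"),
]


def triage_inventory(rows) -> Dict[str, Set[str]]:
    """Users who need an update, and the subset who also had an untrusted app
    beside a vulnerable build and so warrant token revocation."""
    devices: Dict[str, dict] = defaultdict(lambda: {"vulnerable": False, "untrusted": False})
    for device, user, app, version in rows:
        d = devices[device]
        d["user"] = user
        d["vulnerable"] |= bool(is_vulnerable(app, version))
        d["untrusted"] |= app not in ALLOWED_APPS
    out = {"needs_update": set(), "revoke_and_reauth": set()}
    for d in devices.values():
        if d["vulnerable"]:
            out["needs_update"].add(d["user"])
            if d["untrusted"]:
                out["revoke_and_reauth"].add(d["user"])
    return out


# Constructed sign-in records shaped like Graph /auditLogs/signIns entries.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-01T08:00:00Z",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.10",
     "deviceDetail": {"operatingSystem": "Android"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-02T09:00:00Z",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.20",
     "deviceDetail": {"operatingSystem": "Android"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-13T09:00:00Z",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.20",
     "deviceDetail": {"operatingSystem": "Android"}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-14T22:13:00Z",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "198.51.100.77",
     "deviceDetail": {"operatingSystem": "Linux"}},  # token replayed off the phone
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def suspicious_mobile_signins(signins, cutoff: datetime) -> List[Tuple[str, str, str]]:
    """Mobile/desktop-client sign-ins at or after cutoff from an IP the user
    never used before it. A crude baseline; tune it with your own telemetry."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for s in signins:
        if parse_ts(s["createdDateTime"]) < cutoff:
            baseline[s["userPrincipalName"]].add(s["ipAddress"])
    flagged = []
    for s in signins:
        if parse_ts(s["createdDateTime"]) < cutoff:
            continue
        if s["clientAppUsed"] != "Mobile Apps and Desktop clients":
            continue
        if s["ipAddress"] in baseline[s["userPrincipalName"]]:
            continue
        flagged.append((s["userPrincipalName"], s["ipAddress"],
                        s["deviceDetail"]["operatingSystem"]))
    return flagged


if __name__ == "__main__":
    print(triage_inventory(INVENTORY))
    print(suspicious_mobile_signins(SIGNINS, FIX_DATE))
```

On the constructed data, alice and carol both still run a pre-fix Word build and need the update, but only alice also had an app outside the allow-list, so only she lands in revoke_and_reauth; her later sign-in from a new address on a non-Android platform is the one the sign-in check flags. To act on revoke_and_reauth in Microsoft Entra ID, call the Graph action POST /users/{id}/revokeSignInSessions (Revoke-MgUserSignInSession -UserId <upn> in Microsoft Graph PowerShell), which invalidates the user's refresh tokens so every app has to sign in again. Apps other than Word return None from is_vulnerable because the article gives no patched build for them; fill PATCHED_BUILDS from the vendor's release notes before relying on it for those.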

