
Microsoft 365 Android Apps Hit by Token Theft Flaw


What the Microsoft 365 Android Vulnerability Means

The Microsoft 365 Android vulnerability is a token security flaw where a debug flag in several Microsoft 365 apps disabled checks that should restrict account-token sharing to trusted apps, allowing any other app on the same device to request and receive those tokens without prompts, and then use them to access emails, files, calendars, and other data as the signed-in user. In practice, this meant that if a user had Word, Excel, PowerPoint, OneNote, Microsoft Loop, or Microsoft 365 Copilot installed, a malicious or compromised app on the same Android device could silently pull their authentication tokens. No password entry, login screen, or obvious Android permission dialog would appear. The flaw sat inside a shared Microsoft software development kit, so it repeated across multiple apps until Microsoft released patched builds, which users now need to install.


How the Debug Flag Enabled Account Token Theft

At the core of this Android security flaw was a single line of code: setIsDebugMode(true). That leftover debug setting told the shared Microsoft SDK to skip the check that should block untrusted apps from receiving tokens during cross-app sign-in. Microsoft 365 apps intentionally share authentication so users do not need to sign in again when moving between Word, Excel, PowerPoint, and related tools, but that sharing is supposed to stay within Microsoft’s trusted applications. Enclave’s researchers demonstrated that, with the debug mode active, any app on the device could request these FOCI (Family of Client IDs) tokens and then refresh and reuse them over long periods. Because token refreshes through FOCI are normal behaviour for these apps, Enclave noted that “the resulting traffic looks routine in logs,” giving defenders few obvious clues. A malicious update to an already installed app could quietly pull tokens in the background and send them to an attacker.
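Because the root cause was a debug setting left enabled in release code (Teams shipped with the same flag set to false), the practical lesson for app teams is a release gate that refuses to build when the flag is literally enabled. The following is an added example, not code from the article, Enclave, or Microsoft: a small scanner that checks source files for a literal setIsDebugMode(true) call. The sample sources, file paths, and the cfg receiver object are constructed placeholders.

```python
import re

# Matches a literal enable of the debug flag, tolerating whitespace inside the
# call. A literal `true` is the pattern the article describes; the scanner does
# not try to evaluate variables or build-config expressions.
DEBUG_FLAG = re.compile(r"setIsDebugMode\s*\(\s*true\s*\)")


def scan_for_debug_flag(sources):
    """sources: {path: file_text}. Returns [(path, line_no, line)] for every
    compiled (non-comment) line that enables the debug mode with a literal true."""
    hits = []
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("//"):
                continue  # commented-out line, not compiled
            if DEBUG_FLAG.search(line):
                hits.append((path, line_no, line.strip()))
    return hits


def release_gate(sources):
    """True when the tree is clean; a CI job would fail the build otherwise."""
    return not scan_for_debug_flag(sources)


# Constructed sample sources (hypothetical paths and a hypothetical `cfg` object).
SAMPLE_SOURCES = {
    # Mirrors the affected apps: debug mode enabled with a literal true.
    "word/AuthConfig.kt": "val cfg = authConfig()\ncfg.setIsDebugMode(true)\n",
    # Mirrors Teams: same call, but set to false.
    "teams/AuthConfig.kt": "val cfg = authConfig()\ncfg.setIsDebugMode(false)\n",
    # A commented-out enable (ignored) followed by a real one with odd spacing.
    "loop/AuthConfig.kt": "// cfg.setIsDebugMode(true)\ncfg.setIsDebugMode( true )\n",
}

if __name__ == "__main__":
    for path, line_no, line in scan_for_debug_flag(SAMPLE_SOURCES):
        print(f"{path}:{line_no}: {line}")
    print("release gate:", "PASS" if release_gate(SAMPLE_SOURCES) else "FAIL")
```

The gate is deliberately narrow: it flags only the literal form the article describes, so a team that wires the flag to a build variable still needs a review step, but it catches exactly the configuration slip that separated the six affected apps from Teams.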

Which Microsoft 365 Android Apps Were Exposed

The vulnerability affected six widely used Microsoft 365 Android apps: Word, PowerPoint, Excel, OneNote, Microsoft Loop, and Microsoft 365 Copilot. Enclave noted that Teams shipped with the same debug flag set to false and was not impacted, which points to a configuration slip rather than an intentional design. The flaw was classified by Microsoft as a set of local spoofing issues under improper access control. Microsoft issued four CVEs on May 12: CVE-2026-41100 for Microsoft 365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 for Excel and related Microsoft Office Android configurations. NVD records list the patched Word build as 16.0.19822.20190, with earlier versions affected. Loop and OneNote received fixes through the same Google Play distribution, even though they did not receive separate CVE identifiers in that batch.

Immediate Steps for Users: Update and Reset Sessions

For individual users, the priority is to install the Microsoft 365 patch update for all affected Android apps. Open Google Play, search for Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot, and apply the available updates so that your device no longer runs builds older than the patched ones (for Word, 16.0.19822.20190). This closes the hole but does not remove tokens that might already have been stolen, because FOCI tokens can survive app updates and continue to refresh. To reduce that risk, sign out of Microsoft 365 sessions on your Android device and sign back in, which forces new tokens to be issued. Where possible, also change your password and enable multi-factor authentication to limit the value of any lingering tokens. If you remember installing untrusted or little-known apps alongside these Microsoft tools, treat your account as higher risk and review recent activity.

Actions for IT and Security Teams on Android Fleets

IT and security teams should treat this Microsoft 365 Android vulnerability as a prompt to examine both patch status and app governance. First, verify that managed Android devices run patched builds of Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot; enforce Google Play updates through mobile device management where possible. According to TechRepublic, exposure is more likely on unmanaged or loosely managed phones that allow broad third-party app installation while accessing Microsoft 365. Next, audit sign-in activity and access logs for higher-risk users who ran vulnerable builds before May 12 and had unverified apps installed. Consider revoking refresh tokens for those accounts so they must sign in again. Finally, tighten policies on third-party Android apps, and treat mobile governance as part of Microsoft 365 identity controls, especially as new projects and AI assistants like Copilot handle increasingly sensitive workflows.
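The fleet steps above (confirm patched builds, then decide whose refresh tokens to revoke) are easy to get wrong when build numbers are compared as strings. The following is an added example, not code from the article or from Microsoft: a triage script over an MDM-style inventory that compares builds numerically and sorts users into revoke, update, and review lists. The inventory rows and their build numbers are constructed sample data; the only patched build the article gives is Word 16.0.19822.20190, so the thresholds for the other apps are placeholders that an operator must fill in from Microsoft's advisories, and devices that hit a placeholder are routed to manual review rather than silently marked safe. The allows_third_party_installs field is an assumed inventory attribute.

```python
# Earliest patched build per affected app. Only Word's value comes from the
# article (NVD record); the rest are placeholders to be replaced from the
# vendor advisories before the result is relied on.
PATCHED_BUILD = {
    "Word": "16.0.19822.20190",
    "Excel": "<fill from advisory>",
    "PowerPoint": "<fill from advisory>",
    "OneNote": "<fill from advisory>",
    "Microsoft Loop": "<fill from advisory>",
    "Microsoft 365 Copilot": "<fill from advisory>",
}


def parse_build(build):
    """'16.0.19822.20190' -> (16, 0, 19822, 20190) so builds compare numerically.
    String comparison would rank '16.0.9999.1' above '16.0.19822.20190'.
    Returns None for placeholders or malformed strings."""
    try:
        parts = tuple(int(p) for p in build.strip().split("."))
    except (AttributeError, ValueError):
        return None
    return parts or None


def app_status(app, build):
    """'patched', 'vulnerable', 'unknown' (threshold missing or build
    unparseable), or 'n/a' for apps the article does not list as affected."""
    if app not in PATCHED_BUILD:
        return "n/a"
    threshold = parse_build(PATCHED_BUILD[app])
    installed = parse_build(build)
    if threshold is None or installed is None:
        return "unknown"
    return "patched" if installed >= threshold else "vulnerable"


def assess_device(device):
    """Per-app status for one inventory row."""
    return {app: app_status(app, build) for app, build in device["apps"].items()}


def triage(devices):
    """revoke: vulnerable build on a device that allows third-party installs
    (revoke refresh tokens, force re-sign-in); update: vulnerable build on a
    locked-down device (push the update); review: no known-vulnerable app but
    at least one threshold still unknown. A known-vulnerable app takes
    precedence over an unknown one on the same device."""
    revoke, update, review = set(), set(), set()
    for device in devices:
        statuses = assess_device(device).values()
        if "vulnerable" in statuses:
            target = revoke if device["allows_third_party_installs"] else update
            target.add(device["user"])
        elif "unknown" in statuses:
            review.add(device["user"])
    return {"revoke": sorted(revoke), "update": sorted(update), "review": sorted(review)}


# Constructed sample inventory; users and build numbers are made up.
SAMPLE_INVENTORY = [
    {"user": "alice@example.com", "allows_third_party_installs": False,
     "apps": {"Word": "16.0.19822.20190", "Teams": "1.0.0"}},
    {"user": "bob@example.com", "allows_third_party_installs": True,
     "apps": {"Word": "16.0.19730.20082", "Excel": "16.0.19730.20082"}},
    {"user": "carol@example.com", "allows_third_party_installs": False,
     "apps": {"Word": "16.0.19700.10000"}},
    {"user": "dave@example.com", "allows_third_party_installs": True,
     "apps": {"Microsoft Loop": "1.0.0"}},
]

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        print(device["user"], assess_device(device))
    print(triage(SAMPLE_INVENTORY))
```

The revoke list is the input to whatever session-revocation step the identity platform offers; the script deliberately stops at producing it rather than calling an API, so it can be run offline against an exported inventory first.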
