What the Microsoft 365 Android Token Vulnerability Is
The Microsoft 365 Android vulnerability is a token theft bug where a leftover debug setting disabled security checks, allowing any installed app on the same device to request and receive Microsoft account tokens from trusted apps without user interaction or visible prompts. Researchers at Enclave found that a shared Microsoft SDK shipped with setIsDebugMode(true) enabled, which turned off the verification that should limit token sharing to trusted Microsoft apps only. As a result, Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot for Android could hand over FOCI single sign-on tokens to an untrusted app. Those tokens could then provide access to email, files, calendar entries, documents, and messages as the signed-in user. Microsoft treated this as a local spoofing flaw and issued patches on May 12 through an Android security patch and Microsoft’s IT security update process.

How Account Token Theft Worked Across Microsoft 365 Apps
Microsoft 365 Android apps are designed to share authentication so signing into Word signs you into Excel, PowerPoint, or Copilot without another login. That handoff should stay within trusted Microsoft apps by checking who is asking before sharing account tokens. With setIsDebugMode(true) left on in production, that gatekeeping check was skipped, and any other app on the phone could request those tokens. Enclave’s proof of concept showed an unverified third-party app silently pulling FOCI tokens and then reading email, browsing files, or viewing calendar data with no password, login screen, or suspicious Android permission prompt. SecurityWeek described a plausible scenario where a malicious update to an already installed app requests tokens in the background and exfiltrates them. Because FOCI tokens are refreshable and designed for long-lived cross-app access, their use can blend into normal traffic, making account token theft hard to spot in routine logs.
Which Microsoft 365 Android Apps Were Affected and Patched
Six major Microsoft 365 Android apps were affected: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. Teams shipped the same SDK with the flag set to false and was not affected, which Enclave attributes to configuration drift rather than intentional design. Microsoft assigned four CVEs to the problem: CVE-2026-41100 for Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 covering Microsoft Office components including Word and Excel for Android. According to NVD records, the Word fix appears in Android build 16.0.19822.20190, with earlier versions vulnerable; the other apps were corrected through the same Google Play update channel. Microsoft pushed the Android security patch and related IT security update on May 12, with PowerPoint’s fix also distributed that day through Google Play. There is no public evidence so far that attackers exploited the bug before disclosure, but exposure on unmanaged devices remains a realistic concern.
What IT Teams Must Verify Right Now
IT admins should immediately confirm that all managed Android devices have the patched versions of affected Microsoft 365 apps. Use mobile device management to enforce Google Play updates and verify that Word is at or above build 16.0.19822.20190, with similar checks for Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. For users who ran vulnerable builds alongside untrusted or loosely governed apps, review sign-in and access logs for unusual patterns, especially for higher-risk accounts with access to sensitive email or documents. Focus on activity originating from Android clients that might indicate account token theft via this Microsoft 365 Android vulnerability. Admins should also examine third-party app policies on work and bring-your-own devices, tightening rules on unverified app installation and automatic updates. This incident underlines that Android app governance now belongs alongside Microsoft 365 identity and access controls, especially where mobile devices access corporate data.
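The two checks above, build compliance from an MDM export and a first pass over sign-in records for the users whose devices were behind, as an added example that is not Microsoft's or Enclave's tooling. Only Word's fixed build comes from the article (via NVD); the Play package id, the inventory rows, sign-in rows and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Minimum fixed Android build per app. Only Word's is on the public record (NVD);
# the key is Word's Play package id, which the article itself does not name. Add
# the other five apps once their fixed builds are confirmed rather than guessing.
FIXED_BUILDS = {"com.microsoft.office.word": "16.0.19822.20190"}

def parse_build(build: str) -> tuple[int, ...]:
    """'16.0.19822.20190' -> (16, 0, 19822, 20190). Compare numerically: as plain
    strings, '16.0.19822.9' would wrongly sort above '16.0.19822.20190'."""
    return tuple(int(p) for p in build.split("."))

def is_patched(package: str, installed: str):
    """True/False against FIXED_BUILDS; None when the app has no known fixed build."""
    fixed = FIXED_BUILDS.get(package)
    return None if fixed is None else parse_build(installed) >= parse_build(fixed)

def unpatched_users(inventory):
    """inventory rows: (device_id, user, package, installed_build) from an MDM export.
    Returns {user: [device_id, ...]} for devices still below the fixed build."""
    out = defaultdict(list)
    for device, user, package, build in inventory:
        if is_patched(package, build) is False:
            out[user].append(device)
    return dict(out)

def flag_signins(signins, at_risk, known_ips):
    """signins rows: (user, client_os, ip). Flags Android sign-ins by at-risk users
    from IPs outside that user's known set; a replayed refresh token looks like a
    normal session, so a new source address is often the only visible anomaly."""
    return [row for row in signins
            if row[0] in at_risk and row[1] == "Android"
            and row[2] not in known_ips.get(row[0], set())]

# Constructed sample data (not real devices, users or addresses).
INVENTORY = [
    ("dev-01", "alice", "com.microsoft.office.word", "16.0.19822.20190"),
    ("dev-02", "bob", "com.microsoft.office.word", "16.0.19822.9"),
    ("dev-03", "bob", "com.microsoft.office.word", "16.0.19729.20000"),
    ("dev-04", "carol", "com.example.other", "1.2.3"),
]
SIGNINS = [
    ("alice", "Android", "203.0.113.10"),
    ("bob", "Android", "203.0.113.20"),
    ("bob", "Android", "198.51.100.77"),
    ("bob", "Windows", "198.51.100.77"),
]
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

if __name__ == "__main__":
    risk = unpatched_users(INVENTORY)
    print("unpatched:", risk)
    print("review:", flag_signins(SIGNINS, set(risk), KNOWN_IPS))
```

Feed the real MDM export and sign-in log in place of the constructed rows; the flagged rows are a review queue for the token-revocation step, not proof of theft.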
Actions End Users Should Take to Protect Their Accounts
End users should update all Microsoft 365 Android apps without delay. Open the Google Play Store and install the latest versions of Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot to ensure the Android security patch is applied. Because FOCI refresh tokens can outlive an app update, IT teams may revoke refresh tokens for at-risk accounts and force a fresh sign-in; users should cooperate with re-authentication prompts. On personal and work phones alike, remove unneeded or untrusted apps, especially those installed from outside official stores, to cut off potential token-stealing paths. Monitor Microsoft 365 account activity pages for unfamiliar sign-ins or access from unexpected Android devices and report anything suspicious to IT. For many organizations, this is a good moment to remind users that mobile devices are full participants in corporate identity, not secondary, less important endpoints.