What the Microsoft 365 Android Account Token Vulnerability Is
The Microsoft 365 Android account token vulnerability is a security flaw in which a leftover debug flag in several Microsoft 365 Android applications disabled the normal token security checks. Any other app installed on the same device could therefore request and receive long-lived account tokens without passwords, login prompts, or user consent, and those tokens could then be used to access email, files, calendars, and other data as the signed-in user. Enclave’s researchers traced the issue to a single line in a shared Microsoft SDK: setIsDebugMode(true). This switched off the check that normally limits token handoff to trusted Microsoft apps only. As a result, the trust boundary around Microsoft 365 Android security broke down, turning single sign-on convenience into an account token vulnerability whose exploitability depended solely on which other apps were present on the device.

How the Debug Flag Broke Android App Security
Under normal conditions, Microsoft 365 Android apps share authentication tokens so users can move from Word to Excel or PowerPoint without signing in again. A verification step is supposed to confirm that only trusted Microsoft apps receive these tokens. In this case, the shared SDK had setIsDebugMode(true) left enabled in production, which skipped that verification step and created a serious Android app security flaw. Any untrusted or malicious app on the same device could request a token from the affected Microsoft 365 apps and get it without triggering an Android permission dialog or new sign-in. Enclave confirmed the exposed tokens were FOCI (Family of Client IDs) refresh tokens, designed for cross-app access and able to be reused over long periods. Because their use looks routine in logs, token abuse could blend into normal Microsoft 365 traffic, making detection harder for security teams.

Affected Microsoft 365 Android Apps, CVEs, and Patch Timeline
The vulnerability impacted six Microsoft 365 Android applications: Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot. Microsoft Teams used the same SDK pattern but shipped with the debug flag set to false, so it was not exposed. Microsoft classified the issue as a set of local spoofing flaws under improper access control and issued four CVEs on May 12: CVE-2026-41100 for Microsoft 365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 for Excel and Office for Android. According to NVD records, patched Word builds for Android start at 16.0.19822.20190, with earlier versions vulnerable. Microsoft pushed fixes through its regular Patch Tuesday and Google Play updates, and there is currently no public evidence of in-the-wild exploitation before these patches were released and Enclave’s research was published on June 2.

Practical Risk: How Untrusted Android Apps Could Steal Tokens
This account token vulnerability was local rather than remote, but the practical risk is significant wherever Android devices mix Microsoft 365 with third-party apps. A malicious or compromised app installed on the same device could silently request FOCI tokens from Word, Excel, PowerPoint, OneNote, Loop, or Microsoft 365 Copilot and then use them to read email, open documents, browse calendar items, or send messages as the user. SecurityWeek described one attack path as a malicious update to an already-installed app, which could begin requesting tokens in the background with no visible change for the user. Because FOCI refresh tokens survive app updates, any tokens captured before May 12 patches would remain usable until revoked. Exposure is higher on unmanaged or lightly managed Android devices that allow broad app installation while also accessing corporate Microsoft 365 resources.

Action Plan for IT Teams: Verify Patches and Lock Down Tokens
IT and security teams should start with patch verification. Confirm all Android devices running Microsoft 365 apps have received current updates for Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot, ensuring Word builds are at or beyond 16.0.19822.20190. Use mobile device management tools where available to enforce Google Play updates and block the use of outdated app versions. Next, review third-party app policies on Android, tightening installation rules for unmanaged apps, especially on devices that handle sensitive work or access Microsoft 365 Copilot. For accounts that used vulnerable builds alongside untrusted or unknown apps, revoke refresh tokens and force reauthentication so any intercepted FOCI tokens become useless. Finally, examine sign-in and token activity for higher-risk users, watching for unusual access patterns that might reflect token reuse originating from unexpected devices or app identifiers.
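The patch-verification and token-revocation steps above, as an added example (not Microsoft's or Enclave's code): a Python triage of a constructed MDM inventory export that compares installed Word builds against the patched build named above, lists devices still needing an update, and lists users whose refresh tokens should be revoked because a vulnerable build sat on a device with unknown apps. The inventory rows, the `Install` record and its `unknown_apps` flag are assumptions; only Word's patched build is stated on this page, so the other apps' thresholds are left unset and reported as unverified.

```python
from dataclasses import dataclass
# The six apps the article names as affected; Teams shipped with the flag off and is not listed.
AFFECTED_APPS = {"Word", "Excel", "PowerPoint", "OneNote", "Microsoft Loop", "Microsoft 365 Copilot"}
# Minimum patched build per app. Word's value is the NVD figure the article cites; the page
# gives no threshold for the other apps, so they stay unset and are reported as unverified.
PATCHED_BUILDS = {"Word": "16.0.19822.20190"}

def parse_build(version: str) -> tuple[int, ...]:
    """Turn '16.0.19822.20190' into a tuple of ints so builds compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed build is at or beyond the patched build."""
    return parse_build(installed) >= parse_build(minimum)

@dataclass(frozen=True)
class Install:  # one row of a hypothetical MDM inventory export (assumed schema)
    device: str
    user: str
    app: str
    version: str
    unknown_apps: bool  # device also carries sideloaded or unrecognised apps

def triage(inventory, patched=PATCHED_BUILDS):
    """Return (devices to update, devices needing a manual check, users to revoke)."""
    update, unverified, revoke = set(), set(), set()
    for row in inventory:
        if row.app not in AFFECTED_APPS:
            continue
        minimum = patched.get(row.app)
        if minimum is None:
            unverified.add(row.device)  # no known threshold: confirm by hand
        elif not is_patched(row.version, minimum):
            update.add(row.device)
            if row.unknown_apps:  # vulnerable build beside untrusted apps: revoke refresh tokens
                revoke.add(row.user)
    return update, unverified, revoke

# Constructed sample export (not real devices or users).
SAMPLE_INVENTORY = [
    Install("dev-001", "alice@example.com", "Word", "16.0.19822.20190", True),
    Install("dev-002", "bob@example.com", "Word", "16.0.19725.20130", True),
    Install("dev-003", "carol@example.com", "Word", "16.0.19800.20100", False),
    Install("dev-003", "carol@example.com", "Excel", "16.0.19822.20190", False),
    Install("dev-004", "dave@example.com", "Microsoft Teams", "1416.0.0.2025", True),
]
```

Running `triage(SAMPLE_INVENTORY)` flags dev-002 and dev-003 for a Word update, dev-003 for a manual Excel check, and bob for refresh-token revocation.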