FlagLeft: We Found A Forgotten Flag That Turned Microsoft 365 Apps Into a Silent Account Takeover Pipeline for Billions of Users

How a development flag left in production allowed any app on an Android device to silently take over a Microsoft account.

TL;DR & What Needs To Be Done:

Our research found that any app installed on the same Android device could silently access a Microsoft 365 account’s token. It could then act as the signed-in account (read email, open files, access documents, send messages, view calendars), without the user’s knowledge.

The issue has been patched, but if you use Microsoft 365 apps on Android, update them now. If your organization manages Android devices, make sure Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote are on patched versions.

Small Mistakes, Big Prices

A security check only works if it actually runs. In several Microsoft 365 Android apps, it didn’t.

We were looking at one of Microsoft’s Android apps when our AI analysis tool pointed out a vulnerability.

At first, it flagged that a sensitive security check was effectively disabled. Microsoft 365 apps have a feature that shares tokens between apps. If you log in to Word, you don’t need to log in again to PowerPoint. Makes sense.

However, our AI analysis produced a worrying result: not only was the authorization check disabled, it highlighted this vulnerability could be replicated across multiple Microsoft apps because the vulnerable code was inside a shared Microsoft SDK.

We quickly produced a working PoC on an Android device, and were able to access Microsoft account tokens from all the installed apps on our device through a third-party, unverified app, and even read emails.

From the user’s side, there is no indication something is happening. But from the attacker’s side, those tokens were enough to act through the Microsoft account access the app had just handed over.

We confirmed the issue in the following Android apps:

  • Word

  • PowerPoint

  • Excel

  • Microsoft 365 Copilot

  • Microsoft Loop

  • OneNote

What started as one strange token request turned into a Microsoft 365 account takeover issue across six production Android apps.

The Technical

Microsoft 365 apps on Android need a way to share account access.

This is not the bug; it’s how the app is supposed to work. If you’re already signed into Word, Microsoft doesn’t want you to sign in again every time another Microsoft app needs the same account.

The important part is the handoff.

When an app asks for account tokens, Microsoft needs to check who is asking. A trusted Microsoft app should be allowed through. A random app installed on the same phone? That’s a no.

So we made the request from an app that shouldn’t have been trusted, and the Microsoft app returned tokens anyway. Something in the authorization path was not behaving the way a production app should behave.

Debug Mode in Production?

The reason for the bug is very simple. Someone left debug mode enabled in production:

setIsDebugMode(true)

This was enabled across all six apps. However, in apps like Teams, it was disabled. Clearly someone made a mistake.

That alone is not always enough to prove impact. Sometimes a debug flag only affects logging or test output. Sometimes it looks bad but does not change anything meaningful.

This one changed the behavior around account token sharing.

With debug mode enabled, the protection that should have blocked untrusted apps from receiving tokens was skipped. A separate app on the device only had to make the right request. It did not need the user’s password or to display a login page, or a request for Android permissions that would make the user suspicious.

So the finding moved from “debug flag in production” to “account tokens returned to an unauthorized app.”
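The handoff described above (a broker that must verify who is calling before handing over account tokens) and the way a debug flag can make that check disappear, as an added Python model. This is not Microsoft's SDK code or the post's PoC: the package names, uids, signer digests and token values are constructed, and the uid-to-package table stands in for what PackageManager would report for Binder.getCallingUid() on a real device. The vulnerable broker shows the flawed shape (debug mode skips the check); the hardened broker always evaluates the check and refuses to honour a debug request in a release build.

```python
"""Added illustration (not Microsoft's SDK code) of a cross-app token broker
whose caller check is short-circuited by a debug flag, beside a hardened
version. Package names, signer digests, uids and tokens are constructed."""
from dataclasses import dataclass, field
import hashlib


def signer_digest(cert_bytes: bytes) -> str:
    """SHA-256 of a signing certificate, as an allowlist would store it."""
    return hashlib.sha256(cert_bytes).hexdigest()


# Constructed stand-ins for two distinct APK signing certificates.
FIRST_PARTY_SIGNER = signer_digest(b"constructed first-party signing cert")
THIRD_PARTY_SIGNER = signer_digest(b"constructed third-party signing cert")

# Constructed view of what PackageManager would report for each calling uid.
# The broker must derive identity from Binder.getCallingUid(), never from a
# package name the caller writes into the request body itself.
INSTALLED = {
    10001: ("com.example.office.word", FIRST_PARTY_SIGNER),
    10002: ("com.example.office.powerpoint", FIRST_PARTY_SIGNER),
    10042: ("com.example.untrusted.app", THIRD_PARTY_SIGNER),
}

# Constructed token store: account -> refresh token held by the signed-in app.
TOKENS = {"user@example.com": "rt-constructed-0001"}


@dataclass
class TokenBroker:
    allowed_signers: frozenset
    debug_mode: bool = False
    audit: list = field(default_factory=list)

    def caller_is_trusted(self, calling_uid: int) -> bool:
        """Resolve the caller's signing cert and compare it to the allowlist."""
        pkg, signer = INSTALLED.get(calling_uid, (None, None))
        trusted = signer is not None and signer in self.allowed_signers
        self.audit.append(f"uid={calling_uid} pkg={pkg} trusted={trusted}")
        return trusted


class VulnerableBroker(TokenBroker):
    """The flawed shape: with debug mode on, the check never runs at all."""

    def get_token(self, calling_uid: int, account: str) -> str:
        if not self.debug_mode and not self.caller_is_trusted(calling_uid):
            raise PermissionError("caller not in trusted signer set")
        return TOKENS[account]


@dataclass
class HardenedBroker(TokenBroker):
    """Debug mode only adds diagnostics, and is forced off in release builds."""
    release_build: bool = True

    def __post_init__(self):
        if self.release_build and self.debug_mode:
            self.audit.append("debug_mode requested in release build; ignored")
            self.debug_mode = False

    def get_token(self, calling_uid: int, account: str) -> str:
        trusted = self.caller_is_trusted(calling_uid)  # always evaluated
        if self.debug_mode:
            self.audit.append(f"debug: signer set = {sorted(self.allowed_signers)}")
        if not trusted:
            raise PermissionError("caller not in trusted signer set")
        return TOKENS[account]


def request_token(broker: TokenBroker, calling_uid: int, account: str):
    """Return the token the broker hands back, or None if it refused."""
    try:
        return broker.get_token(calling_uid, account)
    except PermissionError:
        return None


def demo() -> dict:
    """Same untrusted caller (uid 10042) against both brokers with debug on."""
    allow = frozenset({FIRST_PARTY_SIGNER})
    vulnerable = VulnerableBroker(allowed_signers=allow, debug_mode=True)
    hardened = HardenedBroker(allowed_signers=allow, debug_mode=True)
    return {
        "vulnerable_untrusted": request_token(vulnerable, 10042, "user@example.com"),
        "hardened_untrusted": request_token(hardened, 10042, "user@example.com"),
        "hardened_trusted": request_token(hardened, 10001, "user@example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the hardened broker's authorization decision does not branch on the debug flag at all; the flag can only add audit output, and the constructor refuses to keep it set in a release build, so a leftover `debug_mode=True` cannot change who receives tokens.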

Copy & Paste

The next question was scope: was this an isolated issue, or something broader? Every experienced researcher knows that where there is one bug, there are many more.

So we built that into our AI engine, and it immediately flagged this finding for variant analysis.

We tested another Microsoft app. Same result. Then we tested another. Vulnerable again.

Now the story changed even more: it wasn’t just a single app with a bad flag; it was the same pattern across Microsoft 365 Android apps. One simple mistake impacted apps totaling billions of downloads.

Tokens Allowed Extended Account Access

A token is not just a random string; it’s what lets an app act as the signed-in account for the access that token carries. The tokens were special “FOCI” (Family of Client IDs) tokens. FOCI tokens are specifically dangerous because they can be reused and refreshed over a long period of time, without anyone noticing.

The traffic and logs look exactly like normal.

Any attacker-controlled app could gain full access to Microsoft account data exposed through the affected app context. This could be emails, files, documents, communications, and calendar information.

It could also allow the attacker to read sensitive information, modify documents, or send communications through the access exposed by the token.

Responsible Disclosure

We reported the issues to MSRC, and all of them were confirmed and fixed, and assigned different severity ratings for the same bug across the different apps.

The important part is this: a development setting reached production in several major apps and changed the behavior of a system protecting account access.

That should be hard to do by accident. Here, it was not hard enough.
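One way to make this harder to do by accident is a release gate that fails the build whenever the debug switch is hard-coded on. The following is an added example, not Microsoft's tooling or anything from the post beyond the `setIsDebugMode` method name: the `AuthSdk` class, the file paths and the sample sources are constructed, and the gate accepts only `false` or `BuildConfig.DEBUG` as the argument, since neither can evaluate to true in a release build.

```python
"""Added example (not Microsoft's or the page's code): a release gate that
fails when a debug-mode switch is hard-coded on in app source. The method
name setIsDebugMode comes from the post; AuthSdk, the file paths and the
sample sources are constructed."""
import re
import sys

# Only arguments that cannot be true in a release build are accepted.
DEBUG_CALL = re.compile(r"\bsetIsDebugMode\s*\(\s*([^()]*?)\s*\)")
ACCEPTED_ARGS = {"false", "BuildConfig.DEBUG"}
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def strip_comments(source: str) -> str:
    """Remove /* */ and // comments while keeping line numbers stable."""
    def blank_lines(m):
        # Replace a block comment with as many newlines as it spanned.
        return "\n" * m.group(0).count("\n")
    without_block = BLOCK_COMMENT.sub(blank_lines, source)
    return "\n".join(line.split("//", 1)[0] for line in without_block.split("\n"))


def scan_source(path: str, source: str) -> list:
    """Return (path, line, argument) for each debug-mode call not allowlisted."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).split("\n"), 1):
        for m in DEBUG_CALL.finditer(line):
            arg = m.group(1).strip()
            if arg not in ACCEPTED_ARGS:
                findings.append((path, lineno, arg))
    return findings


def release_gate(sources: dict) -> int:
    """CI exit status: 0 when clean, 1 when any file hard-codes debug mode."""
    findings = [f for path, src in sources.items() for f in scan_source(path, src)]
    for path, lineno, arg in findings:
        print(f"{path}:{lineno}: setIsDebugMode({arg}) is not allowed in release builds")
    return 1 if findings else 0


# Constructed sample sources in the shape of Android app initialisation code.
SAMPLE_SOURCES = {
    "app/src/main/java/WordApp.java": (
        "public class WordApp {\n"
        "  void init() {\n"
        "    // setIsDebugMode(true);  // commented out, must not fire\n"
        "    /* setIsDebugMode(true); */\n"
        "    AuthSdk.setIsDebugMode(true);\n"
        "  }\n"
        "}\n"
    ),
    "app/src/main/java/TeamsApp.java": (
        "public class TeamsApp {\n"
        "  void init() { AuthSdk.setIsDebugMode(BuildConfig.DEBUG); }\n"
        "}\n"
    ),
}


if __name__ == "__main__":
    sys.exit(release_gate(SAMPLE_SOURCES))
```

Run it as a step of the release pipeline over the app's source tree; a non-zero exit blocks the build. Commented-out calls are ignored so the gate does not fire on dead code, and the allowlist is deliberately small: anything other than a literal `false` or the build-type constant is reported for review.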

This AI-guided research was completed as part of the Enclave Fellowship Program with researcher Ofek Levin.


CVE-2026-41100 | Microsoft 365 Copilot for Android Spoofing Vulnerability | Published: May 12, 2026 | CVSS: 4.4 (Medium) | CWE-284: Improper Access Control | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41100

CVE-2026-41101 | Word for Android Spoofing Vulnerability | Published: May 12, 2026 | CVSS: 7.1 (High) | CWE-284: Improper Access Control | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41101

CVE-2026-41102 | PowerPoint for Android Spoofing Vulnerability | Published: May 12, 2026 | CVSS: 7.1 (High) | CWE-284: Improper Access Control | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41102

CVE-2026-41102 | Microsoft Office Spoofing Vulnerability | Published: May 12, 2026 | CVSS: 7.7 (Important) | CWE-284: Improper Access Control | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41102
