A hidden development setting left enabled in production versions of multiple Microsoft 365 Android applications allowed other installed apps to silently steal authentication tokens, potentially granting full access to user data without passwords or prompts.
A critical security flaw affecting several Microsoft 365 mobile applications for Android has been disclosed, revealing that a leftover debug configuration bypassed core protections meant to restrict sensitive account tokens to trusted Microsoft software.
The vulnerability affected widely used apps including Word, Excel, PowerPoint, Microsoft 365 Copilot, Microsoft Loop, and OneNote—software with billions of combined downloads. Microsoft has since released updates addressing the issue and is urging users to upgrade immediately.
How the Android Token Leak Worked
The issue stemmed from a development flag mistakenly left active in production builds of a shared Microsoft authentication component. This flag effectively disabled checks that ensure only verified Microsoft applications can request and receive user tokens.
Security researchers from Enclave, who identified the flaw and dubbed it “FlagLeft,” found that any third-party app already installed on the same Android device could request authentication tokens belonging to a signed-in Microsoft account.
No user interaction, permission approval, or visible login prompt was required.
Once obtained, these tokens could be used to access email, calendars, cloud files, and messaging features tied to the user’s Microsoft account, effectively enabling full account impersonation from within another app.
Microsoft 365 Apps and the Scope of Exposure
The affected applications included core productivity tools used globally:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft 365 Copilot
- Microsoft Loop
- Microsoft OneNote
These apps share a single sign-on system designed to simplify authentication across Microsoft services. However, the flawed configuration meant the security boundary separating trusted Microsoft apps from other installed apps was unintentionally removed.
Notably, Microsoft Teams was not affected, suggesting the issue was isolated to a shared software development kit used by the impacted applications.
FOCI Tokens and Why the Risk Was Serious
The exposed credentials were identified as FOCI (Family of Client IDs) refresh tokens, which Microsoft uses to enable seamless authentication across its ecosystem.
These tokens are particularly sensitive because they:
- Allow long-term access without repeated login prompts
- Can be refreshed to maintain ongoing sessions
- Produce token refreshes that often look like normal user activity in security logs
As a result, unauthorized access could persist without obvious signs of compromise, making detection difficult for both users and security teams.
Security Research and Exploit Demonstration
Researchers demonstrated that a malicious application installed on the same device could silently extract tokens and use them to access Microsoft account data. In practical terms, this means an attacker would only need to trick a user into installing a harmful app—no network exploit or phishing login page required.
Microsoft has classified the issue as a “local spoofing” vulnerability, indicating that the attack relies on a malicious application already present on the device rather than remote exploitation.
The flaw was traced to a single misconfigured debug setting in shared authentication code, which propagated across multiple applications.
Microsoft Response and Security Updates
Microsoft issued patches addressing the vulnerability in mid-May 2026, assigning multiple CVEs to affected applications, including:
- CVE-2026-41100 (Microsoft 365 Copilot)
- CVE-2026-41101 (Word)
- CVE-2026-41102 (PowerPoint)
- CVE-2026-42832 (Excel)
Updated versions distributed through the Google Play Store remove the debug configuration and restore proper token validation checks.
Security advisories indicate that patched builds for Word and related apps are version 16.0.19822.20190 or later.
Security Guidance for Android Users and Enterprises
Microsoft recommends that all users immediately update affected apps via the Google Play Store. Organizations managing corporate mobile devices should deploy updates through mobile device management (MDM) systems and verify compliance across endpoints.
Security professionals also warn that updating alone may not eliminate all risk. Because refresh tokens can remain valid after a patch, organizations should consider:
- Revoking active sessions and refresh tokens
- Forcing re-authentication across affected accounts
- Reviewing device-level application integrity for suspicious apps
These steps help ensure that any tokens potentially exposed before patching are no longer usable.
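One way to carry out these steps at fleet scale, as an added example that is not Microsoft's or Enclave's code: it checks an MDM app-inventory export against the patched build named in the advisory and maps every user with an unpatched install to the Microsoft Graph revokeSignInSessions call that invalidates their refresh tokens. The inventory row format, the package names for Loop and Copilot, and applying the Word version threshold to every listed app are assumptions.

```python
"""Flag Microsoft 365 Android installs below the patched build in an MDM inventory
export and plan refresh-token revocation for their users. Added example, not
Microsoft's or Enclave's code; assumed: the row format, the Loop and Copilot package
names, and that every app shares the advisory's 16.0.19822.20190 Word threshold."""
from typing import Iterable
PATCHED_MIN = "16.0.19822.20190"  # minimum patched build stated in the advisory
AFFECTED_PACKAGES = {             # Play Store package IDs (Loop/Copilot assumed)
    "com.microsoft.office.word": "Word",
    "com.microsoft.office.excel": "Excel",
    "com.microsoft.office.powerpoint": "PowerPoint",
    "com.microsoft.office.onenote": "OneNote",
    "com.microsoft.office.officehubrow": "Microsoft 365 Copilot",
    "com.microsoft.loop": "Loop",
}

def parse_version(v: str) -> tuple[int, ...]:
    """'16.0.19822.20190' -> (16, 0, 19822, 20190); unparseable -> (0,), so an
    unknown version is treated as unpatched instead of silently passing."""
    try:
        return tuple(int(p) for p in v.strip().split("."))
    except ValueError:
        return (0,)

def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(PATCHED_MIN)

def find_exposed(inventory: Iterable[dict]) -> list[dict]:
    """Rows for affected packages still below PATCHED_MIN; other packages such
    as Teams, which the article says was not affected, are ignored."""
    return [r for r in inventory
            if r["package"] in AFFECTED_PACKAGES and not is_patched(r["version"])]

def revocation_plan(exposed: list[dict]) -> dict[str, str]:
    """Map each user with an exposed install to the Microsoft Graph call that
    invalidates their refresh tokens; combine with forced re-authentication so
    any token leaked before patching stops working."""
    return {u: f"https://graph.microsoft.com/v1.0/users/{u}/revokeSignInSessions"
            for u in sorted({r["user"] for r in exposed})}

SAMPLE_INVENTORY = [  # constructed rows, not a real export
    {"user": "alice@example.com", "package": "com.microsoft.office.word", "version": "16.0.19801.20140"},
    {"user": "alice@example.com", "package": "com.microsoft.teams", "version": "1416/1.0.0.2025"},
    {"user": "bob@example.com", "package": "com.microsoft.office.excel", "version": "16.0.19822.20190"},
    {"user": "carol@example.com", "package": "com.microsoft.office.powerpoint", "version": "16.0.19822.20191"},
    {"user": "dave@example.com", "package": "com.microsoft.office.onenote", "version": "unknown"},
]

if __name__ == "__main__":
    for r in find_exposed(SAMPLE_INVENTORY):
        print(f"UNPATCHED {AFFECTED_PACKAGES[r['package']]} {r['version']} ({r['user']})")
    print(revocation_plan(find_exposed(SAMPLE_INVENTORY)))
```

The Graph call must be issued with an identity allowed to revoke sessions, and it only covers tokens issued by the tenant; a device-level review for the malicious app itself remains a separate step.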
A Reminder of Mobile Security Risks in Enterprise Environments
The incident highlights a growing challenge in mobile cybersecurity: even trusted enterprise applications can become attack vectors when development configurations are mistakenly left enabled in production builds.
It also reinforces concerns around mobile ecosystems where multiple apps share authentication frameworks, increasing the potential blast radius of a single configuration error.
As enterprises continue to rely heavily on mobile productivity tools, maintaining strict build hygiene and runtime security validation is becoming as important as traditional vulnerability patching.