A critical vulnerability found in six Microsoft 365 Android applications could have put billions of downloads at risk.
These security flaws were discovered by Enclave, an AI-driven tool designed for identifying exploitable bugs, and were shared in advance with SecurityWeek. The core issue stemmed from a single debug flag that was accidentally left active in the production code of several apps, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote for Android. Essentially, debug mode was enabled in these apps via a line like ‘set IsDebugMode(true),’ but other Microsoft applications like Teams did not have this setting enabled and were therefore not vulnerable.
Debug flags can serve different purposes, from logging to testing outputs. According to Enclave, this particular setting altered how account access tokens were shared. When debug mode was on, the security checks meant to prevent untrusted apps from receiving tokens were bypassed.
Microsoft intended its own authorized apps on the same device to share access tokens seamlessly so that users would not have to log in repeatedly. However, this feature was strictly meant to operate only among Microsoft’s own apps, never third-party or malicious applications. The debug flag removed these restrictions, causing the apps to grant access tokens to any requesting app on the device.
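To make the failure mode concrete, here is an added illustration (not Microsoft's or Enclave's code) of a device-local token broker that authorizes callers by signing-certificate hash, shown in the flawed shape where a debug flag short-circuits the check and in a hardened shape where the flag can never remove it. The package names, certificate bytes, `INSTALLED_APPS` stand-in for Android's PackageManager and the `BrokerConfig` fields are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for PackageManager: package name -> signing certificate bytes.
INSTALLED_APPS = {
    "com.example.first_party.word": b"cert-first-party-release",  # constructed
    "com.example.third_party.game": b"cert-third-party",          # constructed
}

def cert_sha256(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

# Allowlist pinned at build time: only apps signed with the first-party release key qualify.
TRUSTED_SIGNER_HASHES = frozenset({cert_sha256(b"cert-first-party-release")})

@dataclass(frozen=True)
class BrokerConfig:
    is_debug_mode: bool     # the kind of developer flag the article says reached production
    is_release_build: bool  # assumed to mirror a build-type constant such as BuildConfig.DEBUG

def caller_is_trusted(package: str) -> bool:
    """Fail closed: unknown packages and unknown signers get nothing."""
    cert = INSTALLED_APPS.get(package)
    return cert is not None and cert_sha256(cert) in TRUSTED_SIGNER_HASHES

def vulnerable_broker(package: str, cfg: BrokerConfig):
    # Flawed pattern: a runtime flag bypasses the signer check entirely,
    # so any installed app receives a token once the flag ships enabled.
    if cfg.is_debug_mode:
        return "ACCESS_TOKEN"  # constructed placeholder token
    return "ACCESS_TOKEN" if caller_is_trusted(package) else None

def hardened_broker(package: str, cfg: BrokerConfig):
    # Hardened pattern: the flag is neutralized in release builds, and even in
    # debug builds it may only add logging, never skip the authorization check.
    debug_effective = cfg.is_debug_mode and not cfg.is_release_build
    if debug_effective:
        print(f"[debug] token request from {package}")
    if not caller_is_trusted(package):
        return None
    return "ACCESS_TOKEN"

def release_config_is_sane(cfg: BrokerConfig) -> bool:
    """Startup or CI gate: a release build must never carry debug mode."""
    return not (cfg.is_release_build and cfg.is_debug_mode)
```

The `release_config_is_sane` gate is the kind of safeguard Enclave's closing remark points at: it catches the misconfiguration before a build reaches users rather than relying on the broker to behave.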
Exploiting this vulnerability would be straightforward for attackers. They could create a simple script or integrate their exploit code into other Android applications. The main challenge lies in distributing these malicious apps to a large number of devices.
Yanir Tsarimi, co-founder and CPO at Enclave, explained that the malicious code might be as short as 15 lines, designed merely to request and obtain access tokens. He emphasized how deceptively simple the attack appears due to its reliance on an unintended feature.
The real problem was not the sharing of access tokens itself, but the oversight that allowed it to happen outside approved channels. This single-line change had wide-scale impact across apps that collectively account for billions of downloads.
Tsarimi outlined a possible exploitation scenario: imagine a popular mobile game developer issues an automatic update to thousands of users. If malicious exploit code is embedded in this update, once installed, it could silently request access tokens from any Microsoft apps present on a user’s device. The attacker then collects these tokens without alerting the user.
Victims would notice nothing unusual during this process. Tsarimi said that attackers could use these stolen tokens to act as legitimate users within their Microsoft accounts, potentially gaining unauthorized access to data or performing actions like sending emails or modifying documents.
Enclave confirmed that all six affected Microsoft Android apps had this issue. The stolen tokens were classified as Microsoft FOCI tokens, which can be refreshed and reused over extended periods—making long-term abuse difficult to detect.
Any rogue app with access to these tokens could tap into sensitive user information such as emails, files, documents, communications, and calendar entries. Trojans could read private data, alter documents, or even send messages through compromised accounts.
Microsoft acknowledged the vulnerabilities after being notified by Enclave and addressed them promptly. Patches issued through Microsoft’s Patch Tuesday mechanism covered three main issues (CVE-2026-41100, -41101, and -41102) on May 12. PowerPoint for Android received its fix via a separate patched build in the Google Play Store on the same date.
Provided users keep their systems updated, they should now be protected against these vulnerabilities.
Enclave concluded, “We reported the problems to MSRC, and all were confirmed and fixed. The takeaway here is that a development setting reached production in multiple major apps and changed the security behavior around account access. Ideally, this should not happen by accident—but it did, highlighting a gap in safeguards.”