Forgotten Debug Flag Exposed Microsoft 365 Android SSO Tokens


CyberSecureFox Editorial Team


Microsoft has released fixes for four spoofing vulnerabilities in the Android apps Word, PowerPoint, Excel, and Microsoft 365 Copilot that allowed any app on the device to obtain a user’s authorization token without a password, sign-in screen, or permission prompt. According to researchers from Enclave, the root cause was a debug flag left enabled in production builds. Organizations using Microsoft 365 on Android must immediately update the apps via Google Play and consider revoking refresh tokens for potentially compromised devices.

Technical details of the vulnerability

Microsoft 365 apps on Android use a single sign-on (SSO) mechanism: signing in to one app automatically authorizes the others. The transfer of tokens between apps is protected by a check that allows exchange only with trusted Microsoft apps. As reported by Enclave researchers Yanir Tsarimi and Ofek Levin, the common Microsoft SDK contained a call to setIsDebugMode(true), which disabled this check in production builds. Since the vulnerable code was located in a shared SDK, the same bug appeared in multiple applications.
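As an added illustration (not Microsoft's SDK code and not Enclave's proof of concept), the broker-side check described above, modelled in Java for Android: the calling app's signing certificate is compared against a pinned allow-list, and a debug flag is honoured only in a debuggable build, so a `setIsDebugMode(true)` left in a release build cannot switch the check off. The class name, the allow-list and the digest placeholder are assumptions.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Set;

/** Hypothetical SSO token-broker caller check (illustrative, not the real SDK). */
public final class CallerTrustCheck {
    // Constructed placeholder: SHA-256 digests of the signing certificates of apps
    // allowed to receive SSO tokens. A real broker would pin its own app family's certs.
    private static final Set<String> TRUSTED_CERT_SHA256 = Set.of("<sha256-of-trusted-signing-cert>");

    private final Context ctx;
    private final boolean debugMode;

    public CallerTrustCheck(Context ctx, boolean requestedDebugMode) {
        this.ctx = ctx;
        // Hardened form: a debug request only takes effect in a debuggable build.
        // The vulnerable pattern was the equivalent of this.debugMode = true in release builds.
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        this.debugMode = requestedDebugMode && debuggable;
    }

    /** Call from the IPC entry point (bound service / content provider) before releasing a token. */
    public boolean callerMayReceiveToken() {
        if (debugMode) return true; // skips verification; now reachable only in debug builds
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        for (String pkg : pkgs) {
            if (!isTrusted(pm, pkg)) return false; // every package sharing the UID must be trusted
        }
        return true;
    }

    private boolean isTrusted(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            for (Signature s : signers) {
                if (!TRUSTED_CERT_SHA256.contains(sha256Hex(s.toByteArray()))) return false;
            }
            return signers.length > 0;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // unknown caller or no digest support: deny
        }
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```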

The tokens accessible through this vulnerability are so-called FOCI tokens (Family of Client IDs refresh tokens), which Microsoft uses for SSO between its apps. These refresh tokens are long-lived, can be used multiple times, and traffic generated when they are used appears in logs as normal activity. There are no visible signs of compromise for the user.

Researchers from Enclave created a working proof-of-concept exploit: a third-party app that, without passing any verification, extracted the tokens and used them to read the victim’s email.

Assigned CVEs and severity ratings

On May 12, Microsoft published four security advisories, classifying the vulnerabilities as spoofing with broken access control (CWE-284):

The fixed version of Word for Android is 16.0.19822.20190; all earlier builds are vulnerable. The other apps were updated through the same releases in Google Play. According to Enclave, a similar issue also affected Microsoft Loop and OneNote, but separate CVEs for them were not assigned in the May release. None of the vulnerabilities has been added to the CISA KEV catalog, and no public evidence of exploitation prior to the patch has been recorded.

Impact assessment

Microsoft classifies the vulnerabilities as local spoofing, which implies the presence of a malicious app on the victim’s device. This narrows the attack vector compared with remote exploitation, but for corporate Android fleets the risk remains significant. The attack scenario is realistic: a user installs an app from a questionable source or even from Google Play (malicious apps periodically pass moderation), and it silently gains full access to corporate email, files, calendar, and the ability to send messages on behalf of the victim.

The nature of FOCI tokens is particularly dangerous: they survive app updates and remain valid after the patch is installed. This means that updating alone does not invalidate tokens that may have been intercepted earlier.

Practical recommendations

  1. Update the apps: install the latest versions of Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote from Google Play. For Word, make sure the version is at least 16.0.19822.20190.
  2. Enforce updates via MDM: security teams managing corporate Android devices should distribute updates through the mobile device management system and confirm that there are no vulnerable builds on devices.
  3. Revoke refresh tokens: for accounts on devices where vulnerable versions of the apps ran alongside untrusted applications, it is recommended to revoke refresh tokens and force reauthentication. This can be done via Azure AD / Entra ID.
  4. Audit installed apps: check devices for apps installed from unofficial sources during the period before the patch was applied.

The FlagLeft vulnerability is a clear example of how a single line of debug code in a shared SDK can cascade into compromising an entire family of applications. The top priority is to update all six affected Microsoft 365 apps on Android and revoke FOCI tokens for devices that may have been exposed before the patch was released.

