Microsoft 365 Android Bug Let Any App Steal User Account Tokens
A single leftover debug flag in production builds of several Microsoft 365 Android applications disabled a critical security check, allowing any app installed on the same device to silently request and receive the signed-in user's account token. Researchers Yanir Tsarimi and Ofek Levin from security firm Enclave discovered the flaw, which they dubbed FlagLeft, embedded in a shared Microsoft SDK used across Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—six applications collectively downloaded billions of times. The offending code was a single line: setIsDebugMode(true), left in the shipping build and causing the app identity verification check to be skipped entirely. No login screen, password prompt, or permission request was required; the requesting app simply received the token and gained full delegated access to the user's Microsoft 365 environment, including email, files, calendar, and messaging capabilities.
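To make the failure mode concrete, here is an added Python model of the decision a token broker makes when another package on the device asks for a token. This is illustration, not Microsoft's SDK (which is Java/Kotlin on Android): the package names, certificate bytes and token string are constructed placeholders, and the real check compares the caller's signing certificates, obtained from PackageManager, against pinned hashes in the same way. The vulnerable class keeps a runtime debug switch that short-circuits the check; the hardened class has no such switch and fails closed.

```python
"""Model of a token broker's caller-identity check: the debug-flag bypass
beside a fail-closed version.  Added illustration, not Microsoft's code; all
package names, certificate bytes and the token below are constructed."""
import hashlib


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of a DER-encoded signing certificate, the value an Android app
    normally pins when it verifies which package is calling it."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed allowlist: package name -> fingerprints it may be signed with.
LEGIT_CERT = b"-- constructed DER bytes for the publisher's release cert --"
ALLOWLIST = {
    "com.example.office.word": {cert_fingerprint(LEGIT_CERT)},  # hypothetical package
}


def _signers_allowed(pkg, signer_certs, allowlist):
    """Every certificate the caller is signed with must be allowlisted for that
    package; an unknown package or an empty signer set is rejected."""
    allowed = allowlist.get(pkg)
    if not allowed or not signer_certs:
        return False
    return all(cert_fingerprint(c) in allowed for c in signer_certs)


class VulnerableBroker:
    """Flawed shape: a debug flag that shipped as true skips the check entirely."""

    def __init__(self, allowlist, is_debug_mode=False):
        self.allowlist = allowlist
        self.is_debug_mode = is_debug_mode  # the equivalent of setIsDebugMode(true)

    def caller_is_trusted(self, pkg, signer_certs):
        if self.is_debug_mode:  # the single line that defeats everything
            return True
        return _signers_allowed(pkg, signer_certs, self.allowlist)


class HardenedBroker:
    """No runtime switch exists.  A debug build may widen the allowlist at
    build time, but the signature check itself can never be skipped."""

    def __init__(self, allowlist):
        self.allowlist = allowlist

    def caller_is_trusted(self, pkg, signer_certs):
        return _signers_allowed(pkg, signer_certs, self.allowlist)


def handle_token_request(broker, caller_pkg, caller_certs, refresh_token):
    """Release the cached refresh token only to a verified caller."""
    if broker.caller_is_trusted(caller_pkg, caller_certs):
        return refresh_token
    return None


TOKEN = "0.AXYA...constructed-refresh-token"
ATTACKER_CERT = b"-- constructed self-signed cert of a sideloaded app --"


def demo():
    """Run the same requests against what shipped and against the fixed logic."""
    vuln = VulnerableBroker(ALLOWLIST, is_debug_mode=True)  # the production mistake
    fixed = HardenedBroker(ALLOWLIST)
    legit, attacker = "com.example.office.word", "com.attacker.app"
    return {
        "vuln_attacker": handle_token_request(vuln, attacker, [ATTACKER_CERT], TOKEN),
        "fixed_attacker": handle_token_request(fixed, attacker, [ATTACKER_CERT], TOKEN),
        "fixed_legit": handle_token_request(fixed, legit, [LEGIT_CERT], TOKEN),
        # attacker spoofs the package name but cannot forge the signing cert
        "fixed_repackaged": handle_token_request(fixed, legit, [ATTACKER_CERT], TOKEN),
        # a second, unknown signer must also fail the all-signers check
        "fixed_extra_signer": handle_token_request(fixed, legit, [LEGIT_CERT, ATTACKER_CERT], TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "-> token released" if result else "-> denied")
```

The point of the hardened class is structural: the only way to make it trust a new caller is to change the allowlist, which is reviewable data, rather than to flip a boolean that silently removes the check.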
The tokens exposed were FOCI (Family of Client IDs) refresh tokens, the same long-lived credentials Microsoft uses to enable seamless single sign-on across its application suite. Because these tokens can be refreshed and reused over extended periods, traffic generated by an attacker impersonating the user would appear routine in network logs and offer no immediate signal of compromise. Enclave built a working proof-of-concept that extracted tokens through an unverified third-party application and successfully read email with them. Microsoft classified the issue as a local spoofing vulnerability under improper access control (CWE-284), noting that a malicious app already present on the device is the only prerequisite for exploitation. Password strength is no defense in this scenario: the attacker never sees or needs the password, and a refresh token issued after the legitimate user completed sign-in, including any multi-factor prompt, is replayed as if it were that user. Defenses therefore have to target the token and the device, through short token lifetimes, prompt revocation, Conditional Access policies and control over what can be installed on managed devices, rather than the credential itself.
Microsoft issued four CVEs on May 12 to address the issue: CVE-2026-41100 for Microsoft 365 Copilot (CVSS 4.4), CVE-2026-41101 for Word (CVSS 7.1), CVE-2026-41102 for PowerPoint (CVSS 7.1), and CVE-2026-42832 for Excel (CVSS 7.7). Loop and OneNote were reported as affected but did not receive separate CVE assignments in the May batch. The patched Word build for Android is 16.0.19822.20190, with the remaining apps fixed via corresponding Google Play updates. Teams shipped with the same flag explicitly set to false, which Enclave interprets as an accidental oversight in the affected apps rather than an intentional design choice. Importantly, none of the May Patch Tuesday entries were flagged as publicly known or exploited prior to disclosure, though the long refresh window of FOCI tokens means organizations cannot rule out quiet prior compromise.
Security teams should immediately push Google Play updates across all managed Android devices, particularly for accounts that may have run builds earlier than 16.0.19822.20190, and verify version compliance through their MDM platform. Because the patch closes the vulnerability but does not retroactively invalidate tokens that may have already been harvested, administrators should review Microsoft 365 sign-in logs for anomalous locations, unusual client app IDs, sign-ins that present an Office client app ID from an operating system or device the user does not own, and any other FOCI token activity inconsistent with normal user behavior, then revoke active sessions where suspicious patterns appear (revoking a user's sign-in sessions in Entra ID invalidates their refresh tokens, so an attacker's copy stops working). Since the attack required no permission grant, end users should check the installed-app list on their device for anything they do not recognize, especially apps that appeared around the time Microsoft 365 apps were installed or updated, rather than relying on a permission review to surface the malicious app. The incident is a stark reminder that session tokens are as sensitive as passwords themselves: a stolen refresh token can grant attacker access long after the original vulnerability is closed, and proactive monitoring remains essential even after patching.
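The log review described above, as an added Python example that is not part of the original article. The records are constructed to mimic the field names of Entra ID sign-in log entries (createdDateTime, userPrincipalName, appId, ipAddress, location, deviceDetail); the users, IP addresses, countries and the "expected" client app IDs are all made up, so substitute your tenant's real Office client IDs and a baseline drawn from your own logs. A replayed refresh token produces a sign-in that looks legitimate, so the code scores several weak signals per event rather than looking for one conclusive one.

```python
"""Hunt for replay of stolen Microsoft 365 refresh tokens in sign-in logs.
Added example; records are constructed to mimic Entra ID sign-in log fields,
and the app IDs, users, IPs and countries are invented."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical client app IDs the Android Office apps are expected to present.
EXPECTED_APP_IDS = {
    "11111111-0000-0000-0000-000000000001",  # placeholder for Word/Excel/PowerPoint
    "11111111-0000-0000-0000-000000000002",  # placeholder for OneNote
}

# Constructed baseline period: what "normal" looks like for each user.
BASELINE_LOG = """\
{"createdDateTime":"2026-05-10T07:55:00Z","userPrincipalName":"alice@contoso.example","appId":"11111111-0000-0000-0000-000000000001","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Android"}}
{"createdDateTime":"2026-05-11T08:02:00Z","userPrincipalName":"alice@contoso.example","appId":"11111111-0000-0000-0000-000000000001","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Android"}}
{"createdDateTime":"2026-05-11T09:30:00Z","userPrincipalName":"bob@contoso.example","appId":"11111111-0000-0000-0000-000000000002","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Android"}}
"""

# Constructed review period after patching: the apps are updated, but a token
# harvested earlier may still be in an attacker's hands.
REVIEW_LOG = """\
{"createdDateTime":"2026-05-13T08:00:00Z","userPrincipalName":"alice@contoso.example","appId":"11111111-0000-0000-0000-000000000001","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Android"}}
{"createdDateTime":"2026-05-13T08:40:00Z","userPrincipalName":"alice@contoso.example","appId":"11111111-0000-0000-0000-000000000001","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"deviceDetail":{"operatingSystem":"Linux"}}
{"createdDateTime":"2026-05-13T09:15:00Z","userPrincipalName":"bob@contoso.example","appId":"22222222-0000-0000-0000-000000000009","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Android"}}
{"createdDateTime":"2026-05-13T10:00:00Z","userPrincipalName":"bob@contoso.example","appId":"11111111-0000-0000-0000-000000000002","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"deviceDetail":{"operatingSystem":"Android"}}
"""


def parse_signins(text):
    """One JSON object per line, as exported from the sign-in log."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def build_baseline(events):
    """Per-user set of countries and operating systems seen during the baseline."""
    base = defaultdict(lambda: {"countries": set(), "os": set()})
    for e in events:
        b = base[e["userPrincipalName"]]
        b["countries"].add(e["location"]["countryOrRegion"])
        b["os"].add(e["deviceDetail"]["operatingSystem"])
    return base


def detect_token_replay(baseline_events, review_events, travel_window=timedelta(hours=2)):
    """Return review-period sign-ins that carry replay indicators.

    None of the signals is conclusive alone, so each finding lists every
    reason it tripped and the analyst weighs them together.
    """
    baseline = build_baseline(baseline_events)
    last_seen = {}  # user -> (time, country) of that user's previous sign-in
    findings = []
    for e in sorted(review_events, key=_when):
        user, t = e["userPrincipalName"], _when(e)
        country = e["location"]["countryOrRegion"]
        os_name = e["deviceDetail"]["operatingSystem"]
        reasons = []
        if e["appId"] not in EXPECTED_APP_IDS:
            reasons.append("unexpected_app_id")  # token used by a client we never ship
        if user in baseline and country not in baseline[user]["countries"]:
            reasons.append("new_country")
        if user in baseline and os_name not in baseline[user]["os"]:
            reasons.append("os_mismatch")  # Android-only user, token replayed from a script
        prev = last_seen.get(user)
        if prev and prev[1] != country and t - prev[0] <= travel_window:
            reasons.append("impossible_travel")
        last_seen[user] = (t, country)
        if reasons:
            findings.append({"user": user, "time": e["createdDateTime"], "ip": e["ipAddress"],
                             "appId": e["appId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_token_replay(parse_signins(BASELINE_LOG), parse_signins(REVIEW_LOG)):
        print(f["user"], f["time"], f["ip"], ", ".join(f["reasons"]), "-> revoke sessions and investigate")
```

On the constructed data this flags alice's 08:40 sign-in (new country, non-Android OS, forty minutes after a US sign-in) and bob's 09:15 sign-in (an app ID outside the expected set). For a confirmed hit, revoking the user's sign-in sessions (for example with the Microsoft Graph PowerShell cmdlet Revoke-MgUserSignInSession) invalidates the refresh tokens, which is the step that actually cuts off an attacker holding a harvested FOCI token.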