Leftover Debug Flag in Microsoft 365 Android Apps Exposed Account Tokens

A leftover debug flag in Microsoft's shared Android SDK allowed any app on the same device to steal FOCI authentication tokens from six popular Office apps, granting unauthorized access to email, files, and calendars.

CSBadmin
2 Min Read

Discovery and Mechanism

Security researchers at Enclave uncovered a critical vulnerability in several Microsoft 365 Android applications, which they named FlagLeft. The flaw came down to a single line in a shared Microsoft SDK that was left active in production builds: `setIsDebugMode(true)`. That debug flag disabled the access-control check meant to restrict account-token sharing to trusted Microsoft apps. As a result, any other application installed on the same Android device could request and receive the signed-in user's FOCI (Family of Client IDs) token, the family refresh token behind Microsoft's single sign-on across its own apps.

With this token, an attacker could read email, open files, browse calendars, and send messages as the victim without a password, a login screen, or any permission prompt. Because each request carries a valid token for the real user, the activity looks like normal traffic in logs, which makes detection difficult. Enclave demonstrated a proof of concept in which an unverified third-party app pulled tokens and used them to access email.
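As an added illustration, not code from Microsoft's SDK or from Enclave's research, the following hypothetical Android gate shows the shape of the bug: a runtime debug flag that bypasses the caller check on a token-sharing endpoint, next to a hardened version that identifies the caller by Binder UID and pins the signing certificate. The class and method names, the allowlist and its placeholder hash are assumptions made for the example.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical caller check in front of an exported token-sharing endpoint
 * (a bound Service or ContentProvider that other apps in the "family" call).
 * Not Microsoft's SDK; class and method names are assumed for illustration.
 */
public final class TokenShareGate {

    // Assumed allowlist: hex SHA-256 of the signing certificates of the apps
    // allowed to receive the family token. Placeholder value, not a real cert.
    private static final List<String> TRUSTED_SIGNER_SHA256 = Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000");

    private final PackageManager pm;
    private final boolean isDebugMode; // the kind of runtime flag the article describes

    public TokenShareGate(PackageManager pm, boolean isDebugMode) {
        this.pm = pm;
        this.isDebugMode = isDebugMode;
    }

    /** Vulnerable shape: a runtime debug flag short-circuits the caller check. */
    public boolean isCallerTrustedVulnerable() {
        if (isDebugMode) {
            return true; // with setIsDebugMode(true) in a release build, every app passes
        }
        return callerSignedByTrustedKey();
    }

    /**
     * Hardened shape: no runtime bypass at all. Debug-only behaviour belongs
     * behind a build-time constant (e.g. the Gradle-generated BuildConfig.DEBUG)
     * so it cannot be left switched on in a release build.
     */
    public boolean isCallerTrusted() {
        return callerSignedByTrustedKey();
    }

    /** Identify the caller from the Binder UID, never from a self-reported package name. */
    private boolean callerSignedByTrustedKey() {
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) {
            return false;
        }
        // Several packages can share one UID (sharedUserId); every one must be trusted.
        for (String pkg : pkgs) {
            if (!packageSignedByTrustedKey(pkg)) {
                return false;
            }
        }
        return true;
    }

    private boolean packageSignedByTrustedKey(String pkg) {
        PackageInfo info;
        try {
            info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
            return false; // refuse unsigned or multi-signer packages outright
        }
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        if (signers == null || signers.length == 0) {
            return false;
        }
        for (Signature s : signers) {
            if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(s.toByteArray()))) {
                return false;
            }
        }
        return true;
    }

    /** Hex SHA-256 of a DER-encoded signing certificate. */
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available on Android
        }
    }
}
```

`GET_SIGNING_CERTIFICATES` and `SigningInfo` need API 28 or later; older releases only offer the deprecated `GET_SIGNATURES` path. Pinning the certificate hash rather than the package name matters because any app can claim a package name, but only the holder of the signing key can produce a matching certificate. Signing-key rotation would additionally need `getSigningCertificateHistory()`, which this example leaves out.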

Affected Applications and Impact

The vulnerability affected six Microsoft 365 Android apps with billions of combined downloads: Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. Teams shipped with the same flag set to false and was not affected, which Enclave took as a sign that the true setting in the other apps was a configuration error rather than an intentional design choice. Microsoft issued four CVEs on May 12, 2026, all classified as spoofing under improper access control (CWE-284): CVE-2026-41100 for Microsoft 365 Copilot (CVSS 4.4), CVE-2026-41101 for Word (CVSS 7.1), CVE-2026-41102 for PowerPoint (CVSS 7.1), and CVE-2026-42832 for Excel (CVSS 7.7). Microsoft has released patches, and users should update all affected Microsoft 365 Android apps immediately. Note that updating closes the leak but does not invalidate tokens already taken from a device; a refresh token stays usable until it expires or is revoked.

Source: The Hacker News

The latest in cybersecurity news and updates.
