Microsoft: Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users

Microsoft 365 Android Apps Exposed to Silent Account Takeover via Forgotten Debug Flag

A critical vulnerability, dubbed FlagLeft, allowed any third-party Android app to silently steal Microsoft account tokens from six major Microsoft 365 apps (Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote) without user interaction or consent. The flaw stemmed from a single debug flag, setIsDebugMode(true), mistakenly left active in production code, which disabled a critical authorization check in Microsoft’s shared SDK.

The issue bypassed the Family of Client IDs (FOCI) token-sharing mechanism, which normally enables seamless single sign-on across Microsoft apps. With the debug flag enabled, any co-installed app could request and receive long-lived, refreshable tokens, granting attackers access to emails, OneDrive files, calendar data, and more, all under the victim’s identity. Microsoft Teams was unaffected, as its debug flag was correctly disabled.
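As an added illustration (not code from the article, from Microsoft, or from the researchers), here is a simplified Python model of the pattern described above: a token broker that should hand family tokens only to callers whose package name and signing certificate are on an allowlist, shown in the vulnerable form where a debug switch disables that check and in a hardened form where it cannot, plus a release-build guard that reports a debug switch left on. All package names, digests and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample allowlist: family app package -> signing-certificate digest.
# A real broker verifies the caller's signing certificate; these values are made up.
FAMILY_ALLOWLIST = {
    "com.example.word": "sha256:1111",
    "com.example.excel": "sha256:2222",
}


@dataclass(frozen=True)
class Caller:
    package: str       # package name of the app asking for a token
    cert_digest: str   # digest of the certificate that signed that app


@dataclass(frozen=True)
class BrokerConfig:
    debug_mode: bool     # analogue of the forgotten setIsDebugMode(true)
    release_build: bool  # True for a production build


def caller_in_family(caller: Caller) -> bool:
    """A caller is a family member only if package AND signing cert both match."""
    return FAMILY_ALLOWLIST.get(caller.package) == caller.cert_digest


def issue_token_vulnerable(cfg: BrokerConfig, caller: Caller) -> Optional[str]:
    """Vulnerable pattern: debug mode switches the caller check off entirely,
    so any co-installed app gets a family refresh token."""
    if cfg.debug_mode or caller_in_family(caller):
        return f"refresh-token-for-{caller.package}"
    return None


def issue_token_fixed(cfg: BrokerConfig, caller: Caller) -> Optional[str]:
    """Hardened pattern: the authorization check never depends on a debug switch;
    debug mode may change logging, never who gets a token."""
    if not caller_in_family(caller):
        return None
    return f"refresh-token-for-{caller.package}"


def release_config_findings(cfg: BrokerConfig) -> List[str]:
    """Build-time guard: list debug switches that are on in a release build,
    so CI can fail before a production artifact ships."""
    findings = []
    if cfg.release_build and cfg.debug_mode:
        findings.append("debug_mode enabled in release build")
    return findings
```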

Discovered by researchers at Enclave and Ofek Levin, the vulnerability exposed billions of Android users globally, with no visible indicators of compromise. Microsoft assigned multiple CVEs, including CVE-2026-41100 (Copilot, CVSS 4.4), CVE-2026-41101 (Word, CVSS 7.1), CVE-2026-41102 (PowerPoint, CVSS 7.1), and CVE-2026-41099 (Office for Android, CVSS 7.7), all classified under CWE-284: Improper Access Control.

Microsoft patched all affected apps on May 12, 2026, requiring users to update to the latest versions. Enterprise administrators were advised to verify deployments and monitor OAuth token activity for anomalies. The incident highlighted how a single overlooked development artifact could undermine an entire authentication framework, with a shared SDK amplifying the risk across multiple high-profile apps. Enclave’s AI-assisted analysis played a key role in mapping the vulnerability’s full scope.

Source: https://cybersecuritynews.com/microsoft-365-android-apps-account-takeover-vulnerability/

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

"id": "MIC1780475036",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Billions of Android users '
                                              'globally',
                        'industry': 'Technology/Software',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Enterprise',
                        'type': 'Corporation'}],
 'attack_vector': 'Third-party Android app co-installation',
 'customer_advisories': 'Users required to update affected Microsoft 365 '
                        'Android apps to the latest versions.',
 'data_breach': {'personally_identifiable_information': 'Yes (account data, '
                                                        'emails, files)',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, corporate data)',
                 'type_of_data_compromised': 'Authentication tokens, emails, '
                                             'files, calendar data'},
 'date_resolved': '2026-05-12',
 'description': 'A critical vulnerability, dubbed *FlagLeft*, allowed any '
                'third-party Android app to silently steal Microsoft account '
                'tokens from six major Microsoft 365 apps (Word, PowerPoint, '
                'Excel, Microsoft 365 Copilot, Loop, and OneNote) without user '
                'interaction or consent. The flaw stemmed from a single debug '
                'flag, `setIsDebugMode(true)`, mistakenly left active in '
                'production code, disabling a critical authorization check in '
                'Microsoft’s shared SDK. The issue bypassed the *Family of '
                'Client IDs (FOCI)* token-sharing mechanism, enabling '
                'attackers to access emails, OneDrive files, calendar data, '
                'and more under the victim’s identity.',
 'impact': {'brand_reputation_impact': 'High (global exposure, no visible '
                                       'indicators of compromise)',
            'data_compromised': 'Microsoft account tokens, emails, OneDrive '
                                'files, calendar data',
            'identity_theft_risk': 'High (account takeover, access to PII)',
            'operational_impact': 'Potential unauthorized access to sensitive '
                                  'data and accounts',
            'systems_affected': 'Microsoft 365 Android apps (Word, PowerPoint, '
                                'Excel, Copilot, Loop, OneNote)'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'A single overlooked development artifact (debug flag) can '
                    'undermine an entire authentication framework, with shared '
                    'SDKs amplifying risk across multiple high-profile apps.',
 'post_incident_analysis': {'corrective_actions': 'Disabled debug flag, '
                                                  'released patches, advised '
                                                  'monitoring of OAuth token '
                                                  'activity, and improved code '
                                                  'review processes.',
                            'root_causes': 'Debug flag '
                                           '(`setIsDebugMode(true)`) '
                                           'mistakenly left active in '
                                           'production code, disabling '
                                           'critical authorization checks in '
                                           'Microsoft’s shared SDK.'},
 'recommendations': 'Verify app deployments, monitor OAuth token activity, '
                    'enforce strict code review processes for debug flags in '
                    'production, and leverage AI-assisted analysis for '
                    'vulnerability mapping.',
 'references': [{'source': 'Enclave and Ofek Levin Research'}],
 'response': {'communication_strategy': 'Public disclosure of vulnerability '
                                        'and patch details',
              'containment_measures': 'Patch released for all affected apps',
              'enhanced_monitoring': 'Monitoring OAuth token activity for '
                                     'anomalies',
              'recovery_measures': 'Enterprise administrators advised to '
                                   'verify deployments and monitor OAuth token '
                                   'activity',
              'remediation_measures': 'Disabled debug flag in production code, '
                                      'required app updates',
              'third_party_assistance': 'Enclave, Ofek Levin (researchers)'},
 'stakeholder_advisories': 'Enterprise administrators advised to verify '
                           'deployments and monitor OAuth token activity for '
                           'anomalies.',
 'title': 'Microsoft 365 Android Apps Exposed to Silent Account Takeover via '
          'Forgotten Debug Flag',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, '
                            'CVE-2026-41099 (CWE-284: Improper Access Control)'}