A debug setting accidentally left enabled in production releases of six Microsoft Android apps — Word, Excel, PowerPoint, OneNote, Loop, and 365 Copilot — exposed users to account takeover at massive scale. Researchers at Enclave found that the setting disabled a security check meant to stop untrusted apps from obtaining Microsoft authentication tokens.
Any malicious Android app installed on the same device could silently request and receive sign-in tokens, giving an attacker access to the victim's email, Teams messages, and files. Worse, the stolen tokens were long-lived FOCI (Family of Client IDs) refresh tokens, which Microsoft's first-party apps share: a refresh token obtained through one app can be exchanged for access tokens for the others, and the resulting sign-ins look like ordinary first-party client traffic, so they are very hard to tell apart from legitimate use. Microsoft has since patched all six apps; the issues are tracked under CVE identifiers ranging from CVE-2026-41100 to CVE-2026-42832.
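The article does not say how the disabled check was implemented, so the following is an added illustration, not code from the affected apps or from Microsoft. It shows the general shape of the control that such a debug switch defeats on Android: a component that hands out tokens verifies the calling app by the SHA-256 hash of its signing certificate before answering, and a build-time flag that short-circuits that verification (here `DEBUG_SKIP_CALLER_CHECK`, a hypothetical name) turns "only allowlisted apps" into "any app". The allowlist hash is a placeholder.

```java
// Added example, not Microsoft's code. Caller verification for an Android
// component (bound Service or ContentProvider) that returns auth tokens.
// Call these methods on the incoming binder thread so that
// Binder.getCallingUid() reflects the remote caller, not this process.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class CallerVerifier {
    // Hypothetical allowlist of SHA-256 hashes (lowercase hex) of the DER-encoded
    // signing certificates of apps allowed to obtain tokens. Placeholder value.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = new HashSet<>(Arrays.asList(
        "0000000000000000000000000000000000000000000000000000000000000000"
    ));

    // The bug pattern described above: a debug switch that bypasses the check.
    // A release build compiled with this set to true exposes tokens to every app
    // on the device. The safe fix is to remove the switch entirely rather than to
    // gate it on BuildConfig.DEBUG, which a mis-cut release build can still get wrong.
    private static final boolean DEBUG_SKIP_CALLER_CHECK = false;

    private final Context context;

    public CallerVerifier(Context context) {
        this.context = context.getApplicationContext();
    }

    // Vulnerable shape: the flag decides whether verification runs at all.
    public boolean callerIsTrusted() {
        if (DEBUG_SKIP_CALLER_CHECK) {
            return true; // any caller passes; this is the exposure
        }
        return callerIsTrustedStrict();
    }

    // Hardened shape: no bypass. Every package that shares the calling UID
    // (sharedUserId apps) must be signed by an allowlisted certificate; fail closed.
    public boolean callerIsTrustedStrict() {
        int uid = Binder.getCallingUid();
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        for (String pkg : packages) {
            if (!packageSignedByTrustedKey(pm, pkg)) {
                return false;
            }
        }
        return true;
    }

    private boolean packageSignedByTrustedKey(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            // Reject packages with multiple signers: the allowlist is per single certificate.
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
                return false;
            }
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return false;
            }
            for (Signature s : signers) {
                if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(s.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    // Hex SHA-256 of the certificate bytes; compare against the pinned allowlist.
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The design point is that the trust decision is tied to the caller's signing certificate, which a third-party app cannot forge, rather than to its package name, which it can. Once a flag exists that lets the check return true unconditionally, a single misconfigured release build collapses the whole control; a release-build test that fails if the flag is true is a cheap guard against exactly the mistake the article describes.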
Source: Dark Reading