
Debug configuration vulnerability in Microsoft 365 Android applications enables unauthorized token access

A debug setting left enabled in a shared Microsoft Android SDK disabled the check that verifies which application is asking for a token during app-to-app authentication handoffs, allowing any application on the same device to request sensitive FOCI tokens. Microsoft has patched the affected applications, and organizations should ensure their mobile fleets are updated.

Triage Security Media Team

Researchers at Enclave recently identified a vulnerability in several Microsoft 365 Android applications that could allow an unauthorized application installed on the same device to obtain a user's authentication tokens. The issue originated from a debug setting inadvertently left active in production releases of Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot.

These applications rely on a shared software development kit (SDK) to handle authentication handoffs, a feature that lets a user who is already signed in to one trusted Microsoft app move to another without logging in again. The apps share a trust relationship, and the SDK is what decides which requesting apps belong to that trusted set.

However, Enclave chief product officer Yanir Tsarimi noted that the active test setting effectively disabled a core security control within this handoff process. Normally, the control verifies the trust status of any application requesting an authentication token. With the check bypassed, any unverified application installed on the same device could request and receive Microsoft authentication credentials.

Impact of exposed FOCI tokens

The credentials exposed by this vulnerability were FOCI (Family of Client IDs) tokens. A FOCI refresh token issued to one Microsoft app can be redeemed for access tokens for any other application in the same family, so a token handed out by Excel is not limited to Excel. Refresh tokens are also long-lived by design: whoever holds one can keep exchanging it for fresh access tokens over an extended period, and each exchange looks like ordinary client activity rather than an anomalous event in sign-in logs.

A malicious actor could exploit this by getting a user to install an Android application containing a simple routine that silently requests a token from an affected Microsoft app. Because the vulnerable application would return the token without validating the requester, the malicious app could exfiltrate the credential. Once obtained, the FOCI token would grant access to the user's broader Microsoft 365 environment, allowing the attacker to read or send emails, view Teams messages, and open files as that user.

Remediation and zero-trust validation

Enclave disclosed the findings to Microsoft, which has since released updates to address the vulnerability across all affected applications. The flaws are tracked under CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, and CVE-2026-42832. Organizations managing Android devices should verify, through their MDM or application-inventory reporting, that users have updated to the patched versions of these applications. Note that patching closes the handoff but does not invalidate a refresh token that was already exfiltrated; such a token remains usable until it expires or is revoked, so organizations that suspect exposure should also consider revoking affected users' sessions.

This vulnerability underlines the critical role of secure token management in interconnected application environments. Ted Miracco, CEO of Approov, observes that back-end systems frequently treat authentication tokens as definitive proof of trust. If a token leaves its intended security boundary, unauthorized parties can interact with downstream services as if they were the legitimate user or application.

To mitigate these risks, organizations must evaluate both how credentials are issued and whether back-end services continuously verify the integrity and authenticity of the client device presenting them. A true zero-trust architecture assumes the local device environment may be compromised, including by other applications installed on it. Developers building mobile applications should carry this assumption through the engineering process, ensuring that sensitive tokens and API keys are protected against extraction via memory dumps or unauthorized inter-process communication, and that no test or debug switch can turn those protections off in a release build.
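The control described above (the handoff SDK verifying that the app asking for a token is a trusted family member) and the debug-flag failure mode are illustrated below as an added example. This is not Microsoft's SDK code and is not taken from the Enclave research; it is a generic Android caller check written for this page. It assumes the token handoff is exposed through a bound Service whose Binder method calls requestToken() on the caller's thread, and the TRUSTED_SIGNER_SHA256 digest and the SKIP_CALLER_VERIFICATION_FOR_TESTS flag are placeholders chosen for illustration.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;

/** Verifies that the IPC caller of a token handoff is signed by a trusted key. */
public final class CallerVerifier {

    // Placeholder allowlist: SHA-256 digests (hex) of the release signing
    // certificates of the apps allowed to receive a token. Real values come
    // from the app family's release signing keys, never from debug keystores.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    // The defect pattern from the article: a test switch that, if shipped as
    // true, makes verifyCaller() succeed for any app on the device. In a real
    // code base this should not exist in release builds at all (e.g. strip it
    // with a build-type check) rather than rely on someone remembering to flip it.
    private static final boolean SKIP_CALLER_VERIFICATION_FOR_TESTS = false;

    private final PackageManager pm;

    public CallerVerifier(Context context) {
        this.pm = context.getPackageManager();
    }

    /** Hands out the token only to a verified caller; call from the Binder method. */
    public String requestToken(Supplier<String> tokenSource) {
        if (!verifyCaller()) {
            throw new SecurityException("caller is not a trusted family application");
        }
        return tokenSource.get();
    }

    /** Returns true only if every package behind the calling UID is trusted. */
    public boolean verifyCaller() {
        if (SKIP_CALLER_VERIFICATION_FOR_TESTS) {
            // Vulnerable path: the trust check is bypassed for everyone.
            return true;
        }
        // Binder.getCallingUid() is the kernel-enforced identity of the IPC
        // peer; it cannot be spoofed by the caller, unlike a package name
        // passed as a parameter.
        int callingUid = Binder.getCallingUid();
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        // Several packages may share one UID (sharedUserId); require all of
        // them to be trusted so an untrusted co-tenant cannot ride along.
        for (String pkg : packages) {
            if (!isSignedByTrustedKey(pkg)) {
                return false;
            }
        }
        return true;
    }

    private boolean isSignedByTrustedKey(String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null) {
                return false;
            }
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return false;
            }
            // Every certificate that signed the APK contents must be allowlisted.
            for (Signature s : signers) {
                if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(s.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    private static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The point to take from the example is that the whole trust decision hinges on one boolean: with SKIP_CALLER_VERIFICATION_FOR_TESTS set to true, the signing-certificate comparison is never reached and any installed app that can bind the service gets a token. A release-build assertion or lint rule that fails the build when such a switch is enabled is cheaper than discovering it after shipping.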