Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover
Dark ReadingArchived Jun 03, 2026✓ Full text saved
A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data.
Full text archived locally
✦ AI Summary· Claude Sonnet
APPLICATION SECURITY
ENDPOINT SECURITY
MOBILE SECURITY
VULNERABILITIES & THREATS
NEWS
Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover
A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data.
Elizabeth Montalbano,Contributing Writer
June 3, 2026
4 Min Read
SOURCE: ZOONAR GMBH VIA ALAMY STOCK PHOTO
A coding mistake in several Microsoft 365 Android applications resulted in the exposure of user accounts to compromise at massive scale, demonstrating once again how dropping the ball on securing authentication tokens can undermine an entire trust model.
Researchers at Enclave discovered a vulnerability in a debug setting that was mistakenly left enabled in production releases of multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot, according to a blog post published Tuesday.
"A test setting was left turned on in six Microsoft apps on Android phones: Word, OneNote, PowerPoint, Excel, Loop and 365 Copilot," Enclave co-founder and chief product officer Yanir Tsarimi explains to Dark Reading. "That setting was meant to stop other apps from grabbing your login."
The setting's disengagement effectively disabled a security control responsible for ensuring that only trusted Microsoft applications could receive authentication tokens from other Microsoft apps on the device. This feature allows users to log in across the apps, which makes sense if there is a secure handoff in the trust relationship of these apps.
Related:Malicious Notifications Could Trick Google Gemini Users
Cross-Application Insecurity from Auth Tokens
According to Enclave, not only was the necessary authorization check protecting this exchange of data disabled in the Android apps, but the access to data also could be replicated across multiple Microsoft apps because the vulnerable code was inside a shared Microsoft software development kit (SDK).
With the protection bypassed, any Android app capable of requesting a token could potentially obtain Microsoft authentication credentials, Tsarimi explains.
This set up an exploit scenario in which "any other app on your phone could ask for your Microsoft login and get it," he says. "With all six, an attacker could read your email messages. With some, they could also send email messages, read your Teams messages, or open your files."
The issue demonstrates how "one tiny change" in the development process "can cause a big security problem," Tsarimi notes. "Here, flipping one setting from off to on was enough," he says, adding that development teams "can't let small mistakes like that slip by."
Unfortunately, these things happen "more often than people think," he tells Dark Reading. "Keeping software safe is hard," Tsarimi says. "In most apps this setting wouldn't matter. In these apps it really did."
A Simple Exploit to Nab Microsoft Credentials
For an attacker to exploit the situation would be fairly straightforward, according to Enclave. All they would have to do is distribute or update an Android app containing a small token-requesting routine that silently requests tokens from an affected Microsoft application.
Related:Microsoft's Zero-Day Legal Threats Spark Backlash
The vulnerable app would return the token without validating the requester's trust status. The attacker could then exfiltrate the token, and use it to access resources across other Microsoft 365 apps.
Further, what made the scenario so dangerous is that the exposed tokens were special "FOCI" tokens, which can be reused and refreshed over a long period of time without anyone noticing, according to Tsarimi. Moreover, the traffic and logs related to the activity would appear "exactly like normal," he wrote in the post.
Enclave responsibly disclosed the issue to Microsoft, which has since issued updates to fix and multiple CVEs for all of the flaws, which are tracked as CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102, and CVE-2026-42832. Microsoft did not immediately provide requested comments to Dark Reading.
Broader Security Implications for Clean Coding
The issue, while fixed, demonstrates not just the importance of clean coding, but also how ensuring the security of authentication tokens has become absolutely essential across interconnected Web-based applications and systems.
Related:Agentic AI Isn't Risky; the Way Orgs Deploy It Is
"Authentication tokens are too often treated as proof of trust by back-end systems, so any weakness that allows those tokens to be intercepted and reused will undermine the security assumptions protecting downstream services and data," says Ted Miracco, CEO of Approov.
Incidents like this, then, highlight the importance of validating how trustworthy an app and device are in combination with the user, Miracco says. That's because once tokens leave their intended security boundary, attackers may be able to interact with back-end systems as though they were legitimate users or applications.
"Organizations should be evaluating not only how credentials are issued, but also whether back-end services can continuously verify the integrity and authenticity of the client device and application presenting them for a true zero trust solution," he advises.
Those developing mobile devices also should do so under the assumption that the device they run on is already infected, keeping security top of mind through the process, Miracco tells Dark Reading. "Never hardcode API keys, secret tokens, or sensitive credentials within the application binary where a privileged attacker can extract them via memory dumps."
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
APPLICATION SECURITY
Supply Chain Attack Secretly Installs OpenClaw for Cline Users
by Rob Wright
FEB 19, 2026
APPLICATION SECURITY
Chinese Hackers Hijack Notepad++ Updates for 6 Months
by Jai Vijayan, Contributing Writer
FEB 02, 2026
APPLICATION SECURITY
Trump Administration Rescinds Biden-Era Software Guidance
by Alexander Culafi
JAN 29, 2026
APPLICATION SECURITY
Microsoft Fixes Exploited Zero Day in Light Patch Tuesday
by Jai Vijayan, Contributing Writer
DEC 09, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS