CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover

Dark Reading Archived Jun 03, 2026 ✓ Full text saved

A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data.

Full text archived locally
✦ AI Summary · Claude Sonnet


    APPLICATION SECURITY ENDPOINT SECURITY MOBILE SECURITY VULNERABILITIES & THREATS NEWS Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data. Elizabeth Montalbano,Contributing Writer June 3, 2026 4 Min Read SOURCE: ZOONAR GMBH VIA ALAMY STOCK PHOTO A coding mistake in several Microsoft 365 Android applications resulted in the exposure of user accounts to compromise at massive scale, demonstrating once again how dropping the ball on securing authentication tokens can undermine an entire trust model. Researchers at Enclave discovered a vulnerability in a debug setting that was mistakenly left enabled in production releases of multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot, according to a blog post published Tuesday.  "A test setting was left turned on in six Microsoft apps on Android phones: Word, OneNote, PowerPoint, Excel, Loop and 365 Copilot," Enclave co-founder and chief product officer Yanir Tsarimi explains to Dark Reading. "That setting was meant to stop other apps from grabbing your login." The setting's disengagement effectively disabled a security control responsible for ensuring that only trusted Microsoft applications could receive authentication tokens from other Microsoft apps on the device. This feature allows users to log in across the apps, which makes sense if there is a secure handoff in the trust relationship of these apps.  Related:Malicious Notifications Could Trick Google Gemini Users Cross-Application Insecurity from Auth Tokens According to Enclave, not only was the necessary authorization check protecting this exchange of data disabled in the Android apps, but the access to data also could be replicated across multiple Microsoft apps because the vulnerable code was inside a shared Microsoft software development kit (SDK). With the protection bypassed, any Android app capable of requesting a token could potentially obtain Microsoft authentication credentials, Tsarimi explains. This set up an exploit scenario in which "any other app on your phone could ask for your Microsoft login and get it," he says. "With all six, an attacker could read your email messages. With some, they could also send email messages, read your Teams messages, or open your files." The issue demonstrates how "one tiny change" in the development process "can cause a big security problem," Tsarimi notes. "Here, flipping one setting from off to on was enough," he says, adding that development teams "can't let small mistakes like that slip by." Unfortunately, these things happen "more often than people think," he tells Dark Reading. "Keeping software safe is hard," Tsarimi says. "In most apps this setting wouldn't matter. In these apps it really did." A Simple Exploit to Nab Microsoft Credentials For an attacker to exploit the situation would be fairly straightforward, according to Enclave. All they would have to do is distribute or update an Android app containing a small token-requesting routine that silently requests tokens from an affected Microsoft application.  Related:Microsoft's Zero-Day Legal Threats Spark Backlash The vulnerable app would return the token without validating the requester's trust status. The attacker could then exfiltrate the token, and use it to access resources across other Microsoft 365 apps. Further, what made the scenario so dangerous is that the exposed tokens were special "FOCI" tokens, which can be reused and refreshed over a long period of time without anyone noticing, according to Tsarimi. Moreover, the traffic and logs related to the activity would appear "exactly like normal," he wrote in the post. Enclave responsibly disclosed the issue to Microsoft, which has since issued updates to fix and multiple CVEs for all of the flaws, which are tracked as CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102, and CVE-2026-42832. Microsoft did not immediately provide requested comments to Dark Reading. Broader Security Implications for Clean Coding The issue, while fixed, demonstrates not just the importance of clean coding, but also how ensuring the security of authentication tokens has become absolutely essential across interconnected Web-based applications and systems. Related:Agentic AI Isn't Risky; the Way Orgs Deploy It Is "Authentication tokens are too often treated as proof of trust by back-end systems, so any weakness that allows those tokens to be intercepted and reused will undermine the security assumptions protecting downstream services and data," says Ted Miracco, CEO of Approov. Incidents like this, then, highlight the importance of validating how trustworthy an app and device are in combination with the user, Miracco says. That's because once tokens leave their intended security boundary, attackers may be able to interact with back-end systems as though they were legitimate users or applications. "Organizations should be evaluating not only how credentials are issued, but also whether back-end services can continuously verify the integrity and authenticity of the client device and application presenting them for a true zero trust solution," he advises. Those developing mobile devices also should do so under the assumption that the device they run on is already infected, keeping security top of mind through the process, Miracco tells Dark Reading. "Never hardcode API keys, secret tokens, or sensitive credentials within the application binary where a privileged attacker can extract them via memory dumps."  About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is freelance writer, editor, and  journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like APPLICATION SECURITY Supply Chain Attack Secretly Installs OpenClaw for Cline Users by Rob Wright FEB 19, 2026 APPLICATION SECURITY Chinese Hackers Hijack Notepad++ Updates for 6 Months by Jai Vijayan, Contributing Writer FEB 02, 2026 APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗