Microsoft 365 Android Coding Error Put Account Tokens at Risk
A coding error in several Microsoft 365 Android apps could have allowed a malicious app on the same device to silently obtain account tokens and act as the signed-in user, according to new research from Enclave.
The issue, which security firm Enclave calls "FlagLeft," affected Android versions of Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote. Microsoft has patched the vulnerabilities, but the finding is another reminder for enterprise IT teams that Microsoft 365 security is increasingly tied to identity, token handling and mobile endpoint controls.
"Our research found that any app installed on the same Android device could silently access a Microsoft 365 account's token," Enclave said in its report. "It could then act as the signed-in account (read email, open files, access documents, send messages, view calendars), without the user's knowledge."
The vulnerability stemmed from a development setting that Enclave said was left enabled in production releases of the affected Microsoft apps. The setting, identified in the report as setIsDebugMode(true), disabled a security check that should have verified whether the app requesting a token was trusted.
That check matters because Microsoft 365 apps on Android share account access so users do not have to sign in repeatedly. If a user signs into Word, for example, Microsoft can let other Microsoft apps reuse that authentication state. The handoff is only safe if the app holding the token first confirms that the app requesting it is a legitimate, trusted Microsoft app; with debug mode enabled, that confirmation was skipped. Enclave described shipping the setting in production as a major error on Microsoft's part.
"When an app asks for account tokens, Microsoft needs to check who is asking," Enclave wrote. "A trusted Microsoft app should be allowed through. A random app installed on the same phone? That's a no."
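To make the failure concrete, here is an added example of an Android service that hands out account tokens to other apps on the same device. It is my illustration, not Microsoft's or Enclave's code and not the implementation in the affected apps; the class name, the allowlist digest and the IS_DEBUG_MODE field are assumptions. The first method shows the pattern the report describes, a development switch that skips the caller check when set; the second keeps the check unconditional and identifies the caller by Binder UID and signing certificate rather than by package name.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import java.util.HashMap;
import java.util.Map;

// Added illustration (not Microsoft's or Enclave's code): a broker service that
// returns the signed-in account's token to other apps and must decide first
// whether the caller is trusted. Names and digest values are assumptions.
public class TokenBrokerService extends Service {

    // Assumed allowlist: SHA-256 digests of the signing certificates of the apps
    // permitted to share this account. Placeholder value, not a real certificate.
    private static final byte[][] TRUSTED_SIGNER_SHA256 = {
        hex("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
    };

    // The kind of development switch the report describes. Left true in a
    // release build, it turns the broker into an open token dispenser.
    private static final boolean IS_DEBUG_MODE = true;

    // Assumed in-memory token store keyed by account id.
    private final Map<String, String> tokenStore = new HashMap<>();

    // VULNERABLE: the flag short-circuits the only check standing between a
    // random app on the device and the signed-in account's tokens.
    boolean isCallerTrustedVulnerable() {
        if (IS_DEBUG_MODE) {
            return true; // any app, any signing key
        }
        return callerIsSignedByTrustedCert();
    }

    // HARDENED: no runtime switch exists that can disable verification.
    // Debug-only behaviour, if any, belongs behind BuildConfig.DEBUG and may
    // add test signers, but must never skip the check.
    boolean isCallerTrusted() {
        return callerIsSignedByTrustedCert();
    }

    // Identify the caller by its Binder UID (assigned by the system, not
    // supplied by the caller), then verify its signing certificate. Checking
    // the package name alone is not enough: a third-party app can register a
    // package name, but it cannot reproduce the signing key.
    private boolean callerIsSignedByTrustedCert() {
        PackageManager pm = getPackageManager();
        String[] packages = pm.getPackagesForUid(Binder.getCallingUid());
        if (packages == null) {
            return false; // unknown caller: fail closed
        }
        for (String pkg : packages) {
            for (byte[] cert : TRUSTED_SIGNER_SHA256) {
                // API 28+. Unlike GET_SIGNATURES, this also honours key rotation
                // by consulting the package's signing lineage.
                if (pm.hasSigningCertificate(pkg, cert, PackageManager.CERT_INPUT_SHA256)) {
                    return true;
                }
            }
        }
        return false;
    }

    // Binder returned to clients. A production service would expose this via
    // AIDL, but the enforcement point is the same: re-check the caller inside
    // every request, on the Binder thread, where getCallingUid() is valid.
    public final class TokenBinder extends Binder {
        public String getToken(String accountId) {
            if (!isCallerTrusted()) {
                throw new SecurityException("untrusted caller uid " + Binder.getCallingUid());
            }
            return tokenStore.get(accountId);
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        return new TokenBinder();
    }

    // Decode a hex string into the raw certificate digest bytes.
    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two caveats a reviewer would want. First, the check must run per request and not once at bind time, because Binder.getCallingUid() only identifies the caller while a transaction is in flight. Second, a static boolean such as IS_DEBUG_MODE is easy to leave flipped; if a build needs relaxed verification for testing, gate it on the Gradle-generated BuildConfig.DEBUG (false in release builds) and have a release-build test assert that the relaxed path is unreachable.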
Researchers said they created a test app that could pull Microsoft account tokens from the affected apps without asking for a password, showing a login screen or triggering obvious Android permission warnings.
Those tokens, known as FOCI (family of client IDs) refresh tokens, are especially useful to attackers because they can be refreshed and reused, and a refresh token issued to one app in the family can be redeemed for access tokens for the other Microsoft apps in that family. In practice, that could let a malicious app keep access to a Microsoft 365 account for as long as the refresh token stays valid, without ever prompting the user.
Enclave reported the flaws to the Microsoft Security Response Center, and Microsoft has since fixed them. Because the fix lives in the apps themselves rather than on Microsoft's servers, enterprise IT teams should confirm that the affected Microsoft 365 Android apps (Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop and OneNote) are updated across both managed and unmanaged Android devices.
Mobile app risk is not limited to malware or sideloaded apps, said Enclave. A single production flag in a trusted enterprise app can undermine the security model around authentication tokens.
"The important part is this: a development setting reached production in several major apps and changed the behavior of a system protecting account access," Enclave said. "That should be hard to do by accident. Here, it was not hard enough."
The timing also gives defenders another reason to pay attention. The Enclave findings mark the second major Microsoft 365 security concern to surface in the past couple of weeks, following the FBI's warning about Kali365, a phishing-as-a-service platform that targets Microsoft 365 environments by stealing OAuth access tokens and bypassing MFA.
The Kali365 warning focused on attacker abuse of Microsoft's legitimate OAuth device code flow, while the Enclave research centers on a coding error inside Microsoft's own Android apps. The paths are different, but the lesson for enterprise IT is similar: Microsoft 365 account security increasingly depends on protecting tokens, not just passwords.
For defenders, that means patching mobile apps promptly, reviewing Conditional Access policies (for example, requiring compliant or app-protected devices for mobile sign-ins), watching for unusual token use such as sign-ins or refresh-token redemptions from unexpected client apps, and treating mobile endpoints as part of the Microsoft 365 identity perimeter.