Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Dark Reading

Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover

A coding error left a debug setting enabled in production Android apps for Microsoft Word, PowerPoint, Excel, OneNote, Loop, and Microsoft 365 Copilot, disabling a security control that protected authentication tokens from interception by other apps on the device. The vulnerabilities are tracked as CVE-2026-41100 (CVSS 4.4) for Copilot and CVE-2026-41101/41102 (CVSS 7.1) for Word and PowerPoint. Affected versions are all releases prior to 16.0.19822.20190, to which users must upgrade to remediate the issue.

A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data.
Elizabeth Montalbano, Contributing Writer
June 3, 2026
4 Min Read

A coding mistake in several Microsoft 365 Android applications resulted in the exposure of user accounts to compromise at massive scale, demonstrating once again how dropping the ball on securing authentication tokens can undermine an entire trust model.

Researchers at Enclave discovered a vulnerability in a debug setting that was mistakenly left enabled in production releases of multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot, according to a blog post published Tuesday.

"A test setting was left turned on in six Microsoft apps on Android phones: Word, OneNote, PowerPoint, Excel, Loop and 365 Copilot," Enclave co-founder and chief product officer Yanir Tsarimi explains to Dark Reading. "That setting was meant to stop other apps from grabbing your login."

The setting's disengagement effectively disabled a security control responsible for ensuring that only trusted Microsoft applications could receive authentication tokens from other Microsoft apps on the device. This feature lets users sign in once and reuse that session across the apps, which is sound only if the handoff between the apps rests on a secure trust relationship.

Cross-Application Insecurity from Auth Tokens

According to Enclave, not only was the authorization check protecting this exchange disabled in the Android apps, but the exposure was replicated across multiple Microsoft apps because the vulnerable code lived inside a shared Microsoft software development kit (SDK). With the protection bypassed, any Android app capable of requesting a token could potentially obtain Microsoft authentication credentials, Tsarimi explains. This set up an exploit scenario in which "any other app on your phone could ask for your Microsoft login and get it," he says.
"With all six, an attacker could read your email messages. With some, they could also send email messages, read your Teams messages, or open your files."

The issue demonstrates how "one tiny change" in the development process "can cause a big security problem," Tsarimi notes. "Here, flipping one setting from off to on was enough," he says, adding that development teams "can't let small mistakes like that slip by." Unfortunately, these things happen "more often than people think," he tells Dark Reading. "Keeping software safe is hard," Tsarimi says. "In most apps this setting wouldn't matter. In these apps it really did."

A Simple Exploit to Nab Microsoft Credentials

Exploiting the flaw would be fairly straightforward, according to Enclave. An attacker would only have to distribute or update an Android app containing a small routine that silently requests tokens from an affected Microsoft application. The vulnerable app would return the token without validating the requester's trust status. The attacker could then exfiltrate the token and use it to access resources across other Microsoft 365 apps.

What made the scenario especially dangerous is that the exposed tokens were special "FOCI" tokens, which can be reused and refreshed over a long period without anyone noticing, according to Tsarimi. Moreover, the traffic and logs related to the activity would appear "exactly like normal," he wrote in the post.

Enclave responsibly disclosed the issue to Microsoft, which has since issued updates to fix the flaws and assigned multiple CVEs to them: CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, and CVE-2026-42832. Microsoft did not immediately respond to Dark Reading's request for comment.
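The control the article describes, an inter-app token broker that should hand tokens only to callers it can verify, modeled in Python as an added illustration (this is not Microsoft's SDK, Enclave's code, or the real Android API). The model shows the weak configuration beside the corrected one: a test-only switch that skips caller verification, honored unconditionally in the vulnerable variant and rejected outright in release builds by the hardened variant. The package names, certificate bytes, the `skip_caller_verification` flag name and the token value are constructed for illustration; on a real device the caller's package name and signing certificate would come from the operating system, which the model simply takes as input.

```python
"""Model of an inter-app token broker's caller trust check.

Added illustration; not Microsoft's SDK or Enclave's code. On Android the
broker would derive the caller's identity from the OS (calling UID, package
name and signing certificates); here that identity is a constructed input.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed allowlist: package name -> fingerprint of the certificate the
# package must be signed with. A package name alone is not a trust signal,
# because any app can claim one; the signing certificate is what binds it.
TRUSTED_APPS = {
    "com.example.mail": cert_fingerprint(b"constructed-signing-cert-A"),
    "com.example.docs": cert_fingerprint(b"constructed-signing-cert-B"),
}


@dataclass(frozen=True)
class Caller:
    package: str         # package name the OS reports for the calling UID
    signing_cert: bytes  # DER bytes of that package's signing certificate


@dataclass(frozen=True)
class BrokerConfig:
    release_build: bool
    # The kind of test-only switch the article describes (hypothetical name):
    # meant for local debugging, must never be on in a production build.
    skip_caller_verification: bool = False


def caller_is_trusted(caller: Caller) -> bool:
    """True only if the caller's package is allowlisted AND its signing
    certificate matches the fingerprint recorded for that package."""
    expected = TRUSTED_APPS.get(caller.package)
    if expected is None:
        return False
    actual = cert_fingerprint(caller.signing_cert)
    return hmac.compare_digest(actual, expected)


def issue_token_vulnerable(config: BrokerConfig, caller: Caller,
                           token: str) -> Optional[str]:
    """Honors the debug switch unconditionally. A release build shipped with
    the switch left on hands the token to every caller, trusted or not."""
    if config.skip_caller_verification or caller_is_trusted(caller):
        return token
    return None


def release_config_is_safe(config: BrokerConfig) -> bool:
    """A release build with verification disabled is a misconfiguration.
    Suitable as a startup self-check and as a CI gate on the build config."""
    return not (config.release_build and config.skip_caller_verification)


def issue_token_hardened(config: BrokerConfig, caller: Caller,
                         token: str) -> Optional[str]:
    """Fails closed: the debug switch is honored only in non-release builds,
    and a release build that carries it refuses to broker tokens at all."""
    if not release_config_is_safe(config):
        raise RuntimeError("caller verification is disabled in a release build")
    if not config.release_build and config.skip_caller_verification:
        return token
    return token if caller_is_trusted(caller) else None


if __name__ == "__main__":
    prod = BrokerConfig(release_build=True)
    shipped_with_debug_on = BrokerConfig(release_build=True,
                                         skip_caller_verification=True)
    token = "constructed-family-refresh-token"
    stranger = Caller("com.example.unrelated", b"constructed-signing-cert-X")
    impostor = Caller("com.example.mail", b"constructed-signing-cert-X")
    genuine = Caller("com.example.mail", b"constructed-signing-cert-A")

    print("vulnerable, stranger:", issue_token_vulnerable(shipped_with_debug_on, stranger, token))
    print("hardened, stranger:  ", issue_token_hardened(prod, stranger, token))
    print("hardened, impostor:  ", issue_token_hardened(prod, impostor, token))
    print("hardened, genuine:   ", issue_token_hardened(prod, genuine, token))
```

The impostor case is the one worth noticing: it presents an allowlisted package name with the wrong signing certificate and is refused, because trust is bound to the certificate fingerprint, not the name. The release-build check turns the article's "one setting flipped" failure from silent over-issuance into a hard error that a startup self-test or CI gate catches before shipping.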
Broader Security Implications for Clean Coding

The issue, while fixed, demonstrates not just the importance of clean coding, but also how ensuring the security of authentication tokens has become essential across interconnected Web-based applications and systems.

"Authentication tokens are too often treated as proof of trust by back-end systems, so any weakness that allows those tokens to be intercepted and reused will undermine the security assumptions protecting downstream services and data," says Ted Miracco, CEO of Approov.

Incidents like this highlight the importance of validating how trustworthy an app and device are in combination with the user, Miracco says. Once tokens leave their intended security boundary, attackers may be able to interact with back-end systems as though they were legitimate users or applications.

"Organizations should be evaluating not only how credentials are issued, but also whether back-end services can continuously verify the integrity and authenticity of the client device and application presenting them for a true zero trust solution," he advises.

Those developing mobile apps also should do so under the assumption that the device they run on is already infected, keeping security top of mind throughout the process, Miracco tells Dark Reading. "Never hardcode API keys, secret tokens, or sensitive credentials within the application binary where a privileged attacker can extract them via memory dumps."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City.
She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.