Enclave researchers have disclosed FlagLeft, a flaw in Microsoft 365 Android apps that let any local app steal account tokens because a shared Microsoft SDK shipped with setIsDebugMode(true) left in production code, skipping the check that should reject untrusted apps requesting SSO handoff. The leaked FOCI single-sign-on tokens can be refreshed and reused over long periods, with traffic that looks routine in logs. It affected Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote (billions of downloads); Teams shipped the flag false and was unaffected. Microsoft issued four CVEs on May 12 (CVE-2026-41100/41101/41102/42832). The patched Android Word build is 16.0.19822.20190; a malicious on-device app is all it takes.