Last updated: July 5, 2026 at 9:01 AM UTC

Microsoft 365 Android apps leak FOCI SSO tokens to any local app via leftover setIsDebugMode(true) - four CVEs, six apps

Enclave researchers have disclosed FlagLeft, a flaw in Microsoft 365 Android apps that lets any local app steal account tokens: a shared Microsoft SDK shipped with setIsDebugMode(true) left in production code, which skips the check that should reject untrusted apps requesting an SSO handoff. The leaked FOCI single-sign-on tokens can be refreshed and reused over long periods, and the resulting traffic looks routine in logs. The flaw affected Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote (billions of downloads combined); Teams shipped with the flag set to false and was unaffected. Microsoft issued four CVEs on May 12 (CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, CVE-2026-42832). The patched Android Word build is 16.0.19822.20190; a malicious app installed on the same device is all it takes to exploit the flaw.

Check
Push Microsoft 365 Android app updates via MDM. Confirm Word is on build 16.0.19822.20190 or later and that the other affected apps have been updated through Google Play. Audit Android fleets for sideloaded apps, since any local app can exploit an unpatched build.
Affected
Microsoft 365 Android apps (Word, PowerPoint, Excel, Copilot, Loop, OneNote) below the patched builds. A malicious on-device app can steal refreshable FOCI SSO tokens; Teams was unaffected.
Fix
Update all M365 Android apps from Google Play. Note that the patch does not revoke already-stolen tokens: revoke active sessions for potentially affected users and enforce app-install controls on managed devices.