INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Microsoft 365 Account Takeover Exploited via Coding Vulnerability
2026-06-03 19:00 | MEDIUM | HIGH
Executive Summary (AI-generated)
The recent incident involving Microsoft 365 accounts being exposed to widespread takeover due to a coding mistake in several Android applications has highlighted the critical need for robust security measures. Researchers at Enclave discovered a debug setting that was mistakenly left enabled in production releases of multiple apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot. This allowed attackers to bypass the necessary authorization checks and replicate the access across affected apps, because the vulnerable code was part of a shared software development kit (SDK). The incident demonstrates how even seemingly secure systems can be compromised if they are not properly secured against coding mistakes or vulnerabilities in third-party applications.
Technical Mitigations (AI-generated)
• Disabling the "debug setting" in Microsoft Android apps to prevent exposure of user accounts.
• Ensuring that authentication tokens are validated and not reused across multiple applications.
• Fixing vulnerabilities in software development kits (SDKs) used by Microsoft 365 applications.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Spark, Shai-Hulud
CVE-2026-41100, CVE-2026-41102, CVE-2026-42832, CVE-2026-41101
Target & Sectors
Global Scope
Legal
Incident Timeline
2026/06/03
Threat actors exploited a coding mistake in multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and 365 Copilot, to gain unauthorized access to user accounts.
Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover.
A coding mistake in several Microsoft 365 Android applications resulted in the exposure of user accounts to compromise at massive scale, demonstrating once again how dropping the ball on securing authentication tokens can undermine an entire trust model.
Researchers at Enclave discovered a vulnerability in a debug setting that was mistakenly left enabled in production releases of multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot, according to a blog post published Tuesday.
The attacker could then exfiltrate the token, and use it to access resources across other Microsoft 365 apps.
"A test setting was left turned on in six Microsoft apps on Android phones: Word, OneNote, PowerPoint, Excel, Loop and 365 Copilot," Enclave co-founder and chief product officer Yanir Tsarimi explains to Dark Reading.
According to Enclave, not only was the necessary authorization check protecting this exchange of data disabled in the Android apps, but the access to data also could be replicated across multiple Microsoft apps because the vulnerable code was inside a shared Microsoft software development kit (SDK).
With the protection bypassed, any Android app capable of requesting a token could potentially obtain Microsoft authentication credentials, Tsarimi explains.
All they would have to do is distribute or update an Android app containing a small token-requesting routine that silently requests tokens from an affected Microsoft application.
Related:
Malicious Notifications Could Trick Google Gemini Users
Cross-Application Insecurity from Auth Tokens
Enclave responsibly disclosed the issue to Microsoft, which has since issued updates to fix the flaws and assigned multiple CVEs to them, tracked as CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, and CVE-2026-42832.
Related:
Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories
Broader Security Implications for Clean Coding
The issue, while fixed, demonstrates not just the importance of clean coding, but also how ensuring the security of authentication tokens has become absolutely essential across interconnected Web-based applications and systems.
Incidents like this, then, highlight the importance of validating how trustworthy an app and device are in combination with the user, Miracco says.
Intelligence Sources
Dark Reading, 2026-06-03
Incident Version History
Current version, last updated 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
• Microsoft (organisation, identified entity): 13x
• CVE-2026-41100 (vulnerability, exploited CVE): 4x
• Microsoft 365 (infrastructure, affected product): 2x
• Shai-Hulud (malware, malware payload): 2x
Contextual Telemetry (4 metrics)
• General metric: Accounts: 365
• General metric: Microsoft repositories (cross-application insecurity): 73
• Tactic: MITRE ATT&CK technique T1589.001 - Credentials
• Industry: Targeted sector: Legal