Microsoft 365 Android apps exposed to a low-level vulnerability: any third-party app could silently steal the account login token because of a debug-mode error

IT House report, June 5: a serious vulnerability has been disclosed in the Microsoft 365 Android apps. The good news is that it was fixed before disclosure.

Security researchers say that Microsoft's Android mobile apps shipped with a debug flag (Debug Flag) meant only for testing left enabled in the official production build, an oversight by the developers during release.

This basic mistake disabled the apps' security verification outright, allowing any third-party app installed on the same device to silently steal the Microsoft 365 account login token without the user's knowledge, and then read mail, access files, view calendars and send messages as the logged-in user.

The affected apps include Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote.

Microsoft has now fixed the issue and shipped security patches for each affected app, and recommends that all affected users update to the latest version through the app store immediately.

Security researchers noted that the Teams app was unaffected because the debug flag had not been enabled there. The affected apps, however, have billions of cumulative downloads on Google Play.

The technical cause of the vulnerability is not complicated. To improve the user experience, Microsoft designed a credential-sharing mechanism (single sign-on) between its Microsoft 365 apps: once a user signs in to Word, for example, other Microsoft apps can use the same account without authenticating again.

During a normal token hand-over, the app must verify that the request comes from a trusted Microsoft application. Through developer oversight, however, the Android Microsoft 365 apps kept setIsDebugMode(true) in the official release. This debug flag, which should only have existed during development, made it into the production build and bypassed the legitimacy check on the caller's identity entirely. As a result, any unverified third-party app on the device could intercept and obtain the account's login token simply by sending a specific request, with no user password required, no login page shown, and no permission request that might have alerted the user.
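The caller-identity check the article describes, as an added illustration that is not Microsoft's code nor the SDK in question: a component that hands out SSO tokens to sibling apps must confirm the requesting app's package name and signing certificate before answering, and a debug flag that short-circuits that check makes every app on the device a trusted caller. The class name, the package name in the allowlist and the certificate digest are placeholders; the Android APIs used (Binder.getCallingUid, PackageManager.getPackagesForUid, PackageManager.GET_SIGNING_CERTIFICATES, SigningInfo) are real.

```java
// Added example, not Microsoft's code: the shape of a caller-identity check in an
// Android SSO token broker, showing the debug bypass beside the hardened form.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Binder;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public final class CallerVerifier {

    // Hypothetical allowlist: caller package name -> SHA-256 of its release signing
    // certificate (lower-case hex). Placeholder values; a real broker pins the
    // genuine release-key digests of the apps allowed to share the account.
    private static final Map<String, String> TRUSTED_SIGNERS = new HashMap<>();
    static {
        TRUSTED_SIGNERS.put("com.example.family.app", "PLACEHOLDER_SHA256_HEX");
    }

    private final Context context;
    private final boolean isDebugMode; // the kind of flag that was left true

    public CallerVerifier(Context context, boolean isDebugMode) {
        this.context = context.getApplicationContext();
        this.isDebugMode = isDebugMode;
    }

    // VULNERABLE shape: a debug flag short-circuits the identity check, so any app
    // on the device that sends the token request is treated as a trusted sibling.
    public boolean isCallerTrustedVulnerable() {
        if (isDebugMode) {
            return true; // the bug: production build, flag still true
        }
        return callingUidIsTrusted();
    }

    // HARDENED shape: no runtime flag can skip the check. Test builds should differ
    // only in which digests are pinned (injected at build time), never in whether
    // verification runs at all.
    public boolean isCallerTrusted() {
        return callingUidIsTrusted();
    }

    // Must run inside the Binder transaction (e.g. ContentProvider#call or an AIDL
    // method) so that Binder.getCallingUid() names the remote caller, not this app.
    private boolean callingUidIsTrusted() {
        int uid = Binder.getCallingUid();
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        // A UID can be shared by several packages; every one of them must be trusted.
        for (String pkg : packages) {
            if (!packageSignerIsTrusted(pm, pkg)) {
                return false;
            }
        }
        return true;
    }

    private boolean packageSignerIsTrusted(PackageManager pm, String pkg) {
        String expected = TRUSTED_SIGNERS.get(pkg);
        if (expected == null) {
            return false; // package name alone is not enough, but it must be listed
        }
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo signingInfo = info.signingInfo;
            if (signingInfo == null || signingInfo.hasMultipleSigners()) {
                return false; // reject unusual signing setups rather than guess
            }
            // Compare the current signer's certificate digest with the pinned value.
            Signature[] signers = signingInfo.getApkContentsSigners();
            if (signers == null || signers.length != 1) {
                return false;
            }
            return expected.equalsIgnoreCase(sha256Hex(signers[0].toByteArray()));
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    private static String sha256Hex(byte[] derCertificate) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCertificate);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available on Android
        }
    }
}
```

The defensive point is in the two public methods: with the vulnerable shape, a release build whose flag is still true answers every caller, which is the condition the article describes; with the hardened shape the only thing a build variant can change is the set of pinned digests. A release pipeline can enforce this by failing the build when such a flag is true in a non-debug variant, for instance by asserting it against the build type rather than trusting a hand-maintained setter.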

The researchers further noted that the leaked credentials were FOCI (Family of Client IDs) tokens, which carry a very high risk. Not only can such tokens be used for long periods and refreshed silently, but the network traffic they generate when misused is extremely hard to spot, because the resulting system logs look exactly like normal use by the user.

An attacker who hijacks the token through a local malicious app does not need the user's password, nor any sensitive Android system permission, to act directly as the victim's account: reading, modifying and sending email, browsing cloud documents, viewing calendars, and so on.

The researchers then used AI-assisted analysis to confirm that the flaw came from a shared SDK and was present in all six major M365 Android apps. "We thought it was just one app, and later found it was a common pattern across the M365 Android apps: a simple bug affecting a total of billions of downloads."

In response to this major supply-chain and distribution error, the research team responsibly disclosed the issue in advance to the Microsoft Security Response Center (MSRC).

Microsoft subsequently confirmed the vulnerabilities and issued security advisories, assigning separate CVE numbers and severity ratings to the risks in the different apps.

Of these, Microsoft 365 Copilot is tracked as CVE-2026-41100 (CVSS score 4.4, medium); Word for Android as CVE-2026-4101 (CVSS score 7.1, high); PowerPoint as CVE-2026-41102 (CVSS score 7.1, high); and Microsoft Office, which shares the same faulty core component as CVE-2026-41102, is rated CVSS 7.7 (critical).

Microsoft stated that fixes for these vulnerabilities were included in the mid-May and later update logs, and that enterprise IT administrators should immediately check the Android devices managed within their organization and ensure that all relevant Office apps are running the latest security version.
