Enclave finds Microsoft 365 Android token flaw

Enclave published research on 2 June 2026 showing that several Microsoft 365 Android apps had shipped with a debug setting enabled in production that could let another app on the same Android device request Microsoft account tokens. The affected Android apps included Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. Enclave says Microsoft confirmed and patched the issues, with related CVEs published through Microsoft Security Response Center. The issue was Android-specific. Enclave's practical advice is to update affected Microsoft 365 Android apps, especially on managed devices.
Before this research, many Copilot adoption conversations treated mobile use as a convenience question: whether people should use Copilot from a phone when they are away from the desk. This flaw shows why mobile app version control belongs in the same adoption conversation as prompts, files, and permissions. The patched issue does not mean teams should panic about every Android Copilot session. It does mean adoption leads need a simple rule: company AI work on phones still depends on managed app updates, device policy, and a way to prove sensitive Microsoft 365 apps are not running stale versions.
Analysis
If your team uses Copilot or Office apps on Android, check that Word, Excel, PowerPoint, Microsoft 365 Copilot, Loop, and OneNote are on patched versions. For managed devices, add this to your mobile app update compliance check rather than treating it as a one-off user reminder.
Pulse published by Collab365 Spaces. Cite as "Enclave finds Microsoft 365 Android token flaw", Collab365 Spaces. 1 source referenced.