A vulnerability in Microsoft Authenticator, tracked as CVE-2026-26123, allowed malicious Android and iOS apps to hijack the app’s unclaimed ms-msa:// deep link and intercept authentication tokens during onboarding and sign-in flows. The flaw affected QR-code-based setup scenarios in which a user scanned a legitimate Microsoft QR code with a mobile camera and opened the resulting link, enabling an attacker-controlled app to capture login data with little visible warning to the victim.
Researchers reported that the issue could lead to full takeover of Microsoft accounts and downstream access to services including Outlook, OneDrive, Teams, Office, and Skype. Microsoft acknowledged the vulnerability, assigned a CVE, and mitigated the issue, while coverage warned that the bug could expose login codes for large numbers of users on both major mobile platforms. Users and organizations were advised to update Microsoft Authenticator and ensure proper verified app-link handling as the primary remediation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Details of the Microsoft Authenticator deep-link vulnerability were publicly disclosed, describing how minimal user interaction could lead to interception of login tokens and full Microsoft account takeover. Public reporting also advised users to update to the latest version and highlighted proper app-link verification as the key remediation.
Microsoft acknowledged the reported issue, assigned it CVE-2026-26123, and implemented a mitigation for the vulnerability. The issue affected Microsoft Authenticator on modern Android and iOS environments and could expose access to Microsoft services such as Outlook, OneDrive, Teams, Office, and Skype.
A security researcher found that Microsoft Authenticator did not properly claim the ms-msa:// deep link used in onboarding and sign-in flows. The flaw allowed a malicious Android or iOS app to register the scheme and intercept authentication tokens from QR-code-based setup flows, enabling account takeover.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
infosecwriteups.com
Open sourcetechrepublic.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.