Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Deep Link Hijacking in Microsoft Authenticator

IdentifiersCVE-2026-26123CWE-939· Improper Authorization in Handler…

CVE-2026-26123 is a local information disclosure vulnerability in Microsoft Authenticator for Android and iOS. The issue stems from the app’s handling of the ms-msa:// deep link used during onboarding, sign-in, and QR-code-based authentication flows. According to the provided reporting, Microsoft Authenticator did not properly claim or exclusively bind this URI scheme, allowing a malicious application installed on the same device to register itself as a handler for the same deep link. If a victim scanned a legitimate Microsoft QR code or tapped a sign-in link and the malicious app was selected to handle the link, the rogue app could intercept authentication data embedded in the deep link, including token or code parameters intended for Microsoft Authenticator. The intercepted data could then be exfiltrated and used to complete authentication flows for the victim’s Microsoft account.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can expose authentication material intended for Microsoft Authenticator, including one-time login codes, sign-in links, or token values embedded in the deep link flow. The reporting indicates this may enable unauthorized access to Microsoft accounts and associated services such as Outlook, OneDrive, Teams, Office, Skype, and related cloud resources. In the most severe described scenario, the attacker can use the intercepted authentication data to complete sign-in and achieve full account takeover, with consequent access to emails, files, and other account-linked data.

Mitigation

If you can’t patch tonight, do this now.

Until all affected devices are updated, reduce exposure by preventing installation of untrusted or unnecessary mobile applications, especially those that could register handlers for authentication links. Users should verify that authentication prompts, QR-based sign-ins, and deep links open only in trusted applications such as Microsoft Authenticator. In enterprise environments, enforce rapid patching of MFA applications and consider MDM controls that restrict app installation and app-handler selection behavior where possible. The provided reporting also notes Microsoft Entra-related controls being rolled out to restrict Authenticator use on rooted or jailbroken devices, which may further reduce risk in managed environments.

Remediation

Patch, then assume compromise.

Update Microsoft Authenticator to the latest available version from the Google Play Store or Apple App Store, as the issue is reported to have been fixed/mitigated in recent releases. The underlying corrective action described in the reporting is proper app-link verification or verified/exclusive handling of the ms-msa:// authentication deep link so that untrusted applications cannot register as alternate handlers for the same sign-in flow.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationAuthenticatorapplication
Microsoft CorporationAuthenticator For Iosapplication
Microsoft CorporationMicrosoft Authenticatorapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
infosec writeupsNews
Mar 25, 2026
Microsoft Authenticator’s Unclaimed Deep Link: A Full Account Takeover Story (CVE-2026-26123) | by Khaled Mohamed | Mar, 2026 | InfoSec Write-ups

A deep link hijacking vulnerability in Microsoft Authenticator where the ms-msa:// authentication link was not properly claimed by the app, allowing a malicious app to intercept authentication tokens and cause full account takeover.

Read more
techrepublic com securityNews
Mar 13, 2026
Microsoft Authenticator Flaw on Android, iOS Could Leak Login Codes for Millions

A vulnerability in Microsoft Authenticator on Android and iOS that could allow a malicious app on the same device to intercept authentication deep links, one-time login codes, or sign-in data intended for the authenticator app.

Read more
help net securityNews
Mar 11, 2026
Microsoft patches 80+ vulnerabilities, six flagged as "more likely" to be exploited - Help Net Security

A Microsoft Authenticator (Android/iOS) vulnerability that can enable a man-in-the-middle sign-in interception via a malicious app handling sign-in deep links (requires user interaction/social engineering).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-26123
NVD
nvd.nist.gov/vuln/detail/CVE-2026-26123
MITRE CWE · CWE-939
Improper Authorization in Handler for Custom…
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26123