Critical Deep‑Link Flaw in Microsoft Authenticator (CVE‑2026‑26123) Enables Credential Hijacking
What Happened — A security researcher disclosed CVE‑2026‑26123, a deep‑link handling vulnerability in Microsoft Authenticator for iOS and Android. A malicious app already installed on the same device can intercept sign‑in codes or QR‑code enrolment and approval flows routed through the affected deep links, which can lead to full account takeover. Microsoft has released a fixed version of the app.
Why It Matters for TPRM —
- MFA‑based authentication is a core control for many third‑party relationships; a bypass undermines that control.
- The vulnerability affects any organization that relies on Microsoft Authenticator for employee or partner access.
- Exploitation requires a malicious app on the device but no network position, so nothing crosses the perimeter; the attack is invisible to network defenses and shows up, if at all, only in mobile endpoint or MDM telemetry.
Who Is Affected — Enterprises across all sectors using Microsoft Authenticator for multi‑factor authentication, especially those with mobile‑first workforces.
Recommended Actions —
- Verify that all Microsoft Authenticator installations are updated to the latest version.
- Review MFA policies to ensure alternative factors (e.g., hardware tokens) are available.
- Conduct a short‑term audit of mobile device management (MDM) policies. Deep‑link routing is an operating‑system function that MDM cannot switch off, so the practical levers are blocking sideloading and unmanaged app stores, allowing only apps from the managed catalogue, and enforcing a minimum Microsoft Authenticator version through MDM or app‑protection policy.
Technical Notes — The issue stems from improper validation in the app's deep‑link handlers (intents on Android, URL‑scheme handlers on iOS), allowing a malicious app that registers for the same links to capture or replay MFA codes. Further root‑cause details have not been published, and no exploit code for this CVE was publicly released at the time of reporting. Source: Malwarebytes Labs
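The following is an added example of the vulnerability class the Technical Notes describe, not Microsoft's code: Authenticator's handler and the precise root cause of CVE‑2026‑26123 are not public. It shows the checks a deep‑link handler should apply before acting on a link. The hostnames, path, parameter names and session‑reference format are assumptions for the demonstration; the inputs at the bottom are constructed. The design points are that a custom URI scheme (such as the hypothetical exampleauth://) is rejected outright, because any installed app can register the same scheme and be handed the link by the OS, whereas an HTTPS link can be bound to a domain the app operator controls (Android App Links with autoVerify, iOS Universal Links); and that the link never carries the secret itself, only an opaque session reference the app resolves over TLS with its own device‑bound credentials.

```python
"""Added example: strict validation of an incoming MFA deep link.

Illustrates the class of flaw named in the Technical Notes (improper
validation of deep-link handlers). It is not Microsoft Authenticator's
code; hostnames, paths and parameter names below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: only HTTPS links to this host and path are accepted.
# On Android this corresponds to an App Links intent filter with
# android:autoVerify="true" and an assetlinks.json on the host; on iOS to
# an associated domain for Universal Links. A custom scheme is rejected
# because any app can register the same scheme and receive the link.
ALLOWED_HOSTS = {"login.example.com"}
ALLOWED_PATH_PREFIX = "/approve"
# Parameters that must never travel in a link: whichever app claims the
# link receives them, so they must not be bearer secrets.
FORBIDDEN_PARAMS = {"code", "otp", "token", "secret"}


@dataclass(frozen=True)
class LinkDecision:
    accepted: bool
    reason: str
    session: Optional[str] = None


def validate_deep_link(raw: str) -> LinkDecision:
    """Decide whether a delivered deep link may be acted on.

    An accepted link yields only an opaque session reference; the app then
    fetches the real sign-in request from the backend over TLS.
    """
    parts = urlsplit(raw)
    if parts.scheme.lower() != "https":
        return LinkDecision(False, f"unverifiable scheme {parts.scheme!r}")
    # Reject userinfo so "login.example.com@evil.test" is not mistaken for
    # the allowlisted host by a naive string check.
    if parts.username is not None or parts.password is not None:
        return LinkDecision(False, "userinfo in authority")
    host = parts.hostname or ""  # already lower-cased, port stripped
    if host not in ALLOWED_HOSTS:
        return LinkDecision(False, f"host {host!r} not allowlisted")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return LinkDecision(False, "malformed port")
    if port not in (None, 443):
        return LinkDecision(False, f"unexpected port {port}")
    if not (parts.path == ALLOWED_PATH_PREFIX
            or parts.path.startswith(ALLOWED_PATH_PREFIX + "/")):
        return LinkDecision(False, f"path {parts.path!r} not allowed")
    query = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(FORBIDDEN_PARAMS & {k.lower() for k in query})
    if leaked:
        return LinkDecision(False, f"secret material in link: {leaked}")
    sessions = query.get("session", [])
    # Assumed session-reference format: one value, 16..64 alphanumerics.
    if (len(sessions) != 1 or not sessions[0].isalnum()
            or not 16 <= len(sessions[0]) <= 64):
        return LinkDecision(False, "missing or malformed session reference")
    return LinkDecision(True, "ok", sessions[0])


# Constructed inputs for the demonstration (not captured traffic).
SAMPLES = [
    "exampleauth://signin?code=482913",                  # custom scheme
    "https://login.example.com@evil.test/approve?session=a1b2c3d4e5f6a7b8",
    "https://login.example.com.evil.test/approve?session=a1b2c3d4e5f6a7b8",
    "https://login.example.com/approve?session=a1b2c3d4e5f6a7b8&code=482913",
    "https://login.example.com/approve?session=a1b2c3d4e5f6a7b8",
]

if __name__ == "__main__":
    for link in SAMPLES:
        decision = validate_deep_link(link)
        verdict = "ACCEPT" if decision.accepted else "REJECT"
        print(f"{verdict:6} {decision.reason:45} <- {link}")
```

Only the last constructed sample is accepted; the first four are rejected for an unverifiable scheme, userinfo in the authority, a lookalike host, and a one-time code carried in the link. The same ordering of checks applies whichever platform delivers the link, and the handler still treats the accepted session reference as untrusted input when it contacts the backend.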