Microsoft 365 Android Apps Had a Token Flaw IT Teams Should Check Now

https://www.techrepublic.com/article/news-microsoft-365-android-token-flaw/

Publish Date: 2026-06-04 12:04:00

Source Domain: www.techrepublic.com

A debug flag left active in production code allowed another installed app on the same Android device to request Microsoft account tokens from Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot for Android without user interaction, according to research Enclave publicly disclosed on June 2, 2026.

Microsoft patched the flaws and issued CVEs on May 12, 2026, but the technical details became public on June 2, when Enclave published its research and SecurityWeek reported on the findings. Microsoft Teams was not affected, and no in-the-wild exploitation has been publicly confirmed, but the disclosure gives IT teams a fresh reason to verify Android app updates and review Microsoft 365 mobile app governance.

How the Android token flaw worked

Microsoft 365 apps on Android share authentication tokens so users do not have to sign in again when moving from Word to Excel or PowerPoint. That handoff should stay within trusted Microsoft apps. The issue also comes as Microsoft is expanding its Android-based enterprise ambitions with Project Solara, making mobile trust boundaries more important for IT teams to understand.

In a public research post, Enclave traced the issue to setIsDebugMode(true), a debug setting left enabled in production builds that skipped the check meant to block untrusted apps from receiving tokens. Because the vulnerable code sat inside a shared Microsoft SDK, the same misconfiguration appeared across all six affected apps.
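To make the failure mode concrete, the following Android snippet is an added illustration and is not Microsoft's SDK code: it models a hypothetical in-app token broker whose caller check can be short-circuited by a runtime debug flag, alongside a hardened form with no bypass at all. The class name TokenHandoffPolicy, the method names, and the certificate-hash allowlist value are assumptions; the Android framework calls (Binder.getCallingUid, PackageManager.getPackagesForUid, PackageManager.GET_SIGNING_CERTIFICATES, SigningInfo) are real APIs available from API level 28.

```java
// Added illustration, not Microsoft's SDK code. A hypothetical token broker
// that decides whether the Binder caller may receive an account token.
// Class, method names and the allowlisted hash below are assumptions.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class TokenHandoffPolicy {

    // SHA-256 hex digests of APK signing certificates trusted to receive tokens.
    // Placeholder value; a real allowlist pins the publisher's actual cert hashes.
    private static final Set<String> TRUSTED_SIGNER_SHA256 = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("PLACEHOLDER_SHA256_OF_TRUSTED_SIGNING_CERT")));

    private final Context context;
    private boolean debugMode = false;

    public TokenHandoffPolicy(Context context) {
        this.context = context.getApplicationContext();
    }

    // WEAK (the pattern the article describes): a setter reachable from
    // production code flips a flag that skips the caller check entirely.
    public void setIsDebugMode(boolean enabled) {
        this.debugMode = enabled;
    }

    public boolean callerMayReceiveTokenWeak() {
        if (debugMode) {
            return true;   // bypass: any installed app on the device passes
        }
        return callerSignedByTrustedCert();
    }

    // HARDENED: there is no runtime bypass. Tooling that needs relaxed checks
    // belongs in a separate debug build variant that never ships, not behind
    // a flag that release code can set.
    public boolean callerMayReceiveToken() {
        return callerSignedByTrustedCert();
    }

    // Resolve the Binder caller to its package(s) and require that every
    // package sharing that UID is signed by an allowlisted certificate.
    private boolean callerSignedByTrustedCert() {
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(Binder.getCallingUid());
        if (packages == null || packages.length == 0) {
            return false;   // fail closed when the caller cannot be resolved
        }
        for (String pkg : packages) {
            if (!packageSignedByTrustedCert(pm, pkg)) {
                return false;   // one untrusted sharer of the UID rejects the call
            }
        }
        return true;
    }

    private boolean packageSignedByTrustedCert(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
                return false;   // multi-signer APKs are not modelled here; reject
            }
            for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(sig.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The design point is that the hardened path has nothing to misconfigure: a release build cannot accidentally ship with the check disabled because no code path disables it. Teams that maintain shared SDKs can add a release-build unit test or lint rule asserting that no debug-bypass setter is reachable, which is the kind of guardrail that would have caught a flag like the one described above before it reached production.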

Enclave built a proof of concept using an unverified third-party app that pulled tokens from installed Microsoft 365 apps and read email from the account without a password, login screen, or suspicious Android permission prompt. SecurityWeek described a malicious update to an already installed Android app as one possible attack path; in that scenario, the app could request Microsoft tokens in the background and transmit them without a visible prompt.

Depending on the app context, exposed tokens could allow access to email, files, calendar…
