What Is the Microsoft 365 Android Token Vulnerability?
The Microsoft 365 Android vulnerability is a security flaw in which a debug flag left enabled in production allowed any other app on the same device to silently request and receive powerful Microsoft account tokens. The request bypassed the normal trust checks, permission prompts, and sign‑in screens, potentially exposing email, files, calendars, and communications to attackers without the user’s password. Under normal conditions, Microsoft 365 Android apps share tokens only with trusted Microsoft apps, so logging into one app signs you into the others. Because a debug setting remained active in production code, that safeguard failed. According to Enclave’s research, a single line of code, setIsDebugMode(true), inside a shared Microsoft SDK skipped the verification that should block untrusted apps. The result was a quiet but serious Android security flaw that turned convenient single sign‑on into a path for account token theft.

Which Microsoft 365 Android Apps Were Affected?
The flaw hit several of the most widely used Microsoft 365 Android apps. Enclave’s researchers found that Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote all shipped with the problematic debug flag switched on in production. These apps share a common Microsoft SDK for handling sign‑in and single sign‑on, so the same misconfiguration appeared across them. According to The Hacker News, Teams used the same flag but had it set to false and was not vulnerable, which makes the issue look like a slip, not a deliberate design choice. The vulnerable apps have billions of downloads, so the potential blast radius is large wherever untrusted Android apps are installed alongside Microsoft 365. Microsoft issued four CVEs covering Copilot, Word, PowerPoint, and Excel on May 12 and pushed fixes via Google Play and Patch Tuesday builds.
How the Debug Flag Enabled Silent Account Token Theft
Microsoft 365 apps on Android use shared authentication tokens so you can sign in once and move between Outlook, OneDrive, Teams, Excel, Word, or PowerPoint without re‑entering your password. That sharing is supposed to be restricted to trusted Microsoft apps, enforced by a check that validates who is asking for the token. The bug removed that safeguard. With setIsDebugMode(true) enabled in the shared SDK, the trust check was skipped, so any other app on the device could request tokens and be treated as trusted. Enclave built a proof‑of‑concept app, one not signed or trusted by Microsoft, that pulled tokens from installed Microsoft 365 apps and then read email without a password or an Android permission prompt. The exposed credentials were FOCI (Family of Client IDs) refresh tokens, designed for long‑lived single sign‑on, which can be silently refreshed and used over time while looking like routine traffic in logs.
What Can Attackers Do with Stolen Tokens?
Stolen FOCI tokens are far more than login shortcuts: they are keys to your Microsoft 365 life. With one of these tokens, a malicious app or its operator can act as you without needing your password or multi‑factor authentication. Depending on the affected app, attackers could read and send email, browse and download files, access documents, scan calendar data, or monitor communications. Because these are refresh tokens, they can be exchanged for new access tokens across Microsoft 365 services for extended periods, even after you update the vulnerable apps. From your point of view, nothing obvious happens on the device: no alerts, no new sign‑in prompts. In logs, the traffic appears normal because it originates from familiar apps and services. That combination of deep access and low visibility makes this Android security flaw particularly dangerous on unmanaged or lightly managed devices.
Immediate Steps to Protect Your Microsoft 365 Account
Start with updates. Open Google Play and install the latest Microsoft app update for Word, PowerPoint, Excel, OneNote, Microsoft 365 Copilot, and Microsoft Loop on every Android device you use. If you manage devices, enforce updates through mobile device management and confirm builds are newer than the patched Word version 16.0.19822.20190. Next, revoke any tokens that might already be in hostile hands by signing out of Microsoft 365 on mobile and forcing fresh sign‑ins where your admin tools allow it. Then review your Microsoft account’s connected apps and sessions, removing any unfamiliar or unnecessary entries to limit exposure from past account token theft. Finally, audit which third‑party apps are installed on devices that access work accounts and tighten installation policies. Reducing the number of untrusted apps lowers the chance that a future Android security flaw can be abused in the same way.
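A way to carry out the version check above across a fleet, as an added example that is not Enclave’s or Microsoft’s code: it parses the versionName reported by adb for each Microsoft 365 package and compares it against the patched build. Only the Word threshold (16.0.19822.20190) comes from the article; the package names are assumptions to confirm against Google Play, and thresholds for the other apps must be filled in from Microsoft’s release notes.

```python
"""Flag Android devices still running unpatched Microsoft 365 apps (adb-based)."""
import re
import subprocess

# Patched build from the article (Word only). Add the other apps' patched
# versions from Microsoft's release notes; packages with no entry are reported
# as "unknown-threshold" rather than guessed.
MIN_PATCHED = {
    "com.microsoft.office.word": "16.0.19822.20190",
}

# Assumed package names; confirm each against its Google Play listing.
WATCHED_PACKAGES = [
    "com.microsoft.office.word",
    "com.microsoft.office.excel",
    "com.microsoft.office.powerpoint",
    "com.microsoft.office.onenote",
]

def parse_version(version):
    """'16.0.19822.20190' -> (16, 0, 19822, 20190); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.strip().split("."))

def version_name_from_dumpsys(dumpsys_text):
    """Extract versionName from `adb shell dumpsys package <pkg>` output."""
    match = re.search(r"versionName=(\S+)", dumpsys_text)
    return match.group(1) if match else None

def assess(package, dumpsys_text):
    """Return 'patched', 'vulnerable', 'not-installed' or 'unknown-threshold'."""
    installed = version_name_from_dumpsys(dumpsys_text)
    if installed is None:           # dumpsys prints no versionName for absent apps
        return "not-installed"
    floor = MIN_PATCHED.get(package)
    if floor is None:
        return "unknown-threshold"
    # At or above the patched build counts as patched.
    return "patched" if parse_version(installed) >= parse_version(floor) else "vulnerable"

def dumpsys(package, serial=None):
    """Query a connected device; 'serial' selects one of several devices."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "dumpsys", "package", package]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

# Constructed sample dumpsys fragments (not captured from a real device).
SAMPLE_OLD_WORD = "Package [com.microsoft.office.word]:\n    versionName=16.0.19700.20100\n"
SAMPLE_NEW_WORD = "Package [com.microsoft.office.word]:\n    versionName=16.0.19822.20190\n"

if __name__ == "__main__":
    for pkg in WATCHED_PACKAGES:
        print(pkg, assess(pkg, dumpsys(pkg)))
```

Run it with a device attached over adb; under an MDM, the same comparison can be applied to the versionName values the MDM inventory reports instead.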