Microsoft shipped production builds of multiple Microsoft 365 Android apps with a debug flag enabled that bypassed the apps' token-sharing security controls. The flag disabled the checks that prevent account tokens from being handed to untrusted applications, so any app installed on the same device could request and receive a user's authentication token without a prompt, a permission grant, or any other interaction.
An attacker with a malicious app installed on a victim's phone could obtain valid account tokens for Microsoft 365 services. With those tokens, the attacker can read and send email, open files, view calendars, and use messaging under the compromised user's identity, to the extent the token's scopes and lifetime allow. Because the token is handed over directly by the vulnerable app, no password entry, login screen, or consent prompt stands between the malicious app and the account.
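The control the flag switched off is, in general terms, a caller-identity check: before an app hands a token to another process, it verifies that the caller is signed by a trusted key. The following is an added illustration, not Microsoft's code or a description of its actual implementation. It shows a hypothetical Android guard in front of a token-sharing entry point (an exported ContentProvider or bound service), with the debug-flag anti-pattern beside the hardened form. The class name, the flag name, and the certificate fingerprint are invented placeholders.

```java
import android.content.pm.PackageManager;
import android.os.Binder;
import java.util.List;

/**
 * Hypothetical guard in front of a token-sharing entry point.
 * Illustration only, not Microsoft's code: the flag name, class name
 * and certificate fingerprint are invented.
 */
public final class CallerTrustGuard {

    /**
     * SHA-256 fingerprints of the signing certificates allowed to receive
     * tokens. Placeholder value; a real allow-list pins the publisher's own
     * certificate hashes, which are public and can be read from shipped APKs.
     */
    private static final List<byte[]> TRUSTED_SIGNER_SHA256 = List.of(
            hexToBytes("0000000000000000000000000000000000000000000000000000000000000000"));

    /**
     * The anti-pattern: a hook added so local test apps can call the entry point.
     * If this is true in a release build, every app on the device is "trusted".
     */
    static final boolean SKIP_CALLER_CHECK_FOR_TESTING = false;

    private final PackageManager pm;

    public CallerTrustGuard(PackageManager pm) {
        this.pm = pm;
    }

    /** Vulnerable form: the flag short-circuits the signature check entirely. */
    public boolean isCallerTrustedVulnerable() {
        if (SKIP_CALLER_CHECK_FOR_TESTING) {
            return true;
        }
        return callerSignedByTrustedKey();
    }

    /** Hardened form: there is no bypass that could ship by mistake. */
    public boolean isCallerTrusted() {
        return callerSignedByTrustedKey();
    }

    /**
     * Resolve the calling UID (only meaningful while the Binder call is being
     * handled, before any clearCallingIdentity) to its package(s) and require
     * that every one of them is signed by an allowed key. A UID can map to
     * several packages when they share a sharedUserId, so one untrusted
     * package in the group fails the whole group.
     */
    private boolean callerSignedByTrustedKey() {
        int uid = Binder.getCallingUid();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) {
            return false;
        }
        for (String pkg : packages) {
            if (!signedByTrustedKey(pkg)) {
                return false;
            }
        }
        return true;
    }

    /**
     * PackageManager.hasSigningCertificate (API 28+) matches against the
     * package's signing lineage, so the check survives key rotation.
     */
    private boolean signedByTrustedKey(String pkg) {
        for (byte[] fingerprint : TRUSTED_SIGNER_SHA256) {
            if (pm.hasSigningCertificate(pkg, fingerprint, PackageManager.CERT_INPUT_SHA256)) {
                return true;
            }
        }
        return false;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two points worth taking from the example. The caller's package name alone is not an identity: on a device where the genuine app is absent, an attacker can install an app with the same name, so the signing certificate is what must be checked. And the hardened form does not merely set the flag to false; it removes the bypass from release code altogether. If a test hook is unavoidable, tie it to `BuildConfig.DEBUG` so the release build cannot contain it, and add a release-variant test that fails the build if any such bypass is reachable.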
The vulnerability affects Android users running the affected Microsoft 365 apps. The attack requires a malicious app to be present on the target device, which limits exposure to users who install untrusted software; a compromised app store listing or sideloaded malware could, however, distribute such an app at scale. Note that the malicious app needs no sensitive Android permissions of its own, since the vulnerable app hands over the token without prompting, so it can look entirely benign during review.
Organizations relying on Microsoft 365 face data theft and account compromise risks. Attackers could exfiltrate sensitive emails, access shared documents, or use the stolen tokens against any other service that accepts them. Enterprise teams managing Android deployments should inventory which devices run the affected apps now, so that patch status can be verified across the fleet as soon as fixes ship.
Microsoft had not disclosed the specific apps affected or released fixes at the time of reporting. The debug flag is a critical configuration oversight: a testing bypass of this kind should have been removed from, or at minimum disabled in, release builds before they shipped. The incident underscores a gap in secure development practice, where testing features persist in shipping code because nothing in the release process checks for them.
Users should update all Microsoft 365 apps as soon as patches become available. Organizations should enforce mobile device management policies that restrict app installation to official sources and block sideloading. Monitoring for unusual account activity, particularly token use from unfamiliar devices or locations, helps detect token theft after the fact.
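The monitoring advice above can be made concrete. The following is an added example, not part of the original report and not tied to any particular log product: it runs a simple unknown-device and location-change check over a constructed set of token-use records. The record shape, the field names, the user names, the device identifiers, and the events themselves are invented for illustration; a real pipeline would feed it sign-in or token-use records from the identity provider.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical detector over sign-in style records. Illustration only; the
 * record shape and the sample events are constructed, not real telemetry.
 */
public final class TokenMisuseDetector {

    /** One token use: who, from which device identifier and country, against which app. */
    public record Event(Instant at, String user, String deviceId, String country, String app) {}

    /** Constructed sample: alice's token appears on an unknown device, then from another country. */
    public static List<Event> sampleEvents() {
        Instant t0 = Instant.parse("2025-01-15T08:00:00Z");
        return List.of(
                new Event(t0, "alice", "dev-a1", "DE", "Outlook"),
                new Event(t0.plus(Duration.ofHours(1)), "alice", "dev-a1", "DE", "Teams"),
                new Event(t0.plus(Duration.ofHours(26)), "alice", "dev-x9", "DE", "Outlook"),
                new Event(t0.plus(Duration.ofHours(27)), "alice", "dev-x9", "BR", "OneDrive"),
                new Event(t0, "bob", "dev-b1", "US", "OneDrive"),
                new Event(t0.plus(Duration.ofHours(30)), "bob", "dev-b1", "US", "Teams"));
    }

    /**
     * Events within {@code baseline} of each user's first sighting teach that
     * user's known devices; later events are monitored. Returns one alert line
     * per finding: a never-seen device, or a country change faster than
     * {@code travelWindow} allows.
     */
    public static List<String> findAnomalies(List<Event> events, Duration baseline, Duration travelWindow) {
        List<Event> sorted = new ArrayList<>(events);
        sorted.sort(Comparator.comparing(Event::at));

        Map<String, Instant> firstSeen = new HashMap<>();
        Map<String, Set<String>> knownDevices = new HashMap<>();
        Map<String, Event> previous = new HashMap<>();
        List<String> alerts = new ArrayList<>();

        for (Event e : sorted) {
            Instant first = firstSeen.computeIfAbsent(e.user(), u -> e.at());
            Set<String> devices = knownDevices.computeIfAbsent(e.user(), u -> new HashSet<>());
            boolean learning = Duration.between(first, e.at()).compareTo(baseline) <= 0;

            if (!learning && !devices.contains(e.deviceId())) {
                alerts.add(e.at() + " " + e.user() + ": token used from unknown device "
                        + e.deviceId() + " (" + e.app() + ")");
            }
            Event prev = previous.get(e.user());
            if (prev != null && !prev.country().equals(e.country())
                    && Duration.between(prev.at(), e.at()).compareTo(travelWindow) < 0) {
                alerts.add(e.at() + " " + e.user() + ": country changed " + prev.country()
                        + " -> " + e.country() + " within " + Duration.between(prev.at(), e.at()));
            }
            // Only learning-period devices join the baseline; a flagged device must be
            // reviewed before it is trusted, otherwise the attacker's device teaches itself in.
            if (learning) {
                devices.add(e.deviceId());
            }
            previous.put(e.user(), e);
        }
        return alerts;
    }

    public static void main(String[] args) {
        for (String alert : findAnomalies(sampleEvents(), Duration.ofHours(24), Duration.ofHours(4))) {
            System.out.println(alert);
        }
    }
}
```

On the constructed sample this raises three alerts for alice (the unknown device on both of its events, and the DE to BR change one hour apart) and none for bob. The device identifier is the signal most relevant to this bug: a token lifted by a malicious app is used from the same physical device while it is being abused locally, but once exfiltrated it shows up from infrastructure the user has never signed in from, which is exactly what the unknown-device rule catches.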
