A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled the trust check that normally restricts account-token sharing to authorised Microsoft applications. As a result, any app installed on the same Android device could silently request and receive a valid authentication token, granting full access to the victim’s email, files, calendar, and messaging without any user interaction or additional permissions. The flaw affects any user running a vulnerable Microsoft 365 Android app while also having a malicious or compromised app on the same device.

Architect’s Take: Mandate immediate updates to all affected Microsoft 365 Android apps across your managed device estate via your MDM/UEM solution, and review Conditional Access policies to detect anomalous token usage or unexpected app sign-ins. Consider temporarily blocking unmanaged Android devices from accessing Microsoft 365 resources until patched app versions are confirmed deployed.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag