
Microsoft 365 Android apps expose account tokens due to debug flag

Incident (open): Jun 2, 2026 to Jun 3, 2026

Microsoft confirmed that several of its 365 Android applications were shipping with a debug flag that left authentication tokens exposed to any other app on the device, as reported by The Hacker News. The affected apps include Word, Excel, PowerPoint, OneNote, Outlook and Teams, putting both personal and organisational data at risk.

The debug flag disables a security boundary that normally prevents inter‑process access to account credentials, allowing a malicious app to read the token through Android's logging or intent mechanisms. Researchers noted that the flaw could be triggered with a single line of code and that no CVE has been assigned to the issue. All versions of the apps released before the June 2026 patches are vulnerable.

Although no threat actors have been observed exploiting the flaw in the wild, the sheer volume of installs means the potential audience for abuse is enormous. A rogue app masquerading as a utility or game could harvest tokens and then replay them to gain access to mail, SharePoint sites and Teams chats. The exposure highlights the danger of leaving development switches enabled in production builds.

Administrators need to ensure that all managed devices have received the latest updates from the Google Play store or via Microsoft Endpoint Manager. They should also review conditional access policies to require multi-factor authentication and to block sign‑ins from unknown devices or risky applications. Enforcing app protection policies that restrict data transfer to unverified apps adds another layer of defence.

Security teams can enable token protection features such as token binding and session conditional access, and monitor audit logs for atypical token usage patterns like sudden spikes in token requests from unfamiliar apps. Educating users to install only trusted applications from verified sources further reduces the risk of token theft. Regular reviews of installed applications help catch any malicious software that might have slipped through.
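The monitoring step above, turned into a concrete detection, as an added example that is not part of the original briefing: it scans sign-in audit records for the pattern the text names, a sudden burst of token requests from an app the organisation does not recognise. The log lines are constructed for this example, and the field names (ts, user, app_id, app_name, event), the allowlist of known app IDs, the 5-minute window and the threshold of 5 requests are all assumptions rather than any real Microsoft 365 or Entra schema or tuning.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in audit lines. The field names (ts, user, app_id,
# app_name, event) are assumptions for this example, not a real Microsoft 365
# or Entra log schema.
SAMPLE_LOG = """
{"ts": "2026-06-02T08:00:05Z", "user": "alice@example.test", "app_id": "app-outlook", "app_name": "Outlook", "event": "token_issued"}
{"ts": "2026-06-02T08:00:41Z", "user": "bob@example.test", "app_id": "app-teams", "app_name": "Teams", "event": "token_issued"}
{"ts": "2026-06-02T08:01:03Z", "user": "alice@example.test", "app_id": "app-unknown-7f3e", "app_name": "Free Wallpapers", "event": "token_issued"}
{"ts": "2026-06-02T08:01:09Z", "user": "bob@example.test", "app_id": "app-unknown-7f3e", "app_name": "Free Wallpapers", "event": "token_issued"}
{"ts": "2026-06-02T08:01:15Z", "user": "carol@example.test", "app_id": "app-unknown-7f3e", "app_name": "Free Wallpapers", "event": "token_issued"}
{"ts": "2026-06-02T08:01:44Z", "user": "dave@example.test", "app_id": "app-unknown-7f3e", "app_name": "Free Wallpapers", "event": "token_issued"}
{"ts": "2026-06-02T08:02:02Z", "user": "carol@example.test", "app_id": "app-unknown-7f3e", "app_name": "Free Wallpapers", "event": "token_issued"}
{"ts": "2026-06-02T08:02:30Z", "user": "alice@example.test", "app_id": "app-unknown-7f3e", "app_name": "Free Wallpapers", "event": "token_issued"}
{"ts": "2026-06-02T08:03:10Z", "user": "erin@example.test", "app_id": "app-word", "app_name": "Word", "event": "token_issued"}
{"ts": "2026-06-02T08:03:55Z", "user": "erin@example.test", "app_id": "app-unknown-ab12", "app_name": "Note Taker", "event": "token_issued"}
{"ts": "2026-06-02T08:04:20Z", "user": "bob@example.test", "app_id": "app-outlook", "app_name": "Outlook", "event": "sign_in_failed"}
"""

# Apps the organisation expects to request tokens (assumed allowlist).
KNOWN_APP_IDS = {"app-outlook", "app-teams", "app-word"}

WINDOW_SECONDS = 300   # 5-minute buckets (assumed tuning)
SPIKE_THRESHOLD = 5    # token requests per app per window before alerting (assumed)


def parse_log(text):
    """Parse newline-delimited JSON records into dicts with a UTC datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def bucket_token_requests(events, window=WINDOW_SECONDS):
    """Count token_issued events per (app_id, window_start); track distinct users per bucket."""
    counts = Counter()
    users = defaultdict(set)
    names = {}
    for e in events:
        if e["event"] != "token_issued":
            continue  # only token issuance counts as a token request here
        epoch = int(e["ts"].timestamp())
        start = epoch - (epoch % window)   # align to the window boundary
        key = (e["app_id"], start)
        counts[key] += 1
        users[key].add(e["user"])
        names[e["app_id"]] = e["app_name"]
    return counts, users, names


def detect_unfamiliar_token_spikes(text, known_apps=KNOWN_APP_IDS, threshold=SPIKE_THRESHOLD):
    """Return (alerts, unfamiliar_apps).

    alerts: one dict per (unfamiliar app, window) whose token requests reach the threshold.
    unfamiliar_apps: every app ID seen requesting tokens that is not on the allowlist,
    so low-volume unknown apps still surface for review even without a spike.
    """
    events = parse_log(text)
    counts, users, names = bucket_token_requests(events)
    unfamiliar = sorted({app for (app, _) in counts if app not in known_apps})
    alerts = []
    for (app_id, start), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if app_id in known_apps or n < threshold:
            continue
        alerts.append({
            "app_id": app_id,
            "app_name": names[app_id],
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "token_requests": n,
            "distinct_users": len(users[(app_id, start)]),
        })
    return alerts, unfamiliar


if __name__ == "__main__":
    found, unknown = detect_unfamiliar_token_spikes(SAMPLE_LOG)
    print("unfamiliar apps seen:", unknown)
    for a in found:
        print("ALERT", a)
```

On the constructed sample this raises one alert, for the unfamiliar "Free Wallpapers" app that obtained six tokens for four different users inside one five-minute window, while the single request from "Note Taker" stays below the threshold but is still listed as an unfamiliar app for follow-up. The distinct-user count is the useful discriminator: a token harvester that replays stolen credentials tends to touch many accounts at once, which a single legitimate user testing a new app does not.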

Microsoft has issued patches for Word, Excel, PowerPoint, OneNote, Outlook and Teams; users should verify that the version numbers reflect the June 2026 releases and consider re‑authenticating after updating to ensure any compromised tokens are invalidated. Applying the updates promptly closes the debug flag and restores the intended isolation between apps. Staying current with mobile patches remains a fundamental part of defending credential tokens on Android devices.

Intelligence briefing updated Jun 10, 2026
