Microsoft 365 Android apps token-sharing flaw (multiple vulnerabilities)
Vulnerability
Summary
Hide ▲
Show ▼
Microsoft 365 Android apps were exposed by a leftover setIsDebugMode(true) flag that let same-device apps steal account tokens and act as the signed-in user. The flaw could expose email, files, calendar data, and messaging across Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote. Microsoft patched the issue and issued four CVEs on May 12. There is no public evidence of exploitation before the fix.
Related Happenings
Google Android Developer Verifier enforcement rollout for verified app installs
Security Tool/Service
H score14
First: 22.06.2026 15:45
Last: 22.06.2026 15:45
Sources 1
About this happening:
Google is enforcing Android developer verification on September 30, 2026, blocking normal installs of unverified apps on certified Android phones in Brazil, Indonesia, S...
Google Android Developer Verifier enforcement rollout for verified app installs
Security Tool/ServiceAbout this happening: Google is enforcing Android developer verification on September 30, 2026, blocking normal installs of unverified apps on certified Android phones in Brazil, Indonesia, S...
Microsoft Office launch disruption after June 2026 Windows updates
Service Disruption
H score0
First: 17.06.2026 14:54
Last: 17.06.2026 14:54
Sources 1
About this happening:
Microsoft is investigating a Windows update-related disruption that can stop third-party applications from launching Word, Excel, PowerPoint, Access or opening documen...
Microsoft Office launch disruption after June 2026 Windows updates
Service DisruptionAbout this happening: Microsoft is investigating a Windows update-related disruption that can stop third-party applications from launching Word, Excel, PowerPoint, Access or opening documen...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score39
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The EvilTokens campaign rapidly compromised more than 340 Microsoft 365 organizations across five countries, showing how OAuth grant abuse can bypass MFA and c...
EvilTokens Microsoft 365 consent phishing campaign
CampaignAbout this happening: The EvilTokens campaign rapidly compromised more than 340 Microsoft 365 organizations across five countries, showing how OAuth grant abuse can bypass MFA and c...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
H score46
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The Tycoon2FA phishing operation added device-code phishing to hijack Microsoft 365 accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
CampaignAbout this happening: The Tycoon2FA phishing operation added device-code phishing to hijack Microsoft 365 accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Microsoft Windows 365 Office installation disruption
Service Disruption
H score0
First: 13.05.2026 14:53
Last: 13.05.2026 14:53
Sources 1
About this happening:
The Windows 365 service update has introduced a configuration change that is blocking Office downloads and installs for some customers, disrupting access on cloud PCs....
Microsoft Windows 365 Office installation disruption
Service DisruptionAbout this happening: The Windows 365 service update has introduced a configuration change that is blocking Office downloads and installs for some customers, disrupting access on cloud PCs....
Timeline
-
03.06.2026 17:56 1 articles · 1mo ago
Microsoft patches Microsoft 365 Android token-sharing flaw
Mitigation Patch UpdateMicrosoft issued four CVEs on May 12 for a token-sharing bypass in Microsoft 365 Android apps, covering Microsoft 365 Copilot, Word, PowerPoint, and Excel. The same flaw also affected Loop and OneNote, and the patched Word build for Android was 16.0.19822.20190.
Show sources
- Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag — thehackernews.com — 03.06.2026 17:56
-
03.06.2026 17:56 2 articles · 1mo ago
Enclave finds token-sharing bypass in Microsoft 365 Android apps
Initial DisclosureEnclave's Yanir Tsarimi and Ofek Levin found that a leftover setIsDebugMode(true) flag in production builds of several Microsoft 365 Android apps skipped the check meant to limit account-token sharing to trusted Microsoft apps. The flaw let another app on the same phone obtain FOCI refresh tokens and use them to read email, open files, browse calendars, and send messages as the signed-in user.
Show sources
- Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag — thehackernews.com — 03.06.2026 17:56
- Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag — thehackernews.com — 03.06.2026 17:56