
Microsoft 365 Android apps token-sharing flaw (multiple vulnerabilities)

Vulnerability

Summary


Production builds of several Microsoft 365 Android apps shipped with a leftover setIsDebugMode(true) flag that let other apps on the same device steal account tokens and act as the signed-in user. The flaw could expose email, files, calendar data, and messaging across Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote. Microsoft patched the issue and issued four CVEs on May 12. There is no public evidence of exploitation before the fix.

Timeline

  1. 03.06.2026 17:56 · 1 article

    Microsoft patches Microsoft 365 Android token-sharing flaw

    Mitigation Patch Update

    Microsoft issued four CVEs on May 12 for a token-sharing bypass in Microsoft 365 Android apps, covering Microsoft 365 Copilot, Word, PowerPoint, and Excel. The same flaw also affected Loop and OneNote, and the patched Word build for Android was 16.0.19822.20190.

  2. 03.06.2026 17:56 · 2 articles

    Enclave finds token-sharing bypass in Microsoft 365 Android apps

    Initial Disclosure

    Enclave's Yanir Tsarimi and Ofek Levin found that a leftover setIsDebugMode(true) flag in production builds of several Microsoft 365 Android apps skipped the check meant to limit account-token sharing to trusted Microsoft apps. The flaw let another app on the same phone obtain FOCI refresh tokens and use them to read email, open files, browse calendars, and send messages as the signed-in user.
