Swati KhandelwalJun 03, 2026Vulnerability / Mobile Security

A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps.

Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.

Microsoft has patched it, and if you run Microsoft 365 apps on Android, update them.

The bug, which Enclave calls FlagLeft, hit Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, six apps with billions of downloads between them. Teams shipped with the same flag set to false and were not affected, which Enclave reads as a slip rather than a design.