A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data.
June 3, 2026
A coding mistake in several Microsoft 365 Android applications resulted in the exposure of user accounts to compromise at massive scale, demonstrating once again how dropping the ball on securing authentication tokens can undermine an entire trust model.
Researchers at Enclave discovered a vulnerability in a debug setting that was mistakenly left enabled in production releases of multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot, according to a blog post published Tuesday.
"A test setting was left turned on in six Microsoft apps on Android phones: Word, OneNote, PowerPoint, Excel, Loop and 365 Copilot," Enclave co-founder and chief product officer Yanir Tsarimi explains to Dark Reading. "That setting was meant to stop other apps from grabbing your login."
