
Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover

Why This Matters

A critical coding error in Microsoft 365 Android apps left authentication controls disabled, exposing millions of user accounts to potential takeover. This incident highlights the importance of rigorous security testing and the risks of overlooked debug settings in production releases, emphasizing the need for robust app security practices in the tech industry. Consumers and organizations must remain vigilant about app security updates and potential vulnerabilities.

Key Takeaways

A coding mistake in several Microsoft 365 Android applications resulted in the exposure of user accounts to compromise at massive scale, demonstrating once again how dropping the ball on securing authentication tokens can undermine an entire trust model.

Researchers at Enclave discovered a vulnerability stemming from a debug setting that was mistakenly left enabled in production releases of multiple Microsoft Android apps, including Excel, Word, PowerPoint, OneNote, Loop, and Microsoft 365 Copilot, according to a blog post published Tuesday.

"A test setting was left turned on in six Microsoft apps on Android phones: Word, OneNote, PowerPoint, Excel, Loop and 365 Copilot," Enclave co-founder and chief product officer Yanir Tsarimi explains to Dark Reading. "That setting was meant to stop other apps from grabbing your login."

Leaving the debug setting enabled effectively disabled a security control responsible for ensuring that only trusted Microsoft applications could receive authentication tokens from other Microsoft apps on the device. That control underpins a feature that lets users sign in once and be logged in across the apps, which is only safe when the handoff between apps is a verified, trusted exchange.


Cross-Application Insecurity from Auth Tokens

According to Enclave, not only was the authorization check protecting this token exchange disabled in the Android apps, but the same exposure was replicated across multiple Microsoft apps because the vulnerable code lived in a shared Microsoft software development kit (SDK).

With the protection bypassed, any Android app capable of requesting a token could potentially obtain Microsoft authentication credentials, Tsarimi explains.
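The caller check described above, and the debug gate that switched it off, as an added Java illustration that is not Microsoft's or Enclave's code. Package names, certificate bytes and the token value are constructed; on a real device the caller's identity would come from Binder.getCallingUid() and the package manager's signing info, and the article does not name the SDK's actual flag.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Map;

// Added illustration, not Microsoft's or Enclave's code. Models the caller check a
// token-sharing SDK runs before handing a token to another app, in the vulnerable
// "debug flag skips the check" shape beside an enforced one. Inputs are constructed.
public final class TokenBroker {
    // Allowlist: package name -> SHA-256 hex of the expected signing cert.
    // The "certificates" are constructed strings standing in for DER bytes.
    static final Map<String, String> TRUSTED = Map.of(
        "com.example.office.word",  sha256(bytes("cert:word-release-key")),
        "com.example.office.excel", sha256(bytes("cert:excel-release-key")));

    // Trust needs package name AND signing cert; a package name alone is not proof of identity.
    static boolean isTrusted(String pkg, byte[] callerCert) {
        return sha256(callerCert).equals(TRUSTED.get(pkg));
    }

    // VULNERABLE: one flag gates the whole check. Shipped as true, any app that asks gets the token.
    static String requestTokenDebugGated(boolean skipCallerCheck,
                                         String pkg, byte[] cert, String token) {
        if (!skipCallerCheck && !isTrusted(pkg, cert))
            throw new SecurityException("untrusted caller: " + pkg);
        return token;
    }

    // ENFORCED: no off switch, and a release build refuses to run while a debug override is set.
    static String requestTokenEnforced(boolean releaseBuild, boolean debugOverrideSet,
                                       String pkg, byte[] cert, String token) {
        if (releaseBuild && debugOverrideSet)
            throw new IllegalStateException("debug override present in release build");
        if (!isTrusted(pkg, cert))
            throw new SecurityException("untrusted caller: " + pkg);
        return token;
    }

    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    static String sha256(byte[] data) {
        try { return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data)); }
        catch (java.security.NoSuchAlgorithmException e) { throw new AssertionError(e); }
    }

    public static void main(String[] args) {  // a rogue app spoofing Word's package name
        byte[] rogue = bytes("cert:rogue-app-key");
        System.out.println(requestTokenDebugGated(true, "com.example.office.word", rogue, "tok"));
        try { requestTokenEnforced(true, false, "com.example.office.word", rogue, "tok"); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

Run with Java 17 or later; the debug-gated path prints the token for the rogue caller, while the enforced path refuses it because the signing certificate does not match the allowlist entry for that package.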

This set up an exploit scenario in which "any other app on your phone could ask for your Microsoft login and get it," he says. "With all six, an attacker could read your email messages. With some, they could also send email messages, read your Teams messages, or open your files."

The issue demonstrates how "one tiny change" in the development process "can cause a big security problem," Tsarimi notes. "Here, flipping one setting from off to on was enough," he says, adding that development teams "can't let small mistakes like that slip by."
