Microsoft has patched an authentication token vulnerability in six of its Microsoft 365 apps for Android, closing a gap that let other installed apps request identity tokens from these applications. The fix, released on May 12, 2026, removes a debug setting that had been left enabled in production builds, a setting that potentially exposed users to token theft and unauthorized access to Microsoft 365 services.

Security researchers found that the flaw stemmed from a debug feature intended for internal testing. A malicious app on the same device could use the misconfiguration to extract Microsoft Entra ID tokens, the tokens the Office apps share for single sign-on, without any user interaction. The incident underscores the difficulty of securing mobile productivity suites against local, on-device attack vectors.

The Flaw Explained

At the heart of the vulnerability was a debug interface that remained active in the production builds of six Microsoft 365 Android apps. Android's inter-process communication (IPC) mechanisms (Intents, bound Services and Content Providers) let apps expose components to one another. A component is shielded from other apps only if it is not exported, or if it is exported behind a permission the caller must hold, ideally a signature-level permission that only apps signed with the same key can obtain. Microsoft has not described the interface, but the most plausible reading is that a debug setting left a component of this kind, such as a Content Provider or Service, exported without such a guard, so that any app on the device could call it and retrieve authentication tokens.

Typically, such debug features are stripped or disabled before apps are released to the public, by keeping them in a debug build variant or behind a manifest setting that release builds do not carry. In this case the setting persisted, creating a pathway for token exfiltration. An attacker could craft a seemingly benign app, say a flashlight utility or a game, and once it was installed, silently invoke the exposed interface to capture tokens; no special Android permission would be needed, because the exposed interface itself was the authorization gap. These tokens could then be used to access corporate email, files, Teams chats, and other Microsoft 365 resources under the victim's identity.
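To make the component-exposure class concrete, here is an added example, not Microsoft's code and not the actual interface (which Microsoft has not described): a Python audit that parses an AndroidManifest.xml and lists every component another app could reach without holding a signature-level permission. The manifest embedded in it is constructed for this example, and the component and permission names (TokenDebugProvider, DebugTokenService, com.example.officeapp.permission.TOKEN and so on) are hypothetical. It places the debug leftover beside the hardened form of the same provider, flags a guard that is only a "normal" permission (any app can request one), and applies the pre-API-31 rule that a component with an intent-filter is exported even without an explicit android:exported attribute.

```python
"""Audit an AndroidManifest.xml for components that other apps can reach.

Lists exported activities, services, receivers and providers that are not
guarded by a signature-level permission. The embedded manifest is constructed
for this example; every component and permission name in it is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = {"activity", "service", "receiver", "provider"}
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.officeapp">
  <permission android:name="com.example.officeapp.permission.TOKEN"
      android:protectionLevel="signature" />
  <permission android:name="com.example.officeapp.permission.DEBUG"
      android:protectionLevel="normal" />
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <!-- Debug leftover: any app on the device can query this provider -->
    <provider android:name=".debug.TokenDebugProvider"
        android:authorities="com.example.officeapp.debugtokens"
        android:exported="true" />
    <!-- Hardened form: exported, but only to apps signed with our key -->
    <provider android:name=".auth.TokenProvider"
        android:authorities="com.example.officeapp.tokens"
        android:exported="true"
        android:permission="com.example.officeapp.permission.TOKEN" />
    <!-- Not exported: unreachable from other apps -->
    <service android:name=".sync.SyncService" android:exported="false" />
    <!-- Guarded, but by a 'normal' permission any app can simply declare -->
    <service android:name=".debug.DebugTokenService" android:exported="true"
        android:permission="com.example.officeapp.permission.DEBUG" />
    <!-- No exported attribute but an intent-filter: implicitly exported before API 31 -->
    <receiver android:name=".debug.DebugDumpReceiver">
      <intent-filter>
        <action android:name="com.example.officeapp.DEBUG_DUMP" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies export."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher_activity(elem):
    """Launcher activities are legitimately exported; skip them in the report."""
    return elem.tag == "activity" and any(
        _attr(cat, "name") == LAUNCHER_CATEGORY
        for f in elem.findall("intent-filter") for cat in f.findall("category"))


def guard_permissions(elem):
    """Permissions a caller must hold to reach the component."""
    names = [_attr(elem, "permission")]
    if elem.tag == "provider":
        names += [_attr(elem, "readPermission"), _attr(elem, "writePermission")]
    return [n for n in names if n]


def find_reachable_components(manifest_xml):
    """Return (tag, name, problem) for each component another app can call."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel of permissions declared in this manifest; permissions
    # declared elsewhere (platform ones) are assumed to be signature-level.
    declared = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
                for p in root.iter("permission")}
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp) or is_launcher_activity(comp):
            continue
        guards = guard_permissions(comp)
        if not guards:
            problem = ("intent-filter with no android:exported (implicit export on API < 31)"
                       if _attr(comp, "exported") is None
                       else "exported with no android:permission")
        else:
            weak = [g for g in guards if "signature" not in declared.get(g, "signature")]
            if not weak:
                continue
            problem = f"guarded only by non-signature permission {weak[0]}"
        findings.append((comp.tag, _attr(comp, "name"), problem))
    return findings


if __name__ == "__main__":
    for tag, name, problem in find_reachable_components(SAMPLE_MANIFEST):
        print(f"{tag:9s} {name:28s} {problem}")
```

Run it against the manifest pulled from a release build (for example with apktool or aapt2) as a release gate; every provider or service it prints needs a written justification, and anything with "debug" in its name needs a build-variant fix rather than a justification.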

Tokens issued by Microsoft Entra ID (formerly Azure Active Directory) carry the privileges of the authenticated user. Replaying a stolen token does not trigger a new multi-factor authentication prompt, because the token already embodies a completed sign-in, MFA claim included; Conditional Access is evaluated when the token is issued rather than on every use, so the attacker has the token's remaining lifetime (and, if a refresh token was exposed, considerably longer) unless the session is revoked or the token is bound to the device. The local nature of the attack limited its scope to device-by-device compromise, but the potential impact on enterprise environments made it critical.

Affected Apps

Microsoft has not publicly disclosed the exact list of the six affected applications. However, based on the description “core Microsoft 365 apps for Android,” they likely include widely used productivity tools such as:

  • Microsoft Outlook
  • Microsoft Teams
  • OneDrive
  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint

These apps handle sensitive corporate data and all rely on Entra ID tokens for seamless authentication. Omitting specific app names is not uncommon in initial disclosures; vendors often prefer to emphasize the mitigation rather than draw attention to vulnerable versions. Until Microsoft publishes the list, IT administrators should assume that any Microsoft 365 Android app installed before May 12, 2026 may have been affected and verify updates across the entire suite.

Discovery and Disclosure

The vulnerability was uncovered by unnamed security researchers, who reported it privately to Microsoft through its coordinated vulnerability disclosure program. No evidence suggests the flaw was exploited in the wild before the patch. Details of the disclosure timeline remain sparse, so nothing can yet be said about how long the debug interface shipped in production or how quickly Microsoft turned the report into the May 12, 2026 fix.

The discovery highlights a persistent issue in mobile development: debug code accidentally shipped in production builds. Similar oversights have plagued other major apps, leading to data leaks or privilege escalation. For Microsoft, which has invested heavily in zero-trust and identity protection, the incident serves as a reminder that even mature organizations can overlook mobile app hygiene.

Microsoft’s Response and Patch

Microsoft issued updated versions of the six apps through the Google Play Store on May 12, 2026. The patches remove the debug interface entirely, ensuring that no inter-app token requests can be processed without proper authorization. Because the fix is delivered via standard app updates, no operating system-level changes are required.

No CVE identifier has been assigned publicly at the time of writing, and Microsoft has not published an official security advisory on the Microsoft Security Response Center (MSRC) portal. However, the update notes for the affected apps likely mention “security improvements” or “bug fixes.” IT teams should treat this patch as a top priority, especially for devices containing sensitive enterprise data.

IT Patch Verification Guide

Ensuring that all managed Android devices receive the patched versions promptly is critical. Below are step-by-step verification steps for IT administrators using Microsoft Intune or a similar mobile device management (MDM) solution.

1. Identify Installed Versions

Check the current version of each Microsoft 365 app on a representative sample of devices. Microsoft has not published minimum patched version numbers; the patched builds were released on May 12, 2026, so compare the installed version with the version the Play Store has offered since that date and treat anything older as unpatched. To find the installed version:
- Open the app and go to Settings > About (the exact path varies by app).
- Alternatively, open Android Settings > Apps, select the app, and scroll to the bottom of the App info screen, where the version is listed.

2. Force Update via MDM

In Microsoft Intune:
- Navigate to Apps > All apps and select each Microsoft 365 app (deployed as a managed Google Play app).
- Under Properties > Assignments, verify that the app is assigned as Required to the targeted groups, so Intune installs and updates it rather than leaving installation to the user.
- Where your tenant exposes the Android Enterprise auto-update priority for managed Google Play apps, set it to high priority for these six apps, and check that the device-level Play Store auto-update setting is not restricted to Wi-Fi only, or the update will wait until the device next joins a Wi-Fi network.

3. Monitor Compliance

Intune does not support custom compliance scripts on Android, and its Android device compliance policies cannot check an app version, so the enforcement point is the app protection policy instead. Under Apps > App protection policies, the Android policy's Conditional launch settings include Min app version; set it to the May 12, 2026 release for each app with the action Block access (or Wipe data for high-sensitivity groups), so that an unpatched app cannot open corporate data. Pair this with a Conditional Access policy that requires an approved client app or app protection policy, so that unpatched apps cannot obtain new tokens either.

4. Push Notifications to Users

Send a company-wide communication instructing users to manually update all Microsoft 365 apps from the Google Play Store immediately. Provide Play Store links for:
- Microsoft Outlook
- Microsoft Teams
- OneDrive
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint

5. Verify Token Behavior (Post-Patch)

For high-security environments, perform a simple validation test:
- On a non-production device, install a test app that attempts to call the exported components of each patched app (the component list can be read from the app's manifest with a tool such as apktool or aapt2). On the patched build the debug interface should no longer be present, so the call should fail to resolve or be refused.
- Confirm that no tokens are returned.
- Separately, review Entra ID sign-in logs for the token being replayed from an unfamiliar IP address or client; the theft itself is local IPC and leaves no network trace on the device, so the network-side evidence is the token's use, not its extraction.

6. Audit App Permissions

Review the permissions granted to all Microsoft 365 apps. While this vulnerability did not require permission abuse, it’s a good practice to ensure apps have only the necessary permissions. Use Intune’s App protection policies to restrict data sharing and enforce lock-down configurations.
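Steps 1 and 3 above can be automated for devices you can reach with adb (a lab fleet, or spot checks of devices the app protection policy has flagged). The following Python script is an added example, not a Microsoft or Intune tool: it reads the versionName line from `adb shell dumpsys package <package>` output, compares it with a per-app minimum and reports each app as ok, outdated or not installed. The package IDs are the Play Store IDs of the six apps listed above (an assumption, since Microsoft has not confirmed the affected set), the dumpsys snippets are constructed, and the version floors in MINIMUM_PATCHED are placeholders to be replaced with the May 12, 2026 versionName of each app.

```python
"""Fleet check: compare installed Microsoft 365 app versions on Android
devices against per-app minimum patched versions.

Real input is the output of `adb shell dumpsys package <package>` (or the
same text exported from an MDM). SAMPLE_DUMPSYS is constructed for this
example and MINIMUM_PATCHED holds placeholder floors, not Microsoft's numbers.
"""
import re
import subprocess

# Play Store package IDs of the six apps named in the article. Assumed to be
# the affected set; Microsoft has not confirmed it.
APPS = {
    "com.microsoft.office.outlook": "Outlook",
    "com.microsoft.teams": "Teams",
    "com.microsoft.skydrive": "OneDrive",
    "com.microsoft.office.word": "Word",
    "com.microsoft.office.excel": "Excel",
    "com.microsoft.office.powerpoint": "PowerPoint",
}

# PLACEHOLDER floors. Replace each with the versionName of the build the
# Play Store started serving on May 12, 2026.
MINIMUM_PATCHED = {
    "com.microsoft.office.outlook": "4.2520.0",
    "com.microsoft.teams": "1416/1.0.0.2026051200",
    "com.microsoft.skydrive": "7.20",
    "com.microsoft.office.word": "16.0.19000.0",
    "com.microsoft.office.excel": "16.0.19000.0",
    "com.microsoft.office.powerpoint": "16.0.19000.0",
}

VERSION_NAME_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def parse_version_name(dumpsys_text):
    """First versionName= value in dumpsys package output; None when the
    package is not installed (dumpsys then prints no such line)."""
    match = VERSION_NAME_RE.search(dumpsys_text or "")
    return match.group(1) if match else None


def version_key(version):
    """Order versions by their numeric runs: '4.2519.2' -> (4, 2519, 2).
    Teams-style '1416/1.0.0.2026...' strings are handled the same way."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_device(dumpsys_by_package, minimums=MINIMUM_PATCHED):
    """Return {package: (status, installed_version)}, status being
    'ok', 'outdated' or 'not installed'."""
    results = {}
    for pkg in APPS:
        installed = parse_version_name(dumpsys_by_package.get(pkg))
        if installed is None:
            results[pkg] = ("not installed", None)
        elif version_key(installed) >= version_key(minimums[pkg]):
            results[pkg] = ("ok", installed)
        else:
            results[pkg] = ("outdated", installed)
    return results


def outdated_packages(results):
    """Packages that still need the patch on this device."""
    return [pkg for pkg, (status, _) in results.items() if status == "outdated"]


def live_dumpsys(package, serial=None):
    """Fetch dumpsys output from a connected device over adb (not used by
    the sample run below)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "dumpsys", "package", package]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample for one lab device: Outlook behind the floor, Teams
# current, Word absent. The lines mimic the shape of real dumpsys output.
SAMPLE_DUMPSYS = {
    "com.microsoft.office.outlook": (
        "Packages:\n  Package [com.microsoft.office.outlook] (3f8a2c1):\n"
        "    versionCode=4251900 minSdk=29 targetSdk=35\n    versionName=4.2519.2\n"),
    "com.microsoft.teams": (
        "Packages:\n  Package [com.microsoft.teams] (9b01de4):\n"
        "    versionCode=2026051200 minSdk=29 targetSdk=35\n"
        "    versionName=1416/1.0.0.2026051200\n"),
    "com.microsoft.office.word": "Unable to find package: com.microsoft.office.word\n",
}

if __name__ == "__main__":
    results = check_device(SAMPLE_DUMPSYS)
    for pkg, (status, ver) in results.items():
        print(f"{APPS[pkg]:11s} {status:14s} {ver or '-'}")
    print("needs patch:", ", ".join(APPS[p] for p in outdated_packages(results)) or "none")
```

To run it for real, replace SAMPLE_DUMPSYS with `{pkg: live_dumpsys(pkg, serial) for pkg in APPS}` for each device serial reported by `adb devices`. Treat "not installed" as informational only; the policy question is whether the device has any of the six apps below the floor.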

Broader Implications

This incident reinforces the need for rigorous production build audits. Debug flags, logging statements, and test code must be scrubbed before release. For Microsoft, the challenge is magnified by the sheer number of Android devices and OS versions that its apps must support.

Token theft on mobile is particularly dangerous because many organizations treat mobile devices as less critical than desktops, even though they reach the same cloud resources. An attacker holding a stolen token can move laterally to cloud services for as long as the token remains valid, since Conditional Access challenges at sign-in rather than on every request; Continuous Access Evaluation can cut a session short on a risk event, but only for the services and clients that support it.

Enterprise mobile security strategies should now incorporate app-level threat detection capabilities. Solutions that monitor inter-app communication, detect anomalous token usage, and enforce application integrity checks can provide an additional safety net against similar flaws. Microsoft's own Defender for Cloud Apps and Defender for Endpoint may offer signals that alert on unusual sign-in attempts from mobile devices, and Entra ID Protection's anomalous token risk detection is the signal most directly aimed at a token being replayed from somewhere other than where it was issued.

Conclusion

The May 12, 2026 patch eliminates a dangerous debug feature that exposed Microsoft 365 Android users to local token theft. IT administrators must act swiftly to update all six apps across their fleets and verify deployment. While Microsoft’s fix is straightforward, the vulnerability underscores the importance of treating mobile apps with the same security scrutiny as server endpoints.

Going forward, organizations should demand greater transparency from vendors about production build configurations and adopt zero-trust principles that continuously validate every access request, regardless of the device. The token age is far from over—but neither is the need for constant vigilance.