
Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

ID: 209fe629-6c15-5ce8-8c8e-093fd1cacce9

STIX ID: report--209fe629-6c15-5ce8-8c8e-093fd1cacce9

Feed Name: The Hacker News

Threat Score
68/100

Date Published: 2026-06-03

Date Updated: 2026-06-04

Author: [email protected] (The Hacker News)

...
...

Multiple Microsoft 365 Android apps (Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote) shipped with a leftover development flag that disabled the check restricting account-token sharing to trusted apps. As a result, any malicious app on the same device could request and receive FOCI tokens and use them to access email, files, calendar, and messages without authenticating. Enclave produced a proof-of-concept; Microsoft issued CVEs and patches (patched builds are available via Google Play) and recommended updating the affected apps, pushing updates via MDM, and revoking refresh tokens for devices that ran affected builds alongside untrusted apps.
