A development flag left switched on in production builds of
several Microsoft 365 Android apps disabled the check that limits
account-token sharing to trusted Microsoft apps. Any other app on
the same phone could ask for the signed-in user's token and get it,
then read email, open files, browse the calendar, and send messages
as that user. No password, no login screen, no permission
prompt.
Read more: https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html

