Coding Gaffe Exposes Microsoft 365 Android Apps, Potentially Compromising Millions of Accounts
What Happened — A disabled security setting in the Android versions of Microsoft Word, PowerPoint, and Excel bypassed authentication checks, allowing threat actors to harvest user credentials and take over Microsoft 365 accounts. The flaw could be leveraged at scale across any organization that permits mobile Office app usage.
Why It Matters for TPRM —
- Credential theft from a core productivity suite can cascade to other SaaS services via single sign‑on.
- The mobile app attack surface is often overlooked in vendor risk assessments.
- Large, distributed workforces increase the likelihood of widespread exposure.
Who Is Affected — Enterprises across all sectors that rely on Microsoft 365 (healthcare, finance, education, government, retail, etc.) and enable the Android Office apps for employees.
Recommended Actions —
- Immediately verify that the security flag is enabled on all Microsoft 365 mobile clients; apply any patches Microsoft releases.
- Enforce multi‑factor authentication (MFA) for all Microsoft 365 accounts.
- Monitor sign‑in logs for anomalous activity and enforce conditional access policies that restrict risky locations or devices.
- Update third‑party risk questionnaires to include mobile‑app security controls.
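The log-monitoring recommendation above is easier to act on with concrete detection logic. The following Python script is an added example for this brief, not code from Microsoft or from the Dark Reading report. The sign-in records it analyzes are constructed; their field names are shaped after Microsoft Graph `signIn` objects (`userPrincipalName`, `appDisplayName`, `ipAddress`, `location`, `status`, `conditionalAccessStatus`, `deviceDetail`), but no value comes from a real tenant, and the per-user country baseline, the five-minute window and the three-IP threshold are assumptions to tune for your environment. It flags three conditions relevant to a credential-replay scenario: a successful sign-in from a country outside the user's baseline, a mobile Office sign-in that no conditional access policy evaluated, and a burst of attempts for one account from several source IPs.

```python
"""Flag anomalous Microsoft 365 sign-ins (added example; sample data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped after Microsoft Graph signIn objects; IPs are RFC 5737 documentation addresses.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-06-03T08:01:12Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "location": {"city": "Seattle", "countryOrRegion": "US"}, "status": {"errorCode": 0},
     "conditionalAccessStatus": "success", "deviceDetail": {"operatingSystem": "Android"}},
    # Same user minutes later from a new country, and no conditional access policy applied.
    {"createdDateTime": "2024-06-03T08:15:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "location": {"city": "Unknown", "countryOrRegion": "BR"}, "status": {"errorCode": 0},
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"operatingSystem": "Android"}},
    # One account, four source IPs within three minutes (errorCode 50126 = invalid credentials).
    {"createdDateTime": "2024-06-03T09:00:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.1",
     "location": {"city": "Austin", "countryOrRegion": "US"}, "status": {"errorCode": 50126},
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"operatingSystem": "Android"}},
    {"createdDateTime": "2024-06-03T09:01:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.2",
     "location": {"city": "Austin", "countryOrRegion": "US"}, "status": {"errorCode": 50126},
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"operatingSystem": "Android"}},
    {"createdDateTime": "2024-06-03T09:02:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.3",
     "location": {"city": "Austin", "countryOrRegion": "US"}, "status": {"errorCode": 50126},
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"operatingSystem": "Android"}},
    {"createdDateTime": "2024-06-03T09:03:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.4",
     "location": {"city": "Austin", "countryOrRegion": "US"}, "status": {"errorCode": 0},
     "conditionalAccessStatus": "success", "deviceDetail": {"operatingSystem": "Android"}},
    # Ordinary desktop sign-in that should produce no finding.
    {"createdDateTime": "2024-06-03T10:00:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.22",
     "location": {"city": "Denver", "countryOrRegion": "US"}, "status": {"errorCode": 0},
     "conditionalAccessStatus": "success", "deviceDetail": {"operatingSystem": "Windows 10"}},
]

# Assumed per-user baseline of countries seen in prior, trusted sign-ins.
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}

MOBILE_OS = ("Android", "iOS")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_new_country(signins, baseline):
    """Successful sign-in from a country the user has not been seen in before."""
    findings = []
    for s in signins:
        if s["status"]["errorCode"] != 0:
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        if country not in baseline.get(user, set()):
            findings.append({"rule": "new-country-success", "user": user,
                             "detail": f"{country} via {s['ipAddress']} ({s['appDisplayName']})"})
    return findings


def flag_ca_not_applied(signins):
    """Mobile sign-in that no conditional access policy evaluated: a policy-coverage gap."""
    return [{"rule": "ca-not-applied-mobile", "user": s["userPrincipalName"],
             "detail": f"{s['deviceDetail']['operatingSystem']} from {s['ipAddress']}"}
            for s in signins
            if s["deviceDetail"]["operatingSystem"] in MOBILE_OS
            and s["conditionalAccessStatus"] == "notApplied"
            and s["status"]["errorCode"] == 0]


def flag_multi_ip_bursts(signins, window=timedelta(minutes=5), min_ips=3):
    """One account attempted from at least min_ips distinct IPs inside a sliding window."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda r: parse_ts(r["createdDateTime"])):
        by_user[s["userPrincipalName"]].append(s)
    findings = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            t0 = parse_ts(first["createdDateTime"])
            ips = {e["ipAddress"] for e in events[i:] if parse_ts(e["createdDateTime"]) - t0 <= window}
            if len(ips) >= min_ips:
                findings.append({"rule": "multi-ip-burst", "user": user,
                                 "detail": f"{len(ips)} source IPs within {window}"})
                break  # one finding per user is enough for triage
    return findings


def analyze(signins=SAMPLE_SIGNINS, baseline=BASELINE_COUNTRIES):
    """Run all rules and return the combined list of findings."""
    return (flag_new_country(signins, baseline)
            + flag_ca_not_applied(signins)
            + flag_multi_ip_bursts(signins))


if __name__ == "__main__":
    for finding in analyze():
        print(f"[{finding['rule']}] {finding['user']}: {finding['detail']}")
```

Against the constructed data the script reports three findings: alice's successful sign-in from BR, the same sign-in as an Android session that conditional access never evaluated, and the four-IP burst against bob's account; carol's desktop sign-in is silent. In production the records would come from the tenant's exported sign-in logs, the baseline from a trailing window of trusted history, and each rule would feed a ticket or a conditional access review rather than stdout.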
Technical Notes — The vulnerability originated from a disabled “App Authentication” configuration that should have enforced token validation, effectively allowing credential replay. No CVE has been assigned yet. Exposed data includes usernames, passwords, and potentially corporate documents accessed through the compromised apps. Source: Dark Reading