Microsoft 365 Android Token Theft: What the Debug-Flag Flaw Means for DoD STIG Readiness
A leftover development flag in production Microsoft 365 Android apps silently disabled token-sharing controls — here is what STIG-aligned organizations must do right now.
Published 2026-06-04
The Hacker News has reported that several Microsoft 365 Android apps shipped with a development debug flag left enabled in production builds, allowing any app on the same device to silently request and receive a signed-in user's authentication token — no password, no login prompt, no permission dialog required.
## What Happened
The debug flag in question disables the trust boundary that normally restricts account-token sharing to verified Microsoft apps. With that check bypassed, a malicious or compromised app already installed on the same Android device can request the token and immediately read the victim's email, calendar, and files and send messages, all while appearing to be the legitimate user. The attack surface is every Android device running an affected Microsoft 365 app alongside any untrusted app. Once that untrusted app is installed, no elevated privilege and no further user interaction is required.
## Why This Matters for DoD STIG and ACAS / SCAP Programs
For organizations operating under DoD STIG (Security Technical Implementation Guide) requirements, this issue maps directly to several high-priority control areas:
- STIG Mobile Device Management controls require that applications distributed to government-managed endpoints enforce authentication boundaries and do not expose credentials or tokens to unauthorized parties. A debug flag that strips that boundary is a textbook configuration-compliance failure.
- ACAS (Assured Compliance Assessment Solution) and SCAP (Security Content Automation Protocol) scans check for known-bad application configurations on managed endpoints. A production app with an active debug flag is precisely the class of finding these tools are designed to surface — yet most ACAS scan profiles target OS-level and network-layer findings, meaning this app-layer control failure may pass automated checks while the risk is live.
- From a severity perspective, the ability for an unprivileged app to harvest valid OAuth tokens and access cloud productivity data without user interaction warrants a Category II (severity 4/5) classification under the STIG framework — a finding that must be remediated or formally accepted within defined timelines.
- Any organization subject to CMMC Level 2 or Level 3, FedRAMP Moderate/High, or DISA cloud-authorization requirements inherits an obligation to track and remediate this class of application misconfiguration on every enrolled mobile endpoint.
## What You Should Do in the Next 7–30 Days
Immediate (days 1–7):
- Audit enrolled Android devices via your MDM (Microsoft Intune, VMware Workspace ONE, etc.) to identify the version of every Microsoft 365 Android app installed across the fleet.
- Apply any available vendor patch or update immediately. If a patch is not yet available, evaluate whether to block the affected app versions using MDM app-allow-list policies.
- Open a formal POAM (Plan of Action and Milestones) entry if full remediation cannot be completed within your STIG-mandated window.
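As an added example (not code from the article, from Microsoft, or from any MDM vendor), the following Python script performs the version audit described in the steps above over an app-inventory export: it compares installed Android app versions against a fixed-version table and separates devices that need an update from those that need an allow-list block and a POAM entry because no fixed build exists yet. The package names are the public Android IDs of Microsoft apps, but which apps are affected and the fixed versions are placeholders to be filled from the vendor advisory, and the inventory records are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PLACEHOLDER table: fill package names and fixed versions from the vendor
# advisory. None means "no fixed build published yet".
FIXED_VERSIONS = {
    "com.microsoft.office.outlook": "4.2412.0",   # PLACEHOLDER version
    "com.microsoft.teams": "1416.1.0",            # PLACEHOLDER version
    "com.microsoft.skydrive": None,               # PLACEHOLDER: no fix yet
}

# Constructed sample of an MDM app-inventory export, one record per device/app.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "platform": "Android", "package": "com.microsoft.office.outlook", "version": "4.2410.1"},
    {"device_id": "dev-001", "platform": "Android", "package": "com.microsoft.teams", "version": "1416.1.0"},
    {"device_id": "dev-002", "platform": "Android", "package": "com.microsoft.office.outlook", "version": "4.2412.0 (Build 77)"},
    {"device_id": "dev-003", "platform": "iOS", "package": "com.microsoft.office.outlook", "version": "4.2400.0"},
    {"device_id": "dev-004", "platform": "Android", "package": "com.microsoft.skydrive", "version": "7.1.0"},
]

@dataclass
class Finding:
    device_id: str
    package: str
    installed: str
    fixed: Optional[str]
    action: str  # "update" if a fixed build exists, else "block_or_poam"

def version_key(version: str) -> tuple:
    """Turn '4.2412.0 (Build 77)' into a comparable tuple (4, 2412, 0, 0)."""
    core = version.strip().split()[0]            # drop build annotations
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return nums + (0,) * (4 - len(nums))          # pad so 1.2 == 1.2.0

def audit(inventory, fixed_versions) -> list:
    """Return one Finding per Android install that is below its fixed version
    or whose package has no fixed build at all."""
    findings = []
    for rec in inventory:
        if rec.get("platform", "").lower() != "android":
            continue                               # flaw is Android-specific
        pkg = rec["package"]
        if pkg not in fixed_versions:
            continue                               # not an app on the advisory
        fixed = fixed_versions[pkg]
        if fixed is None:
            findings.append(Finding(rec["device_id"], pkg, rec["version"], None, "block_or_poam"))
        elif version_key(rec["version"]) < version_key(fixed):
            findings.append(Finding(rec["device_id"], pkg, rec["version"], fixed, "update"))
    return findings

def devices_by_action(findings) -> dict:
    """Group device IDs by required action, ready for an MDM push or POAM entry."""
    out = {}
    for f in findings:
        out.setdefault(f.action, set()).add(f.device_id)
    return out
```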
Short-term (days 8–30):
- Update your ACAS / SCAP scan policy to include app-layer token-handling checks for mobile endpoints — most default SCAP benchmarks do not cover this.
- Review your mobile application vetting process to require that vendors attest no debug flags are present in production builds before an app is approved for DoD or FedRAMP-boundary deployment.
- Perform a lateral-movement exercise to determine which data repositories are reachable via a compromised M365 token in your specific environment.
- Document remediation evidence for your next Authorization to Operate (ATO) review.
## Start Your Free Trial of RDS GoSOC AI
RDS GoSOC AI maps findings like this one across 16 frameworks simultaneously — including DoD STIG, ACAS alignment, CMMC, and FedRAMP — so your team sees the full compliance blast radius the moment a new advisory drops. Start your 14-day free trial at platform.reremrdsgosoc.com/register. Every paid feature is unlocked from day one, no credit card required. Once you're inside, open the User Guide tab to orient quickly, and ask Sage, the in-app AI assistant, to walk you through mapping this token-theft scenario to your specific STIG checklist and ACAS scan gaps.