A significant data leak involving Microsoft Defender XDR exposed over 1,700 sensitive documents from many organizations, triggered by a critical false positive error.
The incident was first identified by security researchers at ANY.RUN, revealing flaws in automated threat detection systems and the risks of user behavior in cloud environments.
How the Leak Happened
The breach started when Microsoft Defender XDR mistakenly flagged legitimate Adobe Acrobat Cloud URLs (beginning with acrobat[.]adobe[.]com/id/urn:aaid:sc:) as malicious.
According to ANY.RUN, this misclassification caused thousands of users to upload their flagged files to ANY.RUN’s online sandbox for malware analysis.
Many of those users were on ANY.RUN’s free tier, where submissions are public by default, so they unknowingly made over 1,700 sensitive Adobe files visible and searchable online, exposing proprietary data from hundreds of companies.
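The chain described above has two points where a defender can intervene before a file reaches a public sandbox: recognising that the flagged indicator matches a known-legitimate cloud-sharing prefix (so the right action is a false-positive report to the vendor, not external analysis), and refusing to send anything non-public to a sandbox whose submissions are shared by default. The following Python is an added illustration written for this article; it is not code from ANY.RUN, Microsoft or Adobe. The allowlist holds only the acrobat.adobe.com prefix the article names, the `hxxp`/`[.]` defanging conventions, the classification labels and the `example.invalid` host are constructed for the example, and no real sandbox API is called.

```python
import re

# Constructed allowlist: the one prefix the article identifies as the
# false-positive trigger. In practice this list would be maintained by the
# SOC, not hard-coded.
KNOWN_BENIGN_PREFIXES = [
    "https://acrobat.adobe.com/id/urn:aaid:sc:",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (acrobat[.]adobe[.]com, hxxps://) back into a URL.

    Alerts and tickets usually carry defanged forms; normalising them first
    means the allowlist check cannot be bypassed by a cosmetic difference.
    """
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    if not re.match(r"^https?://", s, re.IGNORECASE):
        s = "https://" + s  # assume HTTPS for scheme-less indicators
    return s


def classify_alert(url: str) -> str:
    """Return 'known-benign' if the URL sits under an allowlisted prefix, else 'needs-review'."""
    u = refang(url).lower()
    for prefix in KNOWN_BENIGN_PREFIXES:
        if u.startswith(prefix.lower()):
            return "known-benign"
    return "needs-review"


def should_submit_to_external_sandbox(url: str, sandbox_visibility: str,
                                      data_classification: str) -> tuple:
    """Gate an analyst's decision to upload a flagged file to a third-party sandbox.

    sandbox_visibility: 'public' or 'private' (free tiers default to public).
    data_classification: label of the document, e.g. 'public' or 'confidential'.
    Returns (allowed, reason).
    """
    if classify_alert(url) == "known-benign":
        return (False, "matches known-benign prefix; report the false positive to the vendor")
    if data_classification != "public" and sandbox_visibility == "public":
        return (False, "non-public data must not be submitted to a public-visibility sandbox")
    return (True, "ok to submit")


def triage(alerts: list) -> list:
    """Apply the gate to a batch of (url, visibility, classification) tuples."""
    return [should_submit_to_external_sandbox(*a) for a in alerts]


if __name__ == "__main__":
    # Constructed sample alerts mirroring the incident: an Adobe share link
    # flagged by the EDR, and a genuinely suspicious URL on a constructed host.
    sample = [
        ("hxxps://acrobat[.]adobe[.]com/id/urn:aaid:sc:EXAMPLE0001", "public", "confidential"),
        ("hxxp://example[.]invalid/payload.exe", "public", "confidential"),
        ("hxxp://example[.]invalid/payload.exe", "private", "confidential"),
    ]
    for alert, (ok, why) in zip(sample, triage(sample)):
        print(f"{alert[0]} -> submit={ok}: {why}")
```

The first sample is stopped by the allowlist regardless of sandbox tier, which is the outcome the article's affected users needed; the second is stopped only because a confidential file was about to go to a public-visibility sandbox, and the third passes because the same file is headed for a private one.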
The incident sparked widespread concern within the cybersecurity community.
ANY.RUN’s analysis shared with Cyber Security News revealed that the uploaded files contained confidential documents, risking privacy breaches, intellectual property loss, and exploitation by malicious actors.
ANY.RUN responded quickly by moving the affected files to private mode to prevent further exposure. However, some users continued uploading sensitive files publicly, worsening the issue. ANY.RUN advised using a commercial license for work-related tasks to ensure privacy and compliance.
The leak has reignited concerns over the dangers of false positives in security products, especially in cloud environments where sharing and automation are common.
Cybersecurity analyst Florian Roth pointed out that cloud platforms like Microsoft 365 and AWS are prime targets for attackers due to limited logging and detection, making such errors more damaging.
Experts emphasize the need for detection algorithms that minimize false alarms without missing real threats.
This incident highlights the importance of user education, urging organizations to avoid using free public tools for sensitive tasks and to report false positives directly to vendors for quick resolution.
The leak serves as a warning: even trusted security tools can cause massive data exposure if not properly configured and monitored. Organizations are urged to review their data handling and incident response processes, especially when using third-party cloud tools for sensitive information.