An alarming data leak involving Microsoft Defender XDR has exposed more than 1,700 sensitive documents from hundreds of organizations, following a chain reaction triggered by a critical false positive error.
Security researchers at ANY.RUN first identified and reported the incident, highlighting major weaknesses in automated threat detection systems and the risks posed by user behaviors in cloud environments.
How the Leak Happened
The breach began when Microsoft Defender XDR, a leading advanced threat protection solution, erroneously flagged legitimate Adobe Acrobat Cloud URLs—specifically those beginning with acrobat[.]adobe[.]com/id/urn:aaid:sc:—as malicious.
.png
)
According to ANY.RUN’s report, this misclassification led thousands of users to upload their flagged files to ANY.RUN’s online sandbox for malware analysis.
— ANY.RUN (@anyrun_app) April 24, 2025
Important: False positive from MS Defender XDR has led to 1,700+ sensitive docs being shared publicly via #ANYRUN alone.
A couple of hours ago we saw a sudden inflow of Adobe Acrobat Cloud links being uploaded to ANYRUN's sandbox.
After research, we've discovered that… pic.twitter.com/v66AHFMsJN
Crucially, many of these users were on ANY.RUN’s free tier, which defaults to public sharing, meaning uploaded files are indexed and viewable on the wider internet.
As a result, over 1,700 sensitive Adobe files were inadvertently published and made searchable, containing proprietary and confidential data from hundreds of companies.
The incident triggered widespread alarm within the cybersecurity community.
According to ANY.RUN’s analysis shared with Cyber Security News, the uploaded files included confidential documentation, which could potentially lead to privacy breaches, intellectual property loss, or even exploitation by malicious actors.
ANY.RUN acted quickly to mitigate further leaks, moving affected sandbox analyses to private mode to prevent additional exposure.
However, the company cautioned that some users continued to upload sensitive files publicly, compounding the issue. “Always use a commercial license for work-related tasks to ensure privacy and compliance,” ANY.RUN advised.
The leak has reignited debate over the dangers of false positives in security products, particularly in cloud-based environments where sharing and automation are the norm.
As noted by cybersecurity analyst Florian Roth, cloud platforms like Microsoft 365 and AWS are already prime targets for attackers due to limited logging and detection capabilities—making errors like this especially damaging.
Security experts stress the need for balanced detection algorithms that minimize false alarms without missing genuine threats.
The event underscores the vital role of user education, urging organizations and professionals to avoid using free public tools for sensitive corporate tasks and to carefully report false positives directly to vendors like Microsoft for swift resolution.
As cyber threats continuously evolve, the Microsoft Defender XDR false positive leak stands as a stark warning: even trusted security tools can inadvertently cause massive data exposure if not configured and monitored correctly.
Organizations are urged to review their data handling, incident response processes, and reliance on third-party cloud-based tools—especially for handling sensitive information.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
