Security researchers at ANY.RUN recently uncovered a critical flaw in Microsoft Defender XDR, a leading threat detection platform. The incident exposed over 1,700 confidential business documents from hundreds of companies, raising urgent questions about the reliability of automated security systems.

The False Positive That Started It All

While investigating a sudden spike in uploads to their public sandbox, ANY.RUN traced the issue back to a misclassification in Microsoft Defender XDR. The platform incorrectly flagged legitimate Adobe Acrobat Cloud URLs (specifically links starting with acrobat[.]adobe[.]com/id/urn:aaid:sc:) as malicious.

This false positive triggered Defender XDR’s automated response: quarantining files and redirecting them to ANY.RUN’s sandbox for analysis. However, users on the platform’s free tier, which defaults to public sharing, unknowingly exposed sensitive corporate data.

Key Vulnerabilities Exploited

  • Default Public Sharing: Free-tier users’ analyses were publicly accessible by design.
  • User Behavior: Panicked employees uploaded flagged documents without reviewing sharing settings.
  • Compliance Gaps: Many organizations lacked protocols for handling automated security alerts.

The Aftermath: Over 1,700 Documents Exposed

The leaked files contained:

  • Financial records
  • Intellectual property
  • Internal communications
  • Client agreements

ANY.RUN acted swiftly to mitigate damage by converting affected analyses to private mode. Despite this, some users continued uploading sensitive files publicly, compounding the breach.

Why This Incident Matters

  • Third-Party Risks: Reliance on automated systems can backfire without human oversight.
  • Compliance Failures: Publicly shared analyses violated GDPR and other data protection laws.
  • Reputation Damage: Affected companies now face potential lawsuits and client distrust.

Lessons for Enterprises

  1. Audit Automated Systems: Regularly review threat detection rules to avoid false positives.
  2. Enforce Private Analysis: Use business-tier licenses (like ANY.RUN’s enterprise plan) to ensure data privacy.
  3. Train Employees: Teach teams to verify alerts before acting, especially with sensitive data.
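As an added illustration of lessons 2 and 3 (this is not code from the article, ANY.RUN or Microsoft), the following Python pre-submission gate holds a quarantined file for analyst verification when its only URLs match the Acrobat share-link pattern the article names, and otherwise defaults to private analysis. The URL prefix is the page's pattern with the defanging removed; the sensitivity markers, the `allow_public` flag and the sample documents are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Legitimate Adobe Acrobat share-link prefix the article says Defender XDR
# misclassified (the page shows it defanged as acrobat[.]adobe[.]com/id/urn:aaid:sc:).
KNOWN_FALSE_POSITIVE_PREFIXES = ("https://acrobat.adobe.com/id/urn:aaid:sc:",)

# Constructed markers for content that must never reach a public sandbox.
SENSITIVE_MARKERS = ("confidential", "internal only", "do not distribute")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

@dataclass
class Decision:
    action: str   # "hold_for_review", "submit_private" or "submit_public"
    urls: list
    reason: str

def triage_quarantined_file(text: str, allow_public: bool = False) -> Decision:
    """Gate a file flagged by an automated alert before it goes to a sandbox.
    Only-known-false-positive URLs -> hold for verification; sensitivity markers,
    or no explicit permission for public sharing -> private analysis.
    """
    urls = URL_RE.findall(text)
    lowered = text.lower()
    sensitive = any(marker in lowered for marker in SENSITIVE_MARKERS)
    only_known_fp = bool(urls) and all(
        u.startswith(KNOWN_FALSE_POSITIVE_PREFIXES) for u in urls)

    if only_known_fp:
        return Decision("hold_for_review", urls,
                        "every URL matches a known false-positive pattern; verify the alert first")
    if sensitive:
        return Decision("submit_private", urls, "sensitivity markers present")
    if not allow_public:
        return Decision("submit_private", urls, "public sharing not explicitly allowed")
    return Decision("submit_public", urls, "no sensitivity markers; public sharing allowed")

# Constructed sample documents, not real leaked files.
SAMPLE_FALSE_POSITIVE = ("Q3 review deck: https://acrobat.adobe.com/id/urn:aaid:sc:EU:EXAMPLE-0000 "
                         "CONFIDENTIAL - internal only")
SAMPLE_UNKNOWN_URL = "Invoice at http://example.invalid/download?id=7 - internal only"
SAMPLE_PLAIN = "Friday lunch menu: https://example.invalid/menu.pdf"

if __name__ == "__main__":
    for sample in (SAMPLE_FALSE_POSITIVE, SAMPLE_UNKNOWN_URL, SAMPLE_PLAIN):
        decision = triage_quarantined_file(sample)
        print(decision.action, "-", decision.reason)
```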

Final Takeaway:
Automated tools like Microsoft Defender XDR are invaluable, but human vigilance is irreplaceable. Always pair technology with robust protocols to avoid becoming the next headline.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.