Microsoft Defender XDR False Positive Leaked 1,700+ Sensitive Documents to the Public


An alarming data leak involving Microsoft Defender XDR has exposed more than 1,700 sensitive documents from hundreds of organizations, following a chain reaction triggered by a critical false positive error.

Security researchers at ANY.RUN first identified and reported the incident, highlighting major weaknesses in automated threat detection systems and the risks posed by user behaviors in cloud environments.

How the Leak Happened

The breach began when Microsoft Defender XDR, a leading advanced threat protection solution, erroneously flagged legitimate Adobe Acrobat Cloud URLs—specifically those beginning with acrobat[.]adobe[.]com/id/urn:aaid:sc:—as malicious.

According to ANY.RUN’s report, this misclassification led thousands of users to upload their flagged files to ANY.RUN’s online sandbox for malware analysis.

🚨 Important: False positive from MS Defender XDR has led to 1,700+ sensitive docs being shared publicly via #ANYRUN alone.

A couple of hours ago we saw ...


Copyright of this story solely belongs to gbhackers.