Over 1700 Corporate Documents from Hundreds of Companies Sent for Malware Analysis After MS Defender Flags Safe Adobe Link

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

After Microsoft Defender XDR, a security tool that filters data from cloud applications, emails, and identity and access management systems, mistakenly flagged a link as malicious, over 1700 corporate documents were exposed publicly.

Malware analysis and threat investigation platform ANY.RUN posted about the corporate data leak, which stemmed from MS Defender incorrectly marking this link as malicious: acrobat[.]adobe[.]com/id/urn:aaid:sc:

Following this, free plan users of ANY.RUN began uploading Adobe files from over a hundred companies, exposing the stored data. Over a thousand Adobe Acrobat Cloud links were uploaded to ANY.RUN’s sandbox for detection purposes.

To prevent further damage, ANY.RUN announced that it was making the analysis private. However, this does not guarantee that users will not upload files publicly, opening the way for data abuse by threat actors.

We approached ANY.RUN for comments regarding the corporate data leak, and a company expert replied, saying, “It is virtually impossible to completely eliminate false positives, especially in an era of widespread AI and ML adoption.”

They further shared that false positives could be reduced through multi-layered verification and by training the models on historical data so that they identify false positives. This would require implementing critically evaluative subsystems.

“It is important to recognize that such cases have occurred, are occurring, and will continue to occur, and the top priority is not just avoiding errors altogether, but minimizing their consequences,” they further added.

Another concern is the reliance on automated systems by those who assess the information. Raising concern over the handling of the uploaded information by underqualified personnel, ANY.RUN said, “This is why it is essential not only to improve systems on the technical level but also to invest in training the people who operate them, providing the right tools and education. Cutting costs at this stage directly leads to incidents and data leaks.”

