Once again, something has gone seriously wrong. Microsoft Defender XDR has incorrectly classified Adobe Acrobat Cloud links as "malicious". As a result, thousands of Adobe users suddenly had more than 1,700 sensitive documents checked on the AnyRun online platform. The documents uploaded to AnyRun by free-plan users were subsequently made public. Sensitive documents becoming public is, of course, particularly "good".
Microsoft Defender XDR
Microsoft Defender XDR is a coordinated threat protection solution for protecting devices, identities, data and applications. Microsoft states that this XDR platform provides security for endpoints, hybrid identities, email, collaboration tools and cloud apps across multiple platforms.
Defender XDR false positive and the consequences
A few hours ago, Microsoft Defender XDR appears to have triggered a false positive for Adobe Acrobat and Adobe Acrobat Cloud links. This had unexpected consequences, as the security provider AnyRun writes.
On the AnyRun platform, documents can be opened online in a sandbox and checked for malicious content. A few hours ago, the operators of AnyRun saw a sudden increase in Adobe Acrobat Cloud links uploaded to the ANYRUN sandbox.
When the operators investigated, it became clear that Microsoft Defender XDR had incorrectly classified the cloud link acrobat[.]adobe[.]com/id/urn:aaid:sc: as malicious (false positive).
This became a problem because users suddenly started uploading Adobe Acrobat Cloud links to the ANYRUN sandbox. Specifically, ANYRUN states that more than 1,700 sensitive Adobe Acrobat documents were uploaded to the sandbox for analysis within a short period of time.
The problem caused by the "false positive" alert from Microsoft Defender XDR is that PDF documents uploaded to ANYRUN for analysis via Adobe Acrobat Cloud links become public when the upload comes from a free-plan user. As a result, more than a thousand Adobe files containing sensitive corporate data from hundreds of companies became public through this analysis.
The ANYRUN operators have reacted and set all these analyses to private to prevent data leaks. However, users continue to share confidential Adobe documents publicly via the ANYRUN analysis.
The ANYRUN operators advise all users to always use a commercial ANYRUN license for work-related tasks to ensure data protection and compliance with regulations.
Note: If users from Europe had such Adobe Cloud links checked in ANYRUN and (Adobe Acrobat) documents with personal data were uploaded as a result, this would be a reportable GDPR incident.