ANY.RUN allows users to upload suspicious files and URLs for dynamic analysis. However, unless explicitly set to private or used under a commercial license, these uploads are publicly accessible. This means that anyone browsing the platform can view, download, and analyze the same files—posing serious risks when sensitive or proprietary data is involved.
Example 1: The Microsoft Defender Misfire Incident
In April 2025, a major incident occurred when Microsoft Defender XDR mistakenly flagged legitimate Adobe Acrobat Cloud links as malicious. This led to a flood of uploads to ANY.RUN by users trying to verify the safety of these links.
- What happened: Over 1,700 Adobe files containing sensitive corporate data were uploaded to ANY.RUN’s public sandbox.
- Why it mattered: These documents included confidential information from hundreds of companies, such as internal communications, financial records, and intellectual property.
- ANY.RUN’s response: The platform quickly made these sessions private and issued warnings to users, urging them to use commercial licenses for work-related tasks.
This incident underscores how a simple misclassification by a security tool can trigger a chain reaction, leading to mass data exposure.
Example 2: Misunderstanding Privacy Settings
ANY.RUN’s interface and messaging have occasionally led to confusion among users regarding what is public and what is private.
- User confusion: Some users believed that creating a free account would automatically keep their uploads private. However, unless explicitly configured, uploads remain publicly visible.
- Community backlash: Cybersecurity professionals criticized ANY.RUN for unclear messaging, noting that many users were unaware of the public nature of their uploads until it was too late.
This highlights the importance of clear communication from platform providers—and vigilance from users.
Types of Data Commonly Exposed
- Corporate documents: Internal reports, strategy documents, and financial statements.
- Customer data: Personally identifiable information (PII), contracts, and support logs.
- Credentials: Configuration files containing usernames, passwords, or API keys.
- Malware samples: Proprietary or targeted malware used in red team operations or threat research.
Mitigation Strategies
To avoid public exposure, users should adopt the following practices:
- Use private sessions: Always verify that your analysis is set to private before uploading, or make sure the document does not contain private information.
- Upgrade to a commercial license: For professional or sensitive work, use a paid plan that guarantees privacy controls.
- Double-check file contents: Before uploading, ensure the file doesn’t contain sensitive data that could be inadvertently shared.
- Educate your team: Make sure everyone understands the platform’s privacy settings and implications.
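One way to apply the "double-check file contents" step before a public submission, as an added example that is not ANY.RUN's or the article's own code. The patterns, the `scan` and `may_submit` names, and the sample config are constructed for illustration.

```python
import re

# Constructed patterns for the data types listed above; extend them for your organisation.
PATTERNS = {
    "credential": re.compile(
        rb"(?i)(password|passwd|pwd|api[_-]?key|secret|token)[\"']?\s*[:=]\s*\S+"),
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "marking": re.compile(rb"(?i)\b(confidential|internal use only|proprietary)\b"),
}

def scan(data: bytes) -> dict:
    """Count hits per category; never returns the matched secrets themselves."""
    # Second view with NUL bytes stripped so UTF-16LE text (common on Windows) is seen too.
    views = {data, data.replace(b"\x00", b"")}
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = max(sum(1 for _ in pattern.finditer(v)) for v in views)
        if hits:
            findings[name] = hits
    return findings

def may_submit(data: bytes, session_private: bool):
    """Allow a public submission only when the scan is clean."""
    findings = scan(data)
    return (session_private or not findings), findings

# Constructed sample: a config file of the kind the article warns about.
SAMPLE_CONFIG = (b"db_user=svc_report\n"
                 b"db_password = Constructed-Example-1\n"
                 b"api_key: CONSTRUCTED-0000\n")

if __name__ == "__main__":
    allowed, findings = may_submit(SAMPLE_CONFIG, session_private=False)
    print("submit to public sandbox:", allowed, findings)
```

A clean result is not proof of safety: text inside compressed containers such as PDF streams or Office archives is invisible to a byte-level scan, so treat this as a first gate rather than a replacement for reviewing the file.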
Public exposure on ANY.RUN is not just a theoretical risk—it has already led to real-world data leaks. By understanding how these exposures happen and taking proactive steps, users can harness the power of ANY.RUN without compromising security.