When AI Sandboxes Leak and Exchange Goes Dark: This Week's Security Reality Check


You know those weeks where everything seems to happen at once? This is one of them. While Microsoft users were locked out of their mailboxes yesterday, researchers discovered that AWS’s AI tools have a data exfiltration problem, and somewhere in Asia, state-sponsored hackers are playing the longest game imaginable.

Let me walk you through what caught my attention this week and why these incidents matter more than the usual security news cycle suggests.

The Exchange Outage That Reminded Us About Single Points of Failure

Microsoft Exchange Online went down yesterday, leaving countless organizations unable to access email and calendars. Microsoft is working to address the outage, but here’s what really gets me: how many companies discovered they had no backup communication plan?

I’ve been in those emergency calls where everyone’s trying to coordinate incident response through personal phones and Slack DMs because corporate email is toast. It’s chaos, and it highlights something we don’t talk about enough – our over-reliance on single vendors for critical business functions.

This isn’t just about having a backup email provider (though that’s not a bad idea). It’s about understanding that when you move everything to the cloud, you’re essentially betting your business continuity on someone else’s infrastructure. That bet usually pays off, but when it doesn’t, you better have a plan.

AI Security Gets Real: AWS Bedrock’s DNS Problem

Here’s where things get technically interesting. Security researchers found a flaw in AWS Bedrock’s Code Interpreter that lets attackers use DNS queries to exfiltrate data from AI sandboxes.

Think about this for a second. We’re putting sensitive data into AI systems, assuming they’re properly sandboxed, and it turns out there’s a way to leak that information through DNS requests. It’s elegant in that terrifying way that makes you appreciate creative attackers while simultaneously wanting to audit every AI tool your organization uses.

This vulnerability in AWS Bedrock AgentCore is particularly concerning because DNS-based exfiltration is notoriously hard to detect. Most organizations aren’t closely monitoring DNS traffic for data leakage patterns, and even if they are, it’s easy to miss among the noise of legitimate requests.
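The DNS-tunnelling pattern described above, seen from the defender's side: a small detector that groups queries by client and registered domain and flags the shape that data leaving over DNS takes (many distinct, long, high-entropy subdomain prefixes). This is an added example, not code from the post or from AWS; it runs over a constructed query log, and the thresholds and the two-label registered-domain rule are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log, "<epoch> <client_ip> <qname>": three ordinary lookups from one host,
# then six lookups from another host whose subdomain labels carry hex-encoded payload.
SAMPLE_LOG = """\
1700000001 10.0.5.20 api.example-partner.com
1700000002 10.0.5.20 www.example-partner.com
1700000003 10.0.5.20 cdn.example-partner.com
1700000010 10.0.5.31 0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.exfil-example.net
1700000011 10.0.5.31 1a2b3c4d5e6f7089.9807f6e5d4c3b2a1.exfil-example.net
1700000012 10.0.5.31 fedcba9876543210.0123456789abcdef.exfil-example.net
1700000013 10.0.5.31 02468ace13579bdf.fdb97531eca86420.exfil-example.net
1700000014 10.0.5.31 3210fedc7654ba98.89ab4567cdef0123.exfil-example.net
1700000015 10.0.5.31 a0b1c2d3e4f56789.9876f5e4d3c2b1a0.exfil-example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded data scores high, human-chosen hostnames score low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_exfil(log_text, min_queries=5, min_entropy=3.0, min_prefix_len=16):
    """Return {(client, domain): stats} for groups that look like DNS tunnelling."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing the detector
        client, qname = parts[1], parts[2].lower().rstrip(".")
        dom = registered_domain(qname)
        prefix = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        if prefix:
            groups[(client, dom)].add(prefix)
    findings = {}
    for key, prefixes in groups.items():
        if len(prefixes) < min_queries:
            continue  # too few distinct labels to carry a payload worth flagging
        bodies = [p.replace(".", "") for p in prefixes]
        avg_entropy = sum(map(shannon_entropy, bodies)) / len(bodies)
        avg_len = sum(map(len, prefixes)) / len(prefixes)
        if avg_entropy >= min_entropy and avg_len >= min_prefix_len:
            findings[key] = {"queries": len(prefixes), "avg_entropy": round(avg_entropy, 2),
                             "avg_len": round(avg_len, 1), "payload_chars": sum(map(len, bodies))}
    return findings
```

On the sample log only the second host is flagged; the legitimate api/www/cdn lookups fall below both the query-count and entropy thresholds, which is the noise the detector has to ignore in a real resolver log.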

The Social Engineering Evolution: LiveChat as Attack Vector

Meanwhile, attackers are getting creative with social engineering. There’s a campaign running right now that impersonates PayPal and Amazon through LiveChat interactions to steal credit card information and personal data.

What makes this particularly nasty is how it exploits our trust in customer support channels. When someone reaches out through what appears to be legitimate customer service, our guard naturally comes down. We’re trained to be suspicious of emails and phone calls, but a chat session on what looks like Amazon’s website? That feels safe.

The attackers are patient too. They’re not rushing to collect information – they’re having full conversations, building rapport, making it feel like genuine customer service. It’s social engineering at its most refined.

The Patient Game: China-Linked Military Espionage

Speaking of patience, there’s a China-linked espionage operation targeting Asian military organizations that’s been flying under the radar for months. These attackers deployed custom tools and then went dormant, waiting for the right moment to act.

This is state-sponsored hacking at its most sophisticated. We’re not talking about quick smash-and-grab operations. These groups establish persistent access and then wait – sometimes for months – before making their move. They understand that the longer they stay quiet, the more likely they are to avoid detection.

For those of us defending corporate networks, this should be sobering. If military-grade security can be compromised by patient attackers, what does that mean for our quarterly penetration tests and annual security reviews? We need to assume that sophisticated attackers are already inside our networks and focus on detection and response, not just prevention.

The Validation Problem We’re All Facing

This brings me to something that’s been bothering me about our industry. We have all these security tools – vulnerability scanners, penetration testing platforms, breach and attack simulation tools – but they don’t talk to each other. Each gives us a piece of the puzzle, but none of them provides the complete picture.

The move toward “agentic” security validation makes sense when you think about it. We need systems that can coordinate these different tools, correlate their findings, and give us actionable intelligence instead of just more alerts to triage.

What This All Means for Us

Looking at these incidents together, I see a pattern. The threat landscape isn’t just getting more complex – it’s getting more patient and more creative. Attackers are willing to wait months for the right opportunity, they’re exploiting our trust in customer service interactions, and they’re finding ways to extract data from systems we thought were secure.

At the same time, our defensive tools are becoming more sophisticated, but they’re not keeping pace with the coordination and patience we’re seeing from attackers. We need to think differently about security validation, incident response, and business continuity planning.

The good news? Awareness is the first step. When we understand how these attacks work and where our blind spots are, we can start building better defenses.
