A method for exfiltrating sensitive data from AI-powered code execution environments using domain name system (DNS) queries has been demonstrated by security researchers, highlighting potential risks in cloud-based AI tooling.
The Phantom Labs Research report, published on March 16, focuses on AWS Bedrock AgentCore Code Interpreter and shows how attackers could bypass expected network restrictions in Sandbox Mode to retrieve data from cloud resources.
The technique relies on DNS resolution capabilities that remain active even when outbound network connections are otherwise restricted. According to the researchers, this behaviour allows malicious instructions embedded in files to create a covert command-and-control (C2) channel.
How the Technique Works
The attack begins with the creation of a malicious CSV file containing embedded instructions. When an AI agent processes the file and prepares code for execution within the Code Interpreter, the embedded content can influence the generated Python code.
Instead of performing standard analysis tasks, the code may be modified to communicate with an external C2 server via DNS queries. The system polls the server using DNS requests and executes any returned commands.
The researchers demonstrated several capabilities during testing:
- Executing basic commands such as whoami within the sandbox
- Listing available Amazon S3 buckets and their contents
- Extracting full file contents, including credentials, personal data and financial information
Despite these actions, the environment continued to report that network access was disabled.
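A defender-side illustration of the pattern described above: a DNS C2 channel that polls with ever-changing, encoded query names leaves a recognisable trace in resolver logs. This is an added example, not code from the Phantom Labs report or from AWS; the log records, field names (`srcaddr`, `query_type`, `query_name`) and thresholds are constructed assumptions loosely modelled on resolver query-log JSON.

```python
"""Heuristic detection of DNS-based C2 polling in resolver query logs (added example)."""
import json
import math
from collections import defaultdict

# Constructed sample records (assumed field names): one benign source resolving
# package hosts, one source polling a domain with unique, high-entropy labels.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"srcaddr": "10.0.1.23", "query_type": "A", "query_name": "pypi.org."},
    {"srcaddr": "10.0.1.23", "query_type": "A", "query_name": "pypi.org."},
    {"srcaddr": "10.0.1.23", "query_type": "A", "query_name": "files.pythonhosted.org."},
    {"srcaddr": "10.0.1.23", "query_type": "A", "query_name": "pypi.org."},
    {"srcaddr": "10.0.1.42", "query_type": "TXT", "query_name": "b3f9a1c2d4e5f6a7b8c9d0e1f2a3b4c5.c2.example."},
    {"srcaddr": "10.0.1.42", "query_type": "TXT", "query_name": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2.example."},
    {"srcaddr": "10.0.1.42", "query_type": "TXT", "query_name": "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.c2.example."},
    {"srcaddr": "10.0.1.42", "query_type": "TXT", "query_name": "f1e2d3c4b5a69788796a5b4c3d2e1f00.c2.example."},
])

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label (0.0 for the empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """Return (subdomain_labels, registered_domain). Assumes a two-label registered
    domain; a production detector would consult the public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def flag_dns_channels(log_text: str, min_queries=4, min_entropy=3.0, min_unique_ratio=0.8):
    """Group queries by (source, registered domain); flag groups whose leftmost labels
    are almost never repeated and look random, i.e. encoded data or polling nonces."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        subs, domain = split_name(rec["query_name"])
        groups[(rec["srcaddr"], domain)].append((".".join(subs), rec["query_type"]))
    flagged = {}
    for key, items in groups.items():
        if len(items) < min_queries:
            continue  # too few queries to judge; avoids flagging one-off lookups
        subs = [s for s, _ in items]
        unique_ratio = len(set(subs)) / len(subs)
        avg_entropy = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        txt_ratio = sum(1 for _, t in items if t == "TXT") / len(items)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            flagged[key] = {"queries": len(items), "unique_ratio": round(unique_ratio, 2),
                            "avg_entropy": round(avg_entropy, 2), "txt_ratio": round(txt_ratio, 2)}
    return flagged
```

Thresholds are starting points to tune against a baseline of the interpreter's normal resolver traffic; a high TXT ratio is reported alongside the entropy score because TXT answers are a common carrier for returned commands.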
Ram Varadarajan, CEO at Acalvio, said the findings illustrate a deeper architectural challenge. "AWS Bedrock's sandbox isolation failed at the most fundamental layer, DNS, and the lesson isn't that AWS shipped a bug, it's that perimeter controls are architecturally insufficient against agentic AI execution environments."
Potential Impact on Cloud Environments
The findings also indicate that risks increase when Code Interpreter instances are assigned overly permissive IAM roles. In some configurations, the interpreter may inherit roles designed for other AgentCore services that require broader access.
The default AgentCore Starter Toolkit role, for example, can include wide permissions such as:
- Full access to DynamoDB
- Full access to Secrets Manager secrets
- Read access to all S3 buckets in the account
If attackers can influence code execution within the interpreter, these permissions could enable the discovery and extraction of sensitive information.
"Organizations must understand that the 'Sandbox' network mode in AWS Bedrock AgentCore Code Interpreter does not provide complete isolation from external networks," warned Jason Soroko, senior fellow at Sectigo.
AWS Response and Security Recommendations
AWS reviewed the research and determined the behaviour reflects intended functionality rather than a vulnerability. Instead of issuing a patch, the company updated its documentation to clarify that Sandbox Mode provides limited external network access and allows DNS resolution.
Because the behaviour is considered intentional, Soroko said organizations must adapt their security approach. "To protect sensitive workloads, administrators should inventory all active AgentCore Code Interpreter instances and immediately migrate those handling critical data from Sandbox mode to VPC mode."
The study highlights a broader challenge as AI systems gain the ability to execute code and interact with infrastructure: without strict permission boundaries and network controls, automated agents may become an unexpected path for data exposure.
