Jingle Thief: Cloud-Native Fraud Ring Steals Millions via Microsoft 365 Gift Cards
The Unit 42 team at Palo Alto Networks has released an in-depth investigation into a new international cybercrime campaign driven by financially motivated actors, codenamed Jingle Thief. Operating out of Morocco, the group specializes in large-scale gift card fraud that intensifies ahead of the holiday season. Its primary targets are major global retailers and consumer service enterprises relying on cloud-based platforms, particularly Microsoft 365.
According to Unit 42, the activity cluster designated CL-CRI-1032 is highly likely linked to the threat actors previously tracked as Atlas Lion and STORM-0539. This group is distinguished by its exceptional persistence within victim environments—maintaining access to corporate clouds for over a year in some cases, carefully studying internal processes and hierarchies to escalate privileges. In the spring of 2025, Jingle Thief conducted a series of coordinated intrusions against multiple international corporations simultaneously.
Following phishing or smishing campaigns, the attackers gained access to Microsoft 365 via stolen credentials and began reconnaissance activities. They explored SharePoint and OneDrive repositories for documents related to gift card issuance, financial workflows, and internal procedures, while also connecting to Exchange and Entra ID. Notably, the group refrained from deploying malware or infecting endpoints—instead, all operations occurred entirely within the cloud, leveraging legitimate services.
Subsequent stages involved the distribution of internal phishing notifications, enabling further account compromise. These messages imitated ServiceNow alerts, IT department requests, or inactivity warnings, directing recipients to counterfeit Microsoft 365 login pages styled to match the organization’s branding. This allowed the attackers to silently expand their foothold, compromising dozens of accounts and maintaining visibility into corporate communications.
One of their key techniques was the creation of hidden email forwarding rules that sent messages to external addresses, enabling passive surveillance of communications regarding the issuance and approval of gift cards. To cover their tracks, the attackers automatically moved sent phishing emails and user replies to the Deleted Items folder, preventing staff from noticing any irregular activity.
For long-term persistence, the group registered its own devices in Entra ID, added fraudulent authenticator applications, and modified passwords through legitimate self-service recovery mechanisms. This ensured resilient access that persisted even after password resets or session revocations. Once entrenched, Jingle Thief turned to its main objective—issuing high-value gift cards, which were rapidly liquidated or used for money-laundering operations.
Gift cards have become an appealing target due to their minimal personal data requirements, difficulty of transaction tracing, widespread corporate usage, and weak internal oversight. On underground markets, such cards are sold at a discount, allowing criminals to quickly monetize stolen assets. Unit 42 observed that in one case, the attackers controlled over sixty corporate accounts within a single global enterprise for nearly ten months, attempting to mass-issue premium gift cards across several loyalty programs.
All identified connections originated from Moroccan IP address ranges associated with MT-MPLS, ASMedi, and MAROCCONNECT. While the group occasionally used Mysterium VPN, it often connected directly—further confirming its geographic origin. Recurrent domain naming patterns and URL structures also point to a unified Moroccan infrastructure.
The Jingle Thief campaign underscores the growing threat of cloud-native attacks, where adversaries exploit legitimate platform functionality rather than compromising endpoints. Such tactics make detection exceedingly difficult and allow intrusions to persist undetected for months.
Unit 42 experts emphasize that defending against these tactics requires continuous behavioral monitoring, analysis of unusual logins and policy changes, and a shift toward identity-centric security. In modern cybersecurity, it is the digital identity—not the network perimeter—that now defines the true boundary of protection.