Jingle Thief: How Hackers Exploit Microsoft 365 Cloud Services to Steal Millions in Retail Gift Cards
- Rescana
- Oct 23

Executive Summary
The “Jingle Thief” campaign is a financially motivated cybercrime operation that relies entirely on cloud-native attack vectors to compromise enterprise environments, targeting global retail and consumer services organizations with large gift card operations. Attributed to Morocco-based threat actors tracked as CL-CRI-1032 (overlapping with Atlas Lion and STORM-0539), the campaign abuses legitimate Microsoft 365 identity and collaboration features rather than software vulnerabilities, combining targeted social engineering, credential theft, and manipulation of identity and access management settings to gain and keep persistent access. The attackers have dwelled undetected in victim environments for up to ten months, systematically issuing fraudulent gift cards and causing multi-million dollar losses. Because no traditional malware is deployed and every action runs through legitimate cloud services, detection and response are considerably harder than for a conventional intrusion.
Threat Actor Profile
The threat actors behind Jingle Thief are a well-organized, financially motivated group operating primarily out of Morocco. Tracked by multiple vendors as CL-CRI-1032 (Unit 42), Atlas Lion, and STORM-0539 (Microsoft), this cluster has a history of targeting retail and consumer services sectors, with a particular focus on organizations that issue or manage large volumes of gift cards. The group is characterized by its deep understanding of cloud identity systems, its ability to craft highly convincing phishing and smishing lures, and its operational security, including the use of Moroccan and U.S.-based infrastructure to obfuscate attribution. The actors are known to time their operations around holidays and periods of reduced staffing, maximizing the impact and minimizing the likelihood of rapid detection.
Technical Analysis of Malware/TTPs
The Jingle Thief campaign is distinguished by its exclusive reliance on cloud-native tactics, techniques, and procedures (TTPs), with no deployment of traditional malware. The attack lifecycle begins with highly targeted phishing and smishing campaigns, leveraging self-hosted PHP mailer scripts on compromised WordPress servers to deliver lures that mimic legitimate Microsoft 365 login portals. These lures are crafted using detailed intelligence on the target’s branding, login workflows, and internal communication styles, often incorporating real employee names and roles to increase credibility.
Upon successful credential harvesting, the attackers immediately access the victim’s Microsoft 365 environment, conducting reconnaissance across SharePoint, OneDrive, Exchange Online, and Microsoft Entra ID (formerly Azure Active Directory). Their primary objective is to identify gift card issuance workflows, ticketing system exports, VPN configuration guides, and spreadsheets or tools related to gift card management. This reconnaissance is performed using legitimate cloud APIs and interfaces, making it difficult to distinguish from normal user activity.
Lateral movement is achieved through internal phishing, where compromised accounts are used to send additional phishing emails to colleagues, often masquerading as IT notifications or ServiceNow alerts. The attackers do not deploy malware; instead, they rely on credential theft and the abuse of cloud-native features to expand their foothold.
Persistence is established through malicious inbox rules that forward emails related to gift card approvals and financial workflows to attacker-controlled accounts. The attackers also manipulate mailboxes by moving sent phishing emails and their replies to the Deleted Items folder, reducing the chance that the account owner or the security team notices the activity. Critically, they register their own devices and authenticator applications in Microsoft Entra ID. With an attacker-controlled authenticator enrolled, MFA prompts are satisfied by the attacker rather than blocked, and access survives a password reset unless the rogue authentication methods and devices are removed and the account’s sessions and refresh tokens are revoked at the same time.
Monetization is achieved by issuing high-value gift cards, which are then resold on gray markets or used for money laundering. The attackers are adept at timing their operations to coincide with holidays and periods of reduced staffing, increasing the likelihood of successful fraud and delayed detection.
Exploitation in the Wild
The Jingle Thief campaign has been observed in the wild with dwell times of up to 10 months within a single enterprise environment, compromising over 60 user accounts in some cases. Because no malware is deployed and all activity occurs within legitimate cloud services, the attackers operate with a high degree of stealth. Endpoint-focused security tooling has little to inspect in this model; meaningful detection has to come from identity and cloud audit telemetry, which is exactly where many organizations have the least coverage.
Attackers have been observed aligning their activity with holiday periods, exploiting reduced staffing levels to maximize financial gain. Gift cards issued fraudulently are quickly monetized through resale on gray markets and are also used as instruments for money laundering. The campaign has resulted in millions of dollars in losses for affected organizations, with the true scale of the impact likely underreported due to the stealthy nature of the attacks.
Victimology and Targeting
The primary victims of the Jingle Thief campaign are large retail and consumer services organizations with significant gift card operations. The attackers demonstrate a clear preference for enterprises that issue or manage high volumes of gift cards, as these present lucrative opportunities for fraud. While the campaign is global in scope, the attacker infrastructure is predominantly based in Morocco, with additional use of U.S.-based proxy or compromised hosts to further obfuscate their origin.
Victim organizations typically exhibit the following characteristics: extensive use of Microsoft 365 cloud services, reliance on internal workflows for gift card issuance and approval, and insufficient monitoring of cloud identity and access management activities. The attackers exploit these weaknesses to gain initial access, conduct reconnaissance, and maintain persistence, often remaining undetected for extended periods.
Mitigation and Countermeasures
To defend against the Jingle Thief campaign and similar cloud-native threats, organizations should implement a multi-layered security strategy focused on identity protection, cloud monitoring, and user education. Enforcing multi-factor authentication (MFA) is necessary but not sufficient: the lures harvest credentials interactively, and the actors enroll their own authenticators once inside, so phishing-resistant methods should be preferred where feasible, and security teams must monitor for new device registrations and newly added authentication methods in Microsoft Entra ID. Regular audits of cloud access logs are essential to detect anomalous logins, including those from Moroccan IP addresses or unfamiliar autonomous system numbers (ASNs), bearing in mind that the group also routes through U.S.-based hosts, so geolocation on its own is a weak filter and should be correlated with other signals.
Security teams should monitor for the creation of suspicious inbox rules and mailbox manipulation activities, such as the movement of sent messages to Deleted Items. User education campaigns should emphasize the risks of phishing and smishing, with particular attention paid to periods of increased attacker activity, such as holidays. Limiting internal permissions for gift card issuance systems and closely monitoring for unusual activity can further reduce the attack surface.
Organizations are encouraged to leverage advanced security analytics platforms capable of detecting cloud-native threats, such as Cortex XDR/XSIAM, which can generate alerts for activities including the configuration of inbox forwarding rules, anomalous SSO access, and massive file downloads from SaaS services. Incident response plans should be updated to account for cloud-native attack vectors, and regular tabletop exercises should be conducted to ensure readiness.
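The following is an added example, not code from the original report or from any of the vendors it cites. It shows how the persistence tradecraft described in the Technical Analysis section (forwarding and hiding inbox rules, rogue authenticator and device registrations) and the monitoring advice in this section can be turned into a correlation pass over Microsoft 365 Unified Audit Log records. The sample records, the example.com/example.net addresses, the Country field (assumed to come from a prior GeoIP enrichment step) and the EXPECTED_COUNTRIES allow-list are all constructed for this example; the field names follow the AuditData JSON shape as assumed here and should be checked against a real export before use.

```python
"""Correlate Jingle Thief-style persistence signals in M365 audit exports.

Added example. Field names follow the Unified Audit Log AuditData JSON shape
as assumed here (Operation, UserId, ClientIP, Parameters as [{Name, Value}]);
verify them against your tenant's Search-UnifiedAuditLog output.
"""
import json

# New-InboxRule / Set-InboxRule parameters that send copies of mail elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers use to hide rule matches (and their own sent phish) from the owner.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
# Subject/body filter words that single out the gift card and approval workflow.
FINANCE_WORDS = ("gift", "card", "approval", "payment")
# Entra ID audit operations that add a new MFA factor or device to an account.
MFA_DEVICE_OPS = {"User registered security info", "Add registered security info",
                  "Register device", "Add device"}
# Assumption: countries the workforce normally signs in from; tune per tenant.
EXPECTED_COUNTRIES = {"US", "GB"}


def load_records(lines):
    """One AuditData JSON object per line."""
    return [json.loads(line) for line in lines if line.strip()]


def parse_params(record):
    """Exchange admin records carry cmdlet parameters as a list of {Name, Value}."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def inbox_rule_findings(record):
    """(category, detail) tuples for rules that forward, hide, or target finance mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params, out = parse_params(record), []
    targets = [f"{k}={params[k]}" for k in FORWARDING_PARAMS if params.get(k)]
    if targets:
        out.append(("inbox_rule", "forwards mail: " + ", ".join(targets)))
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS or params.get("DeleteMessage") == "True":
        out.append(("inbox_rule", "hides matching mail (" + (params.get("MoveToFolder") or "delete") + ")"))
    filters = " ".join(params.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    if any(w in filters for w in FINANCE_WORDS):
        out.append(("inbox_rule", "filters on finance keywords: " + filters.strip()))
    return out


def mfa_device_findings(record):
    """A new authenticator or device is how the actors outlive a password reset."""
    if record.get("Workload") == "AzureActiveDirectory" and record.get("Operation") in MFA_DEVICE_OPS:
        return [("mfa_device", f"{record['Operation']} for {record.get('ObjectId')} from {record.get('ClientIP')}")]
    return []


def signin_findings(record):
    """Assumption: a prior GeoIP step added a 'Country' field to UserLoggedIn records."""
    country = record.get("Country")
    if record.get("Operation") == "UserLoggedIn" and country and country not in EXPECTED_COUNTRIES:
        return [("signin", f"sign-in from {country} via {record.get('ClientIP')}")]
    return []


def triage(records):
    """Collect findings per account so individually weak signals can be correlated."""
    by_user = {}
    for rec in records:
        findings = inbox_rule_findings(rec) + mfa_device_findings(rec) + signin_findings(rec)
        if findings:
            by_user.setdefault(rec.get("UserId", "?"), []).extend(findings)
    return by_user


def escalate(by_user, min_categories=2):
    """Accounts with two or more independent signal types warrant an incident, not a ticket."""
    return sorted(u for u, f in by_user.items() if len({c for c, _ in f}) >= min_categories)


# Constructed sample: one compromised account showing all three signals, one benign rule.
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in [
    {"CreationTime": "2025-10-20T03:02:10", "Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "j.doe@example.com", "ClientIP": "198.51.100.23", "Country": "MA"},
    {"CreationTime": "2025-10-20T03:09:51", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info", "UserId": "j.doe@example.com",
     "ObjectId": "j.doe@example.com", "ClientIP": "198.51.100.23"},
    {"CreationTime": "2025-10-20T03:14:07", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "j.doe@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "gift card;approval"},
                    {"Name": "ForwardTo", "Value": "ops-review@example.net"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}, {"Name": "MarkAsRead", "Value": True}]},
    {"CreationTime": "2025-10-20T09:00:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "a.smith@example.com", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]]

if __name__ == "__main__":
    found = triage(load_records(SAMPLE_AUDIT_LINES))
    for user, items in found.items():
        print(user)
        for category, detail in items:
            print(f"  [{category}] {detail}")
    print("escalate:", escalate(found))
```

Run stand-alone, the script reports five findings for j.doe (forwarding, hiding, finance-keyword filter, a new authenticator, and a sign-in from outside the expected countries) and escalates only that account; a.smith’s newsletter rule moves mail to an ordinary folder without forwarding or filtering on finance terms and produces nothing. The point of `escalate` is that none of the three signals is conclusive alone (users do travel and do enroll new phones), but an account that shows two or more within a short window matches the persistence pattern described in this report and should be treated as an incident: remove the rule, revoke sessions and refresh tokens, and delete the rogue authentication methods and devices, not just reset the password.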
References
- Palo Alto Networks Unit 42: Jingle Thief Campaign
- Microsoft: Into the Lion’s Den (PDF)
- Intel471: Threat Actors Target Gift Card Issuing Systems
- The Hacker News: Jingle Thief Hackers Exploit Cloud Infrastructure
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced analytics and threat intelligence to deliver actionable insights, enabling security teams to proactively identify and address vulnerabilities before they can be exploited by adversaries. We are committed to empowering our customers with the tools and intelligence needed to defend against the evolving threat landscape.
For further information or to discuss this report, we are happy to answer questions at ops@rescana.com.
Prepared for Rescana customers. This report is based solely on open-source and vendor-published intelligence as of October 2025.


