Phishing pages, inbox manipulation, and rogue device enrollments allowed “Jingle Thief” to exploit Microsoft 365 and execute large-scale gift-card fraud.

‘Jingle Thief’ Abuses Microsoft 365 to Run Global Gift-Card Fraud

The420 Correspondent

San Francisco — A new wave of identity-driven cybercrime is reshaping how financial fraud operates online. According to a new report by Unit 42, Palo Alto Networks’ threat intelligence arm, a Morocco-based group dubbed “Jingle Thief” has been quietly infiltrating cloud infrastructures at global retailers to steal and issue gift cards worth millions of dollars.

Unlike traditional malware-driven heists, Jingle Thief operates entirely within Microsoft’s cloud environment. The attackers rely on phishing and smishing to harvest employee credentials, gaining access to Microsoft 365 accounts. From there, they move laterally through SharePoint, OneDrive, and Exchange, staying embedded for months.

In one case, Unit 42 observed the group maintaining persistence for nearly 10 months, compromising over 60 accounts within a single enterprise without triggering conventional endpoint alarms.


The Anatomy of the Attack: Phish, Persist, and Profit

Once the attackers infiltrate an organization, they conduct extensive cloud reconnaissance, scanning internal documentation for gift-card workflows, vendor details, and issuance protocols. Using legitimate cloud tools, they impersonate employees, send internal phishing emails, and create Exchange inbox rules to silently monitor communications.

They even move phishing emails and replies to “Deleted Items” to conceal their presence. To maintain control, they register rogue authenticator apps and fake devices through Microsoft Entra ID, enabling multi-factor authentication bypass and long-term access.

“These actors operate with the patience of insiders,” the report notes. “They adapt, learn corporate systems, and persist using legitimate identity features—making detection extremely difficult.”

Unit 42 tracks this activity cluster as CL-CRI-1032, overlapping with groups publicly identified as Atlas Lion and STORM-0539. The same infrastructure—linked to Moroccan ASNs like MT-MPLS, ASMedi, and MAROCCONNECT—has been active since 2021.

Gift Cards: The Perfect Digital Laundering Tool

The ultimate goal of the Jingle Thief campaign is simple: convert stolen access into untraceable cash. Gift cards serve as the ideal vehicle for this transformation.

They are easy to redeem, hard to trace, and accepted globally—making them a favorite among cybercriminals for low-risk money laundering. Once unauthorized cards are issued, they’re quickly resold at discounts on dark web and grey-market platforms.

“Gift cards combine stealth, speed, and scale,” said a Unit 42 analyst. “They bridge the gap between cyber theft and instant liquidity.”

During festive seasons, the attackers ramp up activity, knowing that staffing shortages and high transaction volumes make fraud easier to conceal.

The Cloud as a Crime Scene

The Jingle Thief campaign underscores a growing shift: the cloud is now the new battleground for cybercrime. By exploiting trusted applications like Microsoft 365, threat actors no longer need malware or ransomware payloads—they weaponize legitimate business processes.

In several incidents, Jingle Thief operators gained administrative-level visibility into email and file systems. They then issued gift cards from within legitimate systems, erasing digital traces through manipulated audit logs and mailbox rules.

Unlike ransomware, which relies on visibility and shock, this campaign thrives on silence and invisibility. Its operations are low-noise, high-profit, and primarily identity-driven.

Defenders’ Challenge: Identity Is the New Perimeter

Unit 42’s findings reinforce a growing industry reality: protecting user identity is now central to cybersecurity.

To counter similar attacks, experts recommend:

  • Restricting self-service authenticator setup and device enrollment.

  • Monitoring “first-seen country” logins, impossible travel events, and new device registrations.

  • Enforcing number-matching MFA and conditional access policies based on device compliance.

  • Locking down gift-card issuance systems with least privilege and dual-approval workflows.

  • Using User and Entity Behavior Analytics (UEBA) to spot anomalies in identity use.
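The signals in the list above (first-seen-country logins, rogue authenticator registrations, and inbox rules that divert mail to "Deleted Items") can be checked together. The following detection sketch is an added example, not code from Unit 42 or from the article; it runs over constructed, simplified audit events whose field and operation names are an assumption modelled loosely on Microsoft 365 unified audit log records, not the exact schema.

```python
from collections import defaultdict

# Constructed sample events (not real data); field names are an assumed, simplified schema.
EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@example.com", "country": "US", "ts": 1},
    {"op": "UserLoggedIn", "user": "alice@example.com", "country": "US", "ts": 2},
    {"op": "UserLoggedIn", "user": "alice@example.com", "country": "MA", "ts": 3},
    {"op": "New-InboxRule", "user": "alice@example.com", "country": "MA", "ts": 4,
     "params": {"SubjectContainsWords": "gift card", "MoveToFolder": "Deleted Items"}},
    {"op": "UserRegisteredSecurityInfo", "user": "alice@example.com", "country": "MA",
     "ts": 5, "method": "Microsoft Authenticator"},
    {"op": "New-InboxRule", "user": "bob@example.com", "country": "US", "ts": 6,
     "params": {"From": "newsletter@example.com", "MoveToFolder": "Newsletters"}},
]

# Folders attackers commonly use to hide phishing replies from the mailbox owner.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

def first_seen_country_logins(events):
    """Return (user, country) for logins from a country never seen before for that user."""
    seen, alerts = defaultdict(set), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] != "UserLoggedIn":
            continue
        known = seen[e["user"]]
        if known and e["country"] not in known:
            alerts.append((e["user"], e["country"]))
        known.add(e["country"])
    return alerts

def suspicious_inbox_rules(events):
    """Return (user, target) for rules that delete mail or move it to a hiding folder."""
    alerts = []
    for e in events:
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            p = e.get("params", {})
            if p.get("DeleteMessage") or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
                alerts.append((e["user"], p.get("MoveToFolder", "<deleted>")))
    return alerts

def mfa_registrations_from_new_country(events):
    """Return (user, method) for authenticator registrations from a first-seen country."""
    flagged = set(first_seen_country_logins(events))
    return [(e["user"], e["method"]) for e in events
            if e["op"] == "UserRegisteredSecurityInfo" and (e["user"], e["country"]) in flagged]

def triage(events):
    """Users with at least two independent signals, i.e. worth an analyst's attention."""
    score = defaultdict(int)
    for u, _ in first_seen_country_logins(events): score[u] += 1
    for u, _ in suspicious_inbox_rules(events): score[u] += 1
    for u, _ in mfa_registrations_from_new_country(events): score[u] += 1
    return sorted(u for u, s in score.items() if s >= 2)
```

Correlating the three signals per user is what separates a travelling employee from an account takeover; any one of them alone is noisy in a large tenant.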

“Identity is the new firewall,” said Trevor Wistaff, Chief Product Officer at Zepto. “Once credentials are compromised, the attacker becomes you.”

Unit 42 recommends Cortex Advanced Email Security, UEBA, and ITDR modules for early detection.

The Broader Implication

The exposure of Jingle Thief highlights the convergence of cybercrime and financial fraud. By blending phishing precision, cloud infiltration, and money-laundering tactics, these attackers blur the line between IT compromise and white-collar theft.

Palo Alto Networks has shared the findings with global members of the Cyber Threat Alliance (CTA) to accelerate threat disruption and collective defense.

“This campaign is not about breaking systems—it’s about bending trust,” said a Unit 42 spokesperson. “And as long as organizations treat cloud identity as an administrative formality, criminals will treat it as an opportunity.”
