“Jingle Thief” Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards

Overview

Jingle Thief targets cloud environments at retailers and consumer-services firms to run large-scale gift-card fraud. Unit 42 researchers Stav Setty and Shachar Roitman published the technical analysis. Once inside a tenant, the crew pursues the specific access needed to issue unauthorized gift cards, leaving victims with rapid financial losses and complex investigations.

Who They Are

Investigators track the cluster as CL-CRI-1032 and link it to the activity tracked as Atlas Lion and Storm-0539. Microsoft describes the group as financially motivated and likely based in Morocco. Activity has continued since at least late 2021.

Why Gift Cards

Gift cards appeal to the actors for several reasons. First, they convert to cash quickly and at scale. Second, buyers redeem them with minimal personal data. Finally, they leave limited and fragmented trails, which complicates response.

Recent Campaigns

Unit 42 observed coordinated waves in April and May 2025. The operators used phishing to steal credentials and breach cloud infrastructure. In one case, they kept access for about ten months and compromised 60 user accounts in a single organization, operating quietly while escalating privileges.

Attack Flow

Figure: Jingle Thief phishing attack chain across Microsoft 365
  1. They run external reconnaissance, then send well-crafted phishing or smishing messages that mimic Microsoft 365 sign-in pages.
  2. After harvesting credentials, they log in immediately and perform a second round of reconnaissance from inside the tenant.
  3. They enumerate SharePoint and OneDrive for business processes, finance documents, and IT workflows.
  4. They pivot across the tenant and seek roles that control gift-card issuance systems.
  5. They access gift-card issuance applications and create high-value cards across multiple programs.
  6. They minimize logs and forensic artifacts to hinder response and delay detection.

Tactics for Persistence and Evasion

  • Internal phishing: they send convincing internal emails that mimic IT notices or ticket updates.
  • Email rules: they create inbox rules that auto-forward mail to attacker-controlled addresses and move sent items to Deleted Items, hiding the traffic from the mailbox owner.
  • MFA bypass: in some cases, they register rogue authenticator apps or enroll attacker-controlled devices in Entra ID, so they can persist even after password resets or token revocations.
  • Identity over malware: they favor account abuse over custom payloads, which lowers the chance that endpoint tooling detects them.

What They Look For

During exploration, the intruders search for documentation and access paths. For example, they hunt for:

  • Gift-card issuance workflows and internal runbooks.
  • VPN configurations and access guides.
  • Spreadsheets or portals that issue or track gift cards.
  • Details on virtual machines and Citrix environments.

Key Takeaway

In summary, gift-card fraud thrives on stealth, speed, and scale—especially inside cloud environments that host issuance workflows. Therefore, organizations should harden Microsoft 365 identity paths, restrict issuance permissions, and monitor for suspicious mailbox rules and device enrollments.
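The mailbox-rule and device-enrollment tactics described under "Tactics for Persistence and Evasion", together with the monitoring advice in the takeaway, can be turned into a first-pass triage over exported audit events. The following Python is an added example written for this page, not Unit 42's or Microsoft's code. It assumes JSON-lines exports whose field names follow the Unified Audit Log Exchange record shape (Operation, UserId, Parameters as Name/Value pairs) and the Entra ID directoryAudit shape (activityDisplayName, initiatedBy, targetResources); the sample events, the tenant domain example.com, the attacker addresses and the severity rules are all constructed by the author of this example.

```python
import json
from collections import defaultdict

# Hypothetical tenant domains; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Inbox-rule parameters that send a copy of (or redirect) incoming mail.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Entra ID audit activities that add a credential or device an intruder can reuse.
REGISTRATION_ACTIVITIES = {"User registered security info", "Register device"}

# Constructed sample events (not real telemetry). Shapes follow the Unified Audit
# Log Exchange record and the Entra ID directoryAudit object as assumed here.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "gift card"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "192.0.2.4",
     "Parameters": [{"Name": "ForwardTo", "Value": "helpdesk@example.com"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"category": "UserManagement", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}]},
    {"category": "Device", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.9"}},
     "targetResources": [{"type": "Device", "displayName": "DESKTOP-7Q2"}]},
]]


def _params(record):
    """Flatten an Exchange record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inbox_rule_findings(record):
    """Reasons a New-/Set-InboxRule event matches the forwarding/hiding pattern."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    params = _params(record)
    reasons = []
    for name in sorted(FORWARDING_PARAMS.intersection(params)):
        values = params[name] if isinstance(params[name], list) else [params[name]]
        if any(_is_external(v) for v in values):
            reasons.append(f"{name} to external address")
    if params.get("MoveToFolder") == "Deleted Items" or params.get("DeleteMessage") in (True, "True"):
        reasons.append("rule hides matching mail")
    return reasons


def registration_findings(record):
    """Reasons an Entra ID audit event adds persistence (new MFA method or device)."""
    activity = record.get("activityDisplayName")
    return [activity] if activity in REGISTRATION_ACTIVITIES else []


def _subject(record):
    """The account an event is about, for either record shape."""
    if "UserId" in record:
        return record["UserId"].lower()
    actor = record.get("initiatedBy", {}).get("user") or {}
    if actor.get("userPrincipalName"):
        return actor["userPrincipalName"].lower()
    for target in record.get("targetResources", []):
        if target.get("type") == "User":
            return target["userPrincipalName"].lower()
    return None


def triage(lines):
    """Parse JSON-lines audit events and rate each flagged account.

    An account with both a suspicious inbox rule and a fresh credential or device
    registration is rated 'high': that pairing is the persistence pattern in the
    text. Either alone is 'medium'. Accounts with no findings are omitted."""
    reasons_by_user = defaultdict(list)
    for line in lines:
        record = json.loads(line)
        user = _subject(record)
        if user is None:
            continue
        reasons_by_user[user] += inbox_rule_findings(record) + registration_findings(record)

    result = {}
    for user, reasons in reasons_by_user.items():
        if not reasons:
            continue
        has_rule = any(r not in REGISTRATION_ACTIVITIES for r in reasons)
        has_registration = any(r in REGISTRATION_ACTIVITIES for r in reasons)
        severity = "high" if has_rule and has_registration else "medium"
        result[user] = {"severity": severity, "reasons": reasons}
    return result


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_EVENTS).items():
        print(f"{finding['severity']:6} {user}: {', '.join(finding['reasons'])}")
```

Run against the constructed events, alice is rated high (an external forwarding rule plus a new authenticator registration from the same source IP), bob and dave are medium, and carol's rule that forwards to an internal helpdesk address produces no finding. In production, join on ClientIP and the initiatedBy IP as well, because the same unfamiliar address creating a rule and then registering an MFA method is a stronger signal than either event alone.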

Research Notes

As the researchers noted, “Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards.” Likewise, “this discreet approach helps evade detection while laying the groundwork for future fraud.”
