Cybercriminals operating under the moniker ‘Jingle Thief’ have been orchestrating a widespread cloud-based fraud campaign targeting retail and consumer enterprises. The attackers steal credentials through phishing and smishing, use them to access the victims’ cloud environments, and then run prolonged operations aimed at issuing and monetizing unauthorized gift cards.
According to research by Palo Alto Networks’ Unit 42, Jingle Thief’s activity overlaps with the financially motivated clusters that other vendors track as Atlas Lion and Storm-0539.
Their campaigns are particularly active during festive periods and capitalize on heightened retail activity to issue high-value gift cards with minimal forensic trails.
Why It Matters: Jingle Thief represents an evolution in cyber fraud: it abuses cloud-native identity and collaboration features rather than deploying malware. By focusing on identity misuse and the organization’s own cloud workflows, the group has achieved scalable fraud while staying under the radar, threatening enterprise security and retail operations during peak commercial seasons.
- Cloud-Based Reconnaissance Enables Fraud Operations: After compromising cloud accounts, Jingle Thief conducts a multi-phase internal exploration of Microsoft 365 environments, including SharePoint, OneDrive, and email systems. Their goal is to identify documentation and processes tied to gift card issuance, financial operations, and IT infrastructure. This intelligence-gathering phase allows the attackers to understand exactly how gift cards are generated and approved, enabling low-noise fraud that mimics legitimate behavior.
- Credential Theft Begins with Social Engineering: The attack chain starts with individualized phishing or smishing campaigns. Victims are lured into entering credentials on fake Microsoft 365 login pages, often sent via emails or texts that convincingly imitate internal communications. These messages frequently reference ticketing systems or account issues to induce urgency. By the time victims recognize the fraud, attackers have already established access and begun lateral movement.
- Exploiting Identity Features and MFA Workarounds: Once inside, the attackers take several steps to keep long-term access: registering attacker-controlled authenticator apps as additional MFA methods so they can satisfy MFA challenges themselves, creating hidden inbox rules that forward or suppress internal email, and enrolling their own devices in Entra ID (formerly Azure AD). Because these footholds are independent of the stolen password, they can survive a password reset or session-token revocation unless the rogue methods, rules, and devices are removed as well, which is how the group’s presence often extends for months undetected.
- Internal Phishing Extends Reach Across the Organization: Using access to compromised accounts, the attackers initiate secondary phishing waves targeting other employees. These internal messages often appear even more credible than external phishing attempts by mimicking real IT notifications and leveraging language or formats gleaned from internal documents. This internal spear-phishing approach helps them scale access across departments, primarily toward users with gift card issuance authority or elevated privileges.
- No Malware, No Alerts: Unlike many cybercriminal groups that deploy malware or ransomware payloads, Jingle Thief relies on abusing legitimate identities and cloud infrastructure. Antivirus and endpoint detection tools tuned to flag malicious binaries have nothing to inspect; the intrusion surfaces only as unusual account behavior such as new MFA methods, new inbox rules, new device registrations, and sign-ins from unfamiliar locations. Organizations that do not monitor identity and audit-log telemetry at that scope see no alerts at all.
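The persistence techniques listed above (rogue MFA method registration, hidden or forwarding inbox rules, attacker device enrollment) each leave a record in Microsoft 365 and Entra ID audit logs even though no binary ever runs, which is the point of the "No Malware, No Alerts" item. The following script is an added example, not code from the article or from Unit 42, showing how a defender might triage such records and correlate them per user. It assumes a simplified export in which every record is a dict with "Operation", "UserId" and "ClientIP", Exchange cmdlet records carry a "Parameters" list of {"Name", "Value"} pairs, and Entra ID activities ("User registered security info", "Add device", "Register device") appear under "Operation"; the tenant domain, the per-user IP baseline and the sample records are all constructed for the demo and will need adjusting to a real export.

```python
"""Added example: triage M365/Entra ID audit records for identity persistence.

Not the article's or Unit 42's code. Field names, operation names, the tenant
domain, the IP baseline and the sample records are assumptions/constructed.
"""
from collections import defaultdict

ACCEPTED_DOMAINS = {"contoso.example"}          # constructed tenant domain
KNOWN_GOOD_IPS = {                              # constructed per-user baseline
    "alice@contoso.example": {"203.0.113.10"},
    "bob@contoso.example": {"203.0.113.11"},
}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MFA_REGISTRATION_OPS = {"User registered security info"}
DEVICE_ENROLLMENT_OPS = {"Add device", "Register device"}
# Folders a user rarely opens; parking mail here hides it without deleting it.
HIDDEN_FOLDERS = {"rss subscriptions", "conversation history", "junk email"}
# Subjects an attacker wants to intercept or suppress during gift-card fraud.
RULE_KEYWORDS = {"gift card", "password", "mfa", "security", "helpdesk"}


def params(record):
    """Flatten the cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True for an SMTP address whose domain the tenant does not own."""
    return "@" in address and address.rsplit("@", 1)[1].lower() not in ACCEPTED_DOMAINS


def check_inbox_rule(record):
    """Reasons an inbox-rule create/modify looks like mailbox persistence."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params(record)
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets = [t.strip() for t in p.get(key, "").split(";") if t.strip()]
        if any(is_external(t) for t in targets):
            reasons.append(f"{key} sends mail outside the tenant")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("matching mail is deleted")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("matching mail is marked read")
    if p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        reasons.append(f"mail moved to rarely viewed folder {p['MoveToFolder']}")
    words = p.get("SubjectContainsWords", "").lower()
    hits = sorted(w for w in RULE_KEYWORDS if w in words)
    if hits:
        reasons.append(f"rule keys on sensitive subjects {hits}")
    return reasons


def check_identity_event(record):
    """(technique, reason) when an MFA method or device is added from an IP
    outside the user's baseline; None otherwise."""
    op = record.get("Operation")
    if op in MFA_REGISTRATION_OPS:
        technique = "mfa_registration"
    elif op in DEVICE_ENROLLMENT_OPS:
        technique = "device_enrollment"
    else:
        return None
    user, ip = record.get("UserId"), record.get("ClientIP")
    if ip in KNOWN_GOOD_IPS.get(user, set()):
        return None
    return technique, f"{op} from unfamiliar IP {ip}"


def triage(records):
    """Group findings per user: {user: [(technique, reason), ...]}."""
    findings = defaultdict(list)
    for r in records:
        user = r.get("UserId", "<unknown>")
        for reason in check_inbox_rule(r):
            findings[user].append(("inbox_rule", reason))
        hit = check_identity_event(r)
        if hit:
            findings[user].append(hit)
    return dict(findings)


def prioritized(findings):
    """Users showing two or more distinct persistence techniques come first."""
    return sorted(u for u, f in findings.items() if len({t for t, _ in f}) >= 2)


SAMPLE_RECORDS = [  # constructed sample, not real tenant data
    {"Operation": "User registered security info",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.7"},
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "gift card;MFA"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.11",
     "Parameters": [{"Name": "Name", "Value": "Projects"},
                    {"Name": "MoveToFolder", "Value": "Projects"}]},
    {"Operation": "Add device", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.11"},
    {"Operation": "Register device", "UserId": "charlie@contoso.example",
     "ClientIP": "198.51.100.9"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for user, items in found.items():
        for technique, reason in items:
            print(f"{user}: {technique}: {reason}")
    print("investigate first:", prioritized(found))
```

The correlation step is the part worth copying: a single new inbox rule or a single MFA registration is routine, but one user accumulating two of the three techniques within the same batch matches the foothold-building pattern described above and should be reviewed before any gift-card issuance requests from that account are honored. In a real deployment the IP baseline would come from sign-in history rather than a hard-coded dict, and the operation names should be checked against the tenant's own audit export.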