Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
Category: Threat Alerts / Threat Intelligence
Palo Alto Networks Unit 42 exposed the Jingle Thief campaign, a financially motivated Moroccan operation targeting retailers’ gift card systems. Attackers exploited Microsoft 365 services and identity misuse to issue unauthorized gift cards, maintaining persistence for nearly a year within compromised environments. The campaign overlaps with the Atlas Lion activity cluster and centers on identity-based fraud and cloud exploitation.
CORTEX Protocol Intelligence Assessment
Business Impact: Retailers face direct financial theft and identity compromise from long-term cloud intrusions.
Technical Context: Jingle Thief operations highlight identity as the new perimeter, abusing Entra ID and OneDrive for persistence.
Strategic Intelligence Guidance
- Audit Microsoft 365 device enrollments for rogue authenticator apps.
- Enhance UEBA and ITDR monitoring for identity anomalies.
- Restrict internal gift card system access to dedicated networks.
- Rotate credentials following unusual mailbox rule creations.
Impact
Financial: $Millions
Intelligence Source: Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign | Oct 23, 2025