CyberWire Daily - Inside Jingle Thief Cloud Fraud Unwrapped [Threat Vector]

Episode Date: November 21, 2025

In this special episode of Threat Vector, host David Moulton, Senior Director of Thought Leadership for Unit 42, sits down with Stav Setty, Principal Researcher at Palo Alto Networks, to unpack Jingle Thief, a cloud-only, identity-driven campaign that turned Microsoft 365 into a gift card printing press. Stav explains how the Morocco-based group known as Atlas Lion lived off the land inside M365 for months at a time, using tailored phishing and smishing pages, URL tricks, and internal phishing to compromise one user and quietly pivot to dozens more. Together, David and Stav walk through how the attackers abused legitimate identity features like device registration, MFA resets, inbox forwarding rules, and ServiceNow-style access requests to blend into normal business workflows and monetize “digital cash” in the form of gift cards. They dig into why MFA alone is not safety, why identity is now the real perimeter, and how behavioral analytics, UEBA, and ITDR can piece together small signals into a clear story of compromise. You’ll come away with practical steps to harden identity posture, spot early warning signs in cloud environments, and protect high-value systems where trust can be turned directly into profit.
To go deeper on this campaign and the Atlas Lion threat actor, read the Unit 42 article Jingle Thief Inside a Cloud-Based Gift Card Fraud Campaign at https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42. Identity compromise means that the attackers are targeting you. They're not targeting a machine or a service. They're targeting you. They're looking to compromise accounts. And in this case of Atlas Lion, every new identity that they compromise, they turn that into money. Identity attacks are not a future problem. They're a today problem. They're happening now. And we saw in Jingle Thief that one compromised account quickly
Starting point is 00:00:56 turned into dozens of compromised accounts in a matter of months if you're not monitoring behavior. So it really shows the importance of monitoring your identity behavior. And the highlight of this attack is that it's entirely in the cloud. Attackers don't need exploits. They don't need malware. They just need to compromise identities. Today, I'm speaking with Stav Setty, principal researcher at Palo Alto Networks. Stav and the Unit 42 research team recently uncovered a financially motivated operation they're calling Jingle Thief, a cloud-based campaign that exploited Microsoft 365 environments to commit large-scale gift card fraud targeting global retailers and consumer
Starting point is 00:01:56 or service enterprises. Today we're going to talk about how attackers leverage identity misuse, what this means for defenders in a cloud-first world, and why campaigns like Jingle Thief are reshaping how we think about trust and persistence in cybersecurity. Stav, welcome to Threat Vector. I'm really excited to have you here this morning. Thanks, David. I'm really happy to be here. So before we get into this Jingle Thief campaign, and by the way, love the name. I think that it's super memorable. Can you talk to me about your work as a principal researcher here and how you and your team approach uncovering threat actor behavior?
Starting point is 00:02:39 Yeah, of course. So I'm part of the Cortex research team on the UEBA and ITDR team. And what we do is we focus on identity threats. So that means we look into how users are compromised and we try and find a way to detect that behavior. What got you interested in that particular focus area in security? I think it feels a little bit more real to me because I'm a user and I can get attacked at any point. So I kind of feel that those kind of attacks are interesting more so than attacking a machine because I feel that I can relate to them a little bit more. And I also think that identity attacks are just the next big thing.
Starting point is 00:03:26 I think all the attacks nowadays are heading towards identity land. And it's really interesting to me to research all these cases. And I'm lucky to be part of that. So today we're going to talk about this Jingle Thief campaign, which is really centered around identity-based cloud compromise and gift card fraud. And I wanted to start with the basics. You know, for the listeners, what exactly is the Jingle Thief campaign? You know, some folks maybe haven't read the research that we've got out on the Unit 42 Threat Research Center. What was it that first drew the Cortex Research team to this specific activity? The Jingle Thief campaign is a campaign that we found very fascinating.
Starting point is 00:04:08 And it came up because of our Cortex ITDR alerts that were raised. And what makes it so interesting is it's attackers going after gift cards. And they were able to steal and target gift cards from some of the biggest retail brands that you know. So that's really fascinating. And what makes it even more fascinating is that this is in the cloud. There's no malware.
Starting point is 00:04:32 There's no exploits. They're purely living in Microsoft 365, which is a bit unusual because nowadays you don't see that too often with the gift card fraud. And yeah, so they would try and target retailers or just anyone that can issue gift cards. Stav, you mentioned something.
Starting point is 00:04:50 And I want to make sure that we don't go screaming by. You said the four letters, ITDR. And for those who are not part of our parlance, our jargon every day, what is ITDR real quick? Okay, so ITDR stands for identity threat detection and response. And it's all about detecting identity attacks, such as the Jingle Thief attack. And we'll talk more about that. Yeah, super important here.
Starting point is 00:05:16 And it was the technical capability of the Cortex platform that you're referring to. I just wanted to make sure that, you know, if you're not in the business all the time of our shortcuts, that you knew what that was. All right. Let's get back to Jingle Thief real quick. Who's behind this campaign? Talk to me about the threat actor. Yeah. So we're pretty sure that this group is what people know as Atlas Lion. Atlas Lion is a Moroccan-based group. They've been active since 2021. And while we don't have 100% attribution, I say for the purposes of this chat, let's call them Atlas Lion. What do you think? Yeah, that works for me. And you said Moroccan-based, financially motivated. That's probably part of the crime side of cyber attacks, not necessarily something tied to a state actor. What distinguishes the campaign from maybe some of the other financially motivated operations that we've been looking at recently?
Starting point is 00:06:18 I think there's a few things. I think the first thing is the patience and the discipline. They stay months within an organization. In one case we saw, we saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here. I think another aspect is the living off the land in Microsoft 365. It's all cloud. That's a little bit unusual as well. And lastly, it's the gift card aspect, the gift card theft. A lot of times financially motivated actors will go for ransomware. And this was all about gift cards.
Starting point is 00:07:02 Okay. And so they are looking at these gift cards as a way of getting their money. Talk to me about how you go from stealing gift cards, because that seems like a limited way of financing your operation, to, you know, are they selling them? Are they demanding that the retailer buy them back? Like, what's the path to monetization? Yeah, so I think that's kind of like the golden question here is,
Starting point is 00:07:29 why would you target gift cards in the first place? And that's exactly what my team asked when we first saw this. We just didn't really get it at first. And I actually think it's at the end of the day, it's a perfect solution for them. So what they're going to do is they're going to issue gift cards and they're going to sell them later in underground markets. Why do they target gift cards?
Starting point is 00:07:49 Because when you think about it, gift cards are just digital cash with no traceability. They're easy to resell and there's no noise and they're impossible to trace. So if I redeem them, you have no PII associated to them. So that's what makes them so perfect. Okay. So if I play this back, you go in, you're in an environment, you're not necessarily noisy, you're persistent, maybe you've got some technical chops, and then instead of locking things up, demanding some sort of ransom, dealing with a crypto, you basically issue yourself up a payday. You know,
Starting point is 00:08:29 I'm going to go ahead and type in a half a million dollars or a hundred thousand dollars here or there, and then later on, when the heat's off, so to speak, you can then start to sell those out and you're basically cashing out this digital cash that no one can really trace to an actual payment. You're no longer holding the stolen goods, you're financed. So it is kind of a low stakes operation and I don't want to say it's the perfect crime, but it feels like it's starting to make more and more sense why Atlas Lion and maybe others are looking at gift cards as this weak spot inside of some enterprises where they can go have a payday.
Starting point is 00:09:09 It's like they're an easy way to print cash. All they need is an identity and they can just print their own money. So let's talk about how some of these attacks got in. What was the initial access, you know, was it phishing, was it smishing? Did they go out and buy identities? Walk me through that process a little bit. So initial access here, exactly what you said, it was SMS phishing, smishing, and phishing. And we actually found on my team, we investigated it and found the PHP email
Starting point is 00:09:46 sender that the attacker used. And in those logs we saw the emails and the SMS messages that went out from Moroccan IP addresses, which was really cool to see that. And you know that smishing and phishing are pretty common, right? So what kind of makes this kind of unique? There's a few things here that made the initial access really interesting. I think the first one is how highly tailored the pages, the phishing pages were. They used actual branding, fonts, layouts from each
Starting point is 00:10:21 target, so they really did their homework here. And these fake Microsoft 365 pages look identical to the company's pages, which is crazy. I don't think there's any way for the employees to tell a difference. So not only did they do their homework, but
Starting point is 00:10:38 they also did something called the URL at sign trick. Have you heard of that before? No, talk me through that. So the URL at sign trick is really interesting. You can have a URL like company login at sign randomdomain.com. And if I'm a user at a company, I'll see the company login on the left side of the at sign. Like let's say it's Palo Alto Networks.
Starting point is 00:11:03 I'll see that and I'll be like, hey, that's pretty legitimate. But the browser will actually go to what's on the right side. So company login at sign randomdomain.com. That randomdomain.com is actually what my browser is going to navigate to, which means that the user will be fooled. And the browser will actually go to the malicious domain that the attacker controls. So I think that's a super interesting technique that they used. And it's not that common also. When you're talking about identity theft and identity attacks,
Starting point is 00:11:40 in some way they're also attacking the identity of the organization, the fonts, the domains, the way that things look, such that they can steal a legitimate identity from that company or from that employee. That feels like it's a next level of phishing attack beyond almost a phishing attack. It's something different. Or am I just kind of behind on where normal phishing, quote-unquote normal phishing is at? I think normal phishing can definitely be less tailored. So I think that's what makes this so dangerous is how tailored it is to the organization. I think that's, yeah, that's kind of the most interesting aspect here.
Starting point is 00:12:25 They've really tried to make you believe that they're the actual organization because they really did their homework here. And there were actually a few other things that made them really successful. It's all the reconnaissance that they did. It's the at-sign notation, and it's also, they would also use compromised WordPress domains to look legit. So they would put their phishing pages there, and that made the security tools ignore it, and the users would fall for it. So the phishing here was actually pretty smart, and they would also go through multiple rounds of phishing, and they would refine it over and over again until they got it right, and all they needed was one credential. They just needed one compromised user. And once they had one compromised user, it's game over.
Starting point is 00:13:16 Talk to me about the maybe seasonal or behavioral patterns that made Atlas Lion's social engineering tactics really effective. Yeah. So what was really interesting here is that they would target their attacks, and that's kind of why we call them Jingle Thief, during the holiday season. Right. So during the holiday rush, you have limited employees, you have a lot of noise and distraction, and that's kind of what helped them be so successful here. Something else that's really interesting is that during the holiday periods there are a lot of temporary employees, and these temporary employees are new, right? So they don't have a behavioral baseline, which makes them a lot harder to detect.
Starting point is 00:14:03 And so no behavioral baseline, but they have a lot of high permissions. So they're able to issue gift cards. That makes them the perfect targets. So what you're saying is like I get hired in to go work at a large retailer. One of my jobs is to work in this issuing, this area that's basically printing digital money. People are paying for gift cards. They want to go exchange those during the holidays, and systems are going, well, we don't really have much of what normal looks like for David,
Starting point is 00:14:37 the new employee. And if I get popped, if I get compromised, then the system's like, oh, well, he's just issuing these massive gift cards. That seems pretty normal. He's been doing that for a while. And even then the best security systems don't have the critical data of a normal baseline to be able to go, hey, we should flag this. This is wildly inappropriate that, you know,
Starting point is 00:15:01 Moulton's out there putting out $60,000 gift cards left and right. Exactly. Is that right? Like, oh, man, like, you know, I don't often say this, but, like, this is a really clever attack. Like, this is a way to really, you know, come in and use all the advantage that they have and then targeting it during the holiday season when things are really busy just makes it fly right under the radar.
Starting point is 00:15:28 Yeah. You mentioned earlier in our conversation that you and the team had observed Atlas Lion sitting in an environment for quite a while. I think you said 10 months in one case. What is it about this group that lets them sit in an environment for so long and go undetected? Yeah. So I think that's actually the most fascinating part of this whole campaign, right? That Atlas Lion is in an organization for over 10 months.
Starting point is 00:15:56 It's actually crazy. And the way that they do it is they abuse Microsoft 365 identity features. For example, let's say I am an attacker from Atlas Lion and I have credentials. Okay. So after I get the credentials and the initial access, the first thing I'm going to do is enroll my device. And if I enroll my device, I'll be able to bypass MFA from here on out. And it's really smart because the victim can reset their password, but the attacker still has a trusted device.
Starting point is 00:16:30 So that's kind of their first step is how can I get my device there? So yeah, device registration is number one. The next thing that they'll do is they will add Exchange inbox forwarding rules. Have you heard of those before? I want to say I ran across that in our research, but I didn't fully understand it. So hopefully the audience will humor me here. Can you walk me through what that is? Because it seems like it's both pretty common but also kind of a clever attack. Yeah, exactly. So Exchange forwarding rules will allow you to forward
Starting point is 00:17:12 emails from one mailbox to an external address. So what the attacker would do here is they would add, they would basically set up a forwarding rule to forward all emails to their own personal attacker-controlled address, and that allows them to have ongoing visibility of the mailbox. So that's a really great technique that they will use. And it's pretty common. I think that organizations should really monitor all inbox rule creations because it's a pretty smart tactic, a very common tactic. So I think there's this misconception that I'm being disabused of when I talk to, you know, folks like yourself, I talked to Margaret Kelly about cloud attacks not too long ago.
Starting point is 00:18:26 And there's this idea that cloud environments are really secure. You know, and as you're talking about it, it's like, okay, these attackers get inside of Microsoft 365. They're attacking. They're living off the land. Why is it that the legitimate cloud services seem so appealing to attackers today? Yeah, that's a great question. And I think that attackers really love the cloud because all their valuable data lives there. Like, if you think of your own cloud, you have SharePoint documents, you have all your emails, all your data is there, right?
Starting point is 00:19:02 So it makes it the perfect target. And specifically Atlas Lion, they would use Microsoft 365 as their reconnaissance playground. They would turn SharePoint into their own personal scavenger hunt. So they would look for a lot of internal documents on gift card workflows or VPN documentation, MFA guides, you name it, basically everything they needed to operate like an insider. And so they have a full map now of business processes and they're able to really blend in now. And it's not just SharePoint. They'll also get, we saw such a high amount of emails accessed by Atlas Lion in a really short amount of time.
Starting point is 00:19:51 So now that they have all this business information, they're eventually able to issue gift cards looking legitimate. They learned all about the gift card workflows, what portals there are, and they can really operate like a legitimate user. So basically, once they get in, because all the information is there, it acts as an instruction manual, one-stop shop of how to rip off the company, because legitimate users actually need all that information to operate. They want to look legitimate. And that further makes it difficult for you to detect them, I imagine. Did they go a step further and give themselves higher access than that original user initially had?
Starting point is 00:20:35 Yeah, they definitely did. And they would do something really clever. And it would really also blend in kind of like the SharePoint documents. What they would do is they would, hey, so now I have all your emails. I can see how you tend to normally ask for permissions. For example, ServiceNow, I saw that you created a few ticket requests over the past week. Let me do the exact same. So, Atlas Lion would do the exact same and escalate their permissions via ServiceNow ticket request.
Starting point is 00:21:10 And for IT, that looks completely legitimate, completely normal because this user has done that in the past. So, yeah, that's a really smart way of doing it. And it's not hacking, it's kind of like abusing the business process. Yeah, it's not quite hacking. It's not quite social engineering. It's somewhere in a gray space between those two things. But it certainly shows that they have a level of discipline to stay undetected.
Starting point is 00:21:42 What were some of the other things that they did to evade detection and hide their activity once they were inside? Right. So the first thing is because they're entirely in the cloud, there's already no malware, which means that all of your EDR solutions are completely blind to this, right? So that's number one. The second thing that they would do is they would, a big element here was internal phishing. We didn't mention it yet. But what they would do is they would send out internal phishing emails for lateral movement. And then they would delete those emails. And the internal phishing was really successful because there's a lot of implicit trust. If your coworker emails you, that's instant credibility and nobody really suspects anything. So they went from one account to dozens of accounts from that. It's like a game of cyber tag going from one victim to the next launch point. And so to hide their traces of that, they would just clean up the mailboxes. So they would send out a phishing email
Starting point is 00:22:51 and move that email from sent items to deleted items. And let's say there was like an alert of phishing. They would also delete that from the inbox completely. So they would really try and hide their traces and they did a really great job at it. How did the behavior analytics, you mentioned the UEBA earlier, and ITDR tools help play a role in this? Because it seems like they're going to a lot of trouble specifically to target folks that don't have a baseline, to delete things, to act within normal ServiceNow ticket requests, right? Like there's a lot
Starting point is 00:23:28 about this that just appears to be normal day-to-day activity within an organization, and yet there had to be some indicator, there had to be a little bit of noise here and there that you could string together, and I'm really curious what tripped them up that allowed you to get on their scent trail. Exactly. So it is very legitimate looking activity, right? So if I create an inbox rule, I create inbox rules all the time. That's pretty legitimate. But what the whole idea of behavioral analytics is to build a profile for the user. So let's say I have a profile for the user of the locations that they log in from.
Starting point is 00:24:06 And I have a user that constantly logs in from the United States. All of a sudden they're logging in from Morocco. Based on that baseline, I can flag this activity. And that's kind of what behavioral analytics does. And maybe that alone, the unusual location login, it's not strong enough on its own. We'll take lots of different small signals like that and put them together. So I can have a first login from Morocco for that user, a first inbox rule creation, a new MFA enrollment, a new device registration.
Starting point is 00:24:38 I take all those things together and they create a clear compromise story. And that's what UEBA and ITDR really shine in. That's pretty cool. It's basically finding enough bits. and pieces of evidence that when put together, that jigsaw of data becomes a really clear, this is a problem specifically. And I imagine, like, once you started seeing that, you were able to then say, like, how do we find other things that give us that confidence?
Starting point is 00:25:09 Like earlier said, you know, attribution is hard, but you're pretty confident. And then to start to see where that happens elsewhere, I know the attackers exploited legitimate identity mechanisms like device reg and password self-service, what are some of the lessons that security teams need to take away from this attack and this misuse of trust? That's a great question. I think the first thing is a lot of times security teams will say, hey, MFA, that equals safety. And I think it's really important to recognize that MFA is not safety. it's not safe and they should really monitor every new password reset, every new device enrollment, all that needs to be monitored and it's not enough just to be like, hey, that user
Starting point is 00:26:00 logged in with MFA, it's safe. So Stav, Jingle Thief is a really powerful example of identity-based compromise. What does that concept mean in practical terms, though? Yeah. So identity-based compromise means that the attacker will target you. They're not going to target a machine or a service. They're going to target you. And once they have your credentials, like we saw earlier when we talked about their internal phishing, they have all your permissions now and your trust. So they can email your coworker, and your coworkers will immediately trust it, right? So it's not really a system takeover, it's a process takeover. In Jingle Thief, we saw that legitimate workflows were used in abnormal ways to turn identity directly to profit. And this is like the Jingle Thief case, I think, is a really good example of why identity is a new perimeter.
Starting point is 00:27:07 From a defensive perspective, what practical steps can enterprises take today to reduce their exposure to these identity-based attacks like Jingle Thief? So I think there's a few things you can do. I think number one, I would say, is what we talked about before, about ITDR and UEBA. Behavioral analytics is so important because this is entirely in the cloud, endpoint detection is not going to help you at all. You need to track who's logging in, where they're logging in from, how their behavior changes over time. I think that's number one most important. I think also in the case of Jingle Thief, posture really matters as well. I would make sure to look at what permissions users have. Like, can everybody issue gift cards and limit that? And lastly, I think that,
Starting point is 00:28:06 again, compromise happens really fast, so you need to make sure to act fast because you can go from one compromised user to 100 compromised users in a matter of a very short time. So really, it's thinking about this idea of don't over-rely on MFA, and then as you're looking at your controls, especially since you're attacking a user, you know, one compromise can very much snowball, to keep it in that holiday theme, into hundreds of users very, very quickly. This is a tricky one to defend against for sure, but I keep coming back to this idea that you were able to find enough evidence through behavioral analytics, through ITDR, and paint that picture such that you don't have any idea how you're leaking so much money on the gift card side of things. You've mentioned a couple times that Jingle Thief has been traced back to this Moroccan
Starting point is 00:29:10 infrastructure, you know, through IPs, through ASN patterns. How valuable is that kind of intelligence in ongoing threat tracking? So I think that it's super valuable because it allows you to have a fingerprint to connect the dots across multiple incidents. So I'm consistently seeing Moroccan
Starting point is 00:29:44 ASNs throughout multiple organizations, I can look for those ASNs and be able to connect the dots to the same campaign. That's like the main value. And I think that what was super interesting in this case is that you saw Atlas Lion connecting consistently from Moroccan ASN. It's like kind of funny because they didn't even try and hide their location. I mean, there were a few U.S. proxy cases, but very few of them. And it shows confidence because they kind of know that geolocation alerts are so often ignored. And I found that really interesting. So, Stav, looking ahead, do you expect that financially motivated campaigns like this will evolve in new ways or maybe even have copycats that try to use these same attack techniques? Yeah, definitely.
Starting point is 00:30:29 I think so. I think that they're going to keep adapting and we expect that any platform where trust can be turned to profit to be used. So for example, today it might be Microsoft 365 but in the future it'll expand to more
Starting point is 00:30:45 cloud platforms and today they're targeting gift cards but in the future it can be loyalty programs. It can be really any system that has digital currency anywhere that identity can turn into money. Stav, one last question here.
Starting point is 00:31:04 Are there any early warning signs that defenders should watch for as attackers continue to weaponize cloud trust? Yeah, I think definitely there are a lot of warning signs in the identity behavior. You have to look at device enrollment, MFA factor additions, inbox rules, All of that, I strongly suggest monitoring all of those.
Starting point is 00:31:32 Yeah, I think that's the best thing to prioritize as identity layer. Stav, thanks for this awesome conversation today. I learned so much. And thanks for the patience from the audience as you had to unpack a few things for me, though, a little bit more technical. I really appreciate you coming in
Starting point is 00:31:51 and sharing your insights on the Jingle Thief campaign and specifically how identity-based cloud fraud is reshaping, at least my perspective of cybersecurity strategy. This one seems like it's kind of a weak spot that we need to really focus on or suffer the consequences. Thank you so much, David. It was great being here. And we'll go ahead and make sure that there's a link to the Jingle Thief campaign and the Threat Research Center in our show notes.
Starting point is 00:32:35 That's it for today. If you've liked what you heard, please subscribe wherever you listen. And leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to contact me directly about the show, email me at Threat Vector at Palo Alto Networks.com. I want to thank our executive producer, Mike Heller, our content and production teams, which include Kenny Miller, Jogadakur, and Virginia Tran.
Starting point is 00:33:01 Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. Thank you.
