CyberWire Daily: Inside Jingle Thief Cloud Fraud Unwrapped [Threat Vector]
Date: November 21, 2025
Host: David Moulton (N2K Networks – Palo Alto Networks)
Guest: Stav Seti, Principal Researcher, Palo Alto Networks Unit 42
Episode Overview
This episode delves into "Jingle Thief"—a striking, cloud-based fraud campaign leveraging identity-based attacks to steal and monetize gift cards at scale. David Moulton interviews Stav Seti, who led the research that uncovered the threat, to examine Atlas Lion (a Moroccan cybercriminal group) and the innovative attack vectors they’ve employed. The conversation spotlights the evolving state of identity compromises in cloud environments and offers actionable guidance for defenders.
Key Discussion Points and Insights
1. Modern Identity Compromise in the Cloud
- Identity is the new battleground: Attackers are targeting users, not just machines or services.
  - “They’re not targeting a machine or a service, they’re targeting you. They’re looking to compromise accounts, and in this case of Atlas Lion, every new identity that they compromise, they turn that into money.” (A, 00:25)
- Attackers adapt to the visibility and tools provided by modern cloud services, bypassing traditional endpoint security:
  - “Attackers don’t need exploits, they don’t need malware. They just need to compromise identities.” (A, 01:32)
- Jingle Thief campaign:
  - Atlas Lion’s operation used Microsoft 365 environments exclusively—no malware or traditional exploits—turning gift card issuance systems into a lucrative avenue for fraud.
2. Behind the Scenes: Threat Research and Motivation
- Team approach: Stav’s team at Palo Alto Networks’ Cortex focuses on identity-centric threats—detecting compromised user behavior rather than just malware signatures.
- Personal motivation:
  - “I’m a user and I can get attacked at any point. It feels a little bit more real to me… all the attacks nowadays are heading towards identity land.” (A, 03:05)
3. The Jingle Thief Campaign Unpacked
- Discovery: Detected by alerts from their Cortex Identity Threat Detection and Response (ITDR) system.
- Unique aspects:
  - Attackers targeted gift card issuance systems of major global retailers.
  - Entirely cloud-based attack; no malware used.
  - Attributed to Atlas Lion, a Moroccan group active since 2021 that shows patience and discipline (10+ months inside some environments).
Monetization Mechanics:
- Why gift cards?
  - “Gift cards are just digital cash with no traceability. They’re easy to resell and there’s no noise and they’re impossible to trace.” (A, 07:45)
  - Fraudsters sell gift cards on underground markets with minimal risk.
4. Initial Access and Social Engineering
- Techniques:
  - Initial access through tailored phishing and smishing (SMS phishing).
  - Utilized convincing fake Microsoft 365 pages tailored to each organization—with authentic branding and fonts.
  - Deployed the “URL @ sign trick” to mask malicious domains.
    - “If I’m a user at a company, I’ll see the company login on the left side of the @ sign... but the browser will go to the attacker’s domain.” (A, 10:46)
  - Used compromised WordPress domains to host phishing pages, aiding legitimacy and evading security tools.
- Internal phishing: Once inside, sent phishing emails from compromised internal accounts for lateral movement.
  - “Internal phishing was really successful because there’s a lot of implicit trust. If your coworker emails you, that’s instant credibility.” (A, 21:51)
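The “URL @ sign trick” works because everything before the last @ in a URL’s authority is userinfo, and the browser connects to the host after it. The following is an added example (not code from the episode or from Unit 42) of a mail-gateway style check that extracts the effective host and flags links whose userinfo is shaped like a hostname; the sample links and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample links for this example (not from the original page); the
# hostnames and IP address are placeholders, not real lure infrastructure.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com@phish-host.example/m365/",
    "https://corp.example.com:443@198.51.100.7/login",
    "https://ftpuser@files.example.com/report.pdf",
]


def effective_host(url):
    """Host the browser actually connects to: everything after the last '@'."""
    return urlsplit(url).hostname


def userinfo(url):
    """Text before the last '@' in the authority (the part a user reads first)."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else ""


def is_at_sign_lure(url):
    """Flag links whose userinfo is shaped like a hostname (has a dot or a port);
    a genuine username normally has neither, and the real host sits after '@'."""
    ui = userinfo(url)
    return bool(ui) and ("." in ui or ":" in ui)


def triage(links):
    """Return (url, effective host, flagged) per link, e.g. for a mail-gateway rule."""
    return [(u, effective_host(u), is_at_sign_lure(u)) for u in links]
```

The fourth sample link shows the caveat: plain userinfo (a bare username) is legitimate and should not be blocked, only userinfo that impersonates a host.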
5. Tactical Evasion and Persistence
- Abusing M365 identity features:
  - Registered attacker-controlled devices post-compromise to bypass MFA.
    - “The victim can reset their password, but the attacker still has a trusted device.” (A, 15:47)
- Mailbox persistence:
  - Set inbox forwarding rules to exfiltrate email, remain aware of security alerts, and monitor business operations.
- Business Process Abuse:
  - Studied SharePoint/Exchange data to map workflows.
  - Used legitimate means (e.g., submitting ticket requests via ServiceNow) to escalate privileges in ways indistinguishable from standard user behavior.
6. Targeting Weakness: Why Holiday Season & Temporary Workers?
- Attack timing:
  - Operations were concentrated during the holiday rush, with new, temporary employees lacking behavioral baselines.
    - “These temporary employees are new. So they don’t have a behavioral baseline, which makes them a lot harder to detect.” (A, 13:27)
- High-privilege, low-visibility targets: Compromising new staff with gift card issuance rights, exploiting the lack of historical data to evade detection.
7. Detection and Response: The Role of Behavioral Analytics
- Behavioral Analytics & ITDR:
  - Tools like UEBA (User and Entity Behavior Analytics) and ITDR flag small anomalies that, taken together, merit investigation.
    - “Maybe that alone, the unusual location login is not strong enough on its own. We’ll take lots of different small signals like that and put them together.” (A, 23:46)
- Effective signals:
  - First-time logins from new locations (e.g., Morocco).
  - New device enrollments.
  - Unusual inbox rule creations.
  - MFA changes and escalations in permissions.
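An added example (not code from the episode, Cortex ITDR or Unit 42) of the “chain weak signals” idea applied to the signal list above and to the persistence techniques in section 5: identity events are replayed in time order, a per-user sign-in baseline is built as events arrive, and new-country sign-ins, device enrollments, external forwarding rules and MFA additions each add a weighted score. The events, users, country codes and weights are constructed for illustration; a brand-new account has no baseline, which is why its first country is never scored and why the other signals matter for seasonal hires.

```python
from collections import defaultdict

# Constructed sample identity events (not from the page): users, timestamps and
# country codes are invented. Timestamps are ISO strings so they sort correctly.
EVENTS = [
    {"ts": "2025-11-01T09:00", "user": "alice", "type": "signin", "country": "US"},
    {"ts": "2025-11-02T09:05", "user": "alice", "type": "signin", "country": "US"},
    {"ts": "2025-11-20T03:12", "user": "alice", "type": "signin", "country": "MA"},
    {"ts": "2025-11-20T03:20", "user": "alice", "type": "device_registered"},
    {"ts": "2025-11-20T03:31", "user": "alice", "type": "inbox_rule_created", "forward_external": True},
    {"ts": "2025-11-20T03:40", "user": "alice", "type": "mfa_method_added"},
    {"ts": "2025-11-19T08:00", "user": "bob", "type": "signin", "country": "US"},
    {"ts": "2025-11-20T08:10", "user": "bob", "type": "signin", "country": "DE"},
]

# Each signal is weak on its own; the weights are illustrative, not a vendor's model.
WEIGHTS = {
    "new_country": 2,          # first sign-in from a country outside the user's baseline
    "device_registered": 3,    # new device enrolled; survives a password reset
    "inbox_rule_external": 4,  # inbox rule that forwards mail outside the tenant
    "mfa_method_added": 3,     # extra MFA factor registered on the account
}
ALERT_THRESHOLD = 6


def score_users(events):
    """Replay events in time order; return {user: [score, [reasons]]}."""
    seen_countries = defaultdict(set)        # per-user sign-in baseline, built as we go
    scores = defaultdict(lambda: [0, []])
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, signal = ev["user"], ev["type"], None
        if kind == "signin":
            baseline = seen_countries[user]
            # A fresh account has no baseline, so its first country is never anomalous.
            if baseline and ev["country"] not in baseline:
                signal = "new_country"
            baseline.add(ev["country"])
        elif kind == "inbox_rule_created" and ev.get("forward_external"):
            signal = "inbox_rule_external"
        elif kind in WEIGHTS:
            signal = kind
        if signal:
            scores[user][0] += WEIGHTS[signal]
            scores[user][1].append(f"{ev['ts']} {signal}")
    return dict(scores)

def alerts(events):
    """Users whose chained signals reach the threshold, highest score first."""
    scored = score_users(events)
    hits = [u for u, (s, _) in scored.items() if s >= ALERT_THRESHOLD]
    return sorted(hits, key=lambda u: -scored[u][0])
```

Bob’s lone new-country sign-in scores 2 and stays below the threshold, while Alice’s four chained signals within half an hour score 12 and produce an alert with the reasons attached.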
8. Lessons and Defensive Guidance
- MFA is not a panacea:
  - “MFA is not safety, it’s not safe. You should really monitor every password reset, every new device enrollment.” (A, 25:32)
- Posture matters:
  - Restrict who can issue gift cards.
  - Act quickly—identity compromise can snowball rapidly.
- Monitor for:
  - Device enrollments, MFA factor additions, inbox rules, permission escalations, and unusual behavioral patterns.
9. Threat Attribution and Strategic Implications
- Attribution:
  - Consistent Moroccan IPs/ASNs helped link incidents to Atlas Lion.
  - Attackers’ confidence (rarely using proxies) suggests they bank on ignored geolocation alerts.
- Looking ahead:
  - Similar campaigns will likely expand to other platforms and digital assets (e.g., loyalty programs, other forms of digital currency).
    - “Anywhere that identity can turn into money.” (A, 30:28)
Notable Quotes & Memorable Moments
- “All they need is an identity and they can just print their own money.” (A, 09:09)
- “They would turn SharePoint into their own personal scavenger hunt…” (A, 18:47)
- “It’s not hacking, it’s kind of like abusing the business process.” (A, 20:35)
- “One compromise can very much snowball… into hundreds of users very, very quickly.” (B, 28:21)
- “Identity is a new perimeter.” (A, 26:14)
Timestamps for Key Segments
| Timestamp | Topic |
|-----------|-------|
| 00:25 | Framing the rise of identity-based attacks in the cloud |
| 05:36 | Threat actor attribution ("Atlas Lion", Moroccan group) |
| 07:26 | Attack monetization via gift card resale |
| 09:17 | Initial access: smishing, phishing, tailored lures |
| 10:46 | The "URL @ sign trick" explained |
| 13:27 | Exploiting the holiday rush and temporary staff |
| 15:47 | Persistence through device registration and MFA bypass |
| 18:47 | Reconnaissance and business process mapping in M365 |
| 20:35 | Escalation via legitimate ServiceNow tickets |
| 21:51 | Internal phishing, lateral movement, mailbox cleaning |
| 23:46 | How behavioral analytics detected Jingle Thief |
| 25:32 | Defensive takeaways: Don’t over-rely on MFA |
| 30:28 | The future of cloud fraud: new targets and copycats |
Practical Takeaways for Defenders
- Behavioral monitoring is essential; look for subtle, chained anomalies across user activity.
- Monitor identity-layer changes (device enrollments, MFA adjustments, unusual inbox rules).
- Restrict critical business function permissions (e.g., gift card issuance).
- Act rapidly—compromises escalate quickly within cloud environments.
- Don’t underestimate attacks that “live off the land” (using built-in features rather than malware).
This episode offers a detailed, real-world look at the ingenuity and persistence of financially motivated cloud attacks—and highlights the need for organizations to reconsider what it means to “trust” in a cloud-first, identity-centric world.
