Podcast Summary: Threat Vector
Episode: Inside Jingle Thief Cloud Fraud Unwrapped
Date: November 21, 2025
Host: David Moulton, Palo Alto Networks
Guest: Stav Seti, Principal Researcher at Palo Alto Networks
Episode Overview
This episode of Threat Vector explores the recently uncovered "Jingle Thief" campaign—a sophisticated, cloud-based identity attack that leveraged compromised Microsoft 365 accounts to steal and monetize gift cards from major retail and consumer service enterprises. Principal researcher Stav Seti walks through the details of the attack, methods used by the threat actors (believed to be the Atlas Lion group), and key lessons for defenders as identity-based attacks become central to cybercrime.
Key Discussion Points & Insights
1. What is the Jingle Thief Campaign? [04:03]
- Jingle Thief is a financially-motivated, cloud-native attack targeting global retailers via Microsoft 365 environments.
- Attackers stole and sold large volumes of digital gift cards, taking advantage of cloud-only infrastructure and identity compromise, not malware.
- Quote:
"They were able to steal and target gift cards from some of the biggest retail brands that you know. ... It's attackers going after gift cards... purely living in Microsoft 365."
— Stav Seti [04:03]
2. Threat Actor Attribution: Atlas Lion [05:36]
- Believed to be the work of Atlas Lion, a Morocco-based, financially motivated group active since 2021.
- Group is notable for long-term persistence: more than 10 months inside a single target environment.
- Distinguishing traits: patience, cloud-only operations, focus on digital gift card theft (vs. typical ransomware).
- Quote:
"We saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here."
— Stav Seti [06:18]
3. Monetization: Why Gift Cards? [07:26]
- Gift cards are ideal for cybercriminals: no PII, hard to trace, easily and quietly resold on underground markets.
- Not noisy like ransomware—attackers can "print" digital money without attracting much attention.
- Quote:
"Gift cards are just digital cash with no traceability. ... They're impossible to trace. So if I redeem them, you have no PII associated to them. That's what makes them so perfect."
— Stav Seti [07:26]
4. Initial Access: Tailored Phishing, Smishing & Unique Techniques [09:17]
- Initial compromise leveraged highly tailored phishing and SMS phishing ("smishing") campaigns.
- Attackers used cloned Microsoft 365 sign-in pages that were visually identical to the targets' real ones, leaving employees with little chance of spotting the difference.
- URL "@" sign trick: attackers crafted URLs like companylogin@randomdomain.com. In a URL, anything before the "@" in the authority section is userinfo, which the browser ignores when deciding where to connect, so the user reads a familiar company name while the request actually goes to randomdomain.com.
- Used compromised WordPress sites to host the phishing pages, which helped them slip past some security tools.
- Ran repeated, refined phishing rounds until one succeeded.
- Quote:
"These fake Microsoft 365 pages look identical to the corporate company's pages, which is crazy. I don't think there's any way for the employees to tell a difference."
— Stav Seti [10:10]
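The "@" trick above comes down to how a URL's authority section is parsed. The following is an added example (not code from the episode or from Palo Alto Networks) that resolves the host a browser will really connect to and flags lures whose userinfo impersonates a login host. The trusted hosts, brand terms and sample URLs are all constructed assumptions for the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts the organisation legitimately uses for sign-in. Constructed for this
# example; replace with the tenant's real login hosts.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.example-retailer.com"}

# Words that make a userinfo string look like a login page to a human reader.
# Also constructed; extend with your own brand names.
BRAND_TERMS = {"login", "sso", "office365", "microsoftonline", "example-retailer"}


def _split(url: str):
    # urlsplit only parses an authority section when a scheme is present, so a
    # bare "companylogin@randomdomain.com" (as seen in an SMS) gets one added.
    return urlsplit(url if "://" in url else "https://" + url)


def real_host(url: str) -> str:
    """Host the browser actually connects to, i.e. the part after any '@'."""
    return (_split(url).hostname or "").lower()


def displayed_userinfo(url: str) -> Optional[str]:
    """Text before '@' in the authority; browsers ignore it when routing."""
    parts = _split(url)
    if "@" not in parts.netloc:
        return None
    return parts.netloc.rsplit("@", 1)[0].lower()


def is_at_sign_lure(url: str) -> bool:
    """True when the userinfo looks like a login host but the real host is untrusted."""
    info = displayed_userinfo(url)
    if info is None:
        return False
    if real_host(url) in TRUSTED_LOGIN_HOSTS:
        return False  # userinfo on a trusted host is odd, but it is not this lure
    return info in TRUSTED_LOGIN_HOSTS or any(term in info for term in BRAND_TERMS)


def triage(urls: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (url, real host, lure?) for each candidate URL."""
    return [(u, real_host(u), is_at_sign_lure(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs mirroring the companylogin@randomdomain.com pattern.
    samples = [
        "https://companylogin@randomdomain.com/",
        "https://login.example-retailer.com@evil.example/owa",
        "https://login.example-retailer.com/?next=/",
        "https://admin@login.example-retailer.com/",
    ]
    for url, host, lure in triage(samples):
        print(f"{'LURE' if lure else 'ok  '}  {host:<28} {url}")
```

The check deliberately keys on the real host rather than on the presence of "@" alone: a URL with userinfo pointing at a trusted host is unusual but is not the lure described here, while a brand name in front of an untrusted host is exactly the pattern the episode describes.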
5. Social Engineering Tactics & Timing: Holiday Season Exploits [13:27]
- Attacks were timed for peak holiday periods, when many new, temporary, and distracted employees are on staff.
- New hires have no behavioral baseline yet, so anomalous activity on their accounts is harder to spot.
- Quote:
"During the holiday rush, you have limited employees, you have a lot of noise and distraction. ... These temporary employees are new. They don't have a behavioral baseline, which makes them a lot harder to detect."
— Stav Seti [13:27]
6. Persistence & Evasion in Microsoft 365 [15:47]
- Attackers abused M365 identity features post-compromise:
- Device registration: enrolling an attacker-controlled device with the tenant so that access persists as a trusted device and survives a password reset, sidestepping MFA.
- Inbox forwarding rules: silently copying all mail to attacker-controlled mailboxes for long-term access.
- Quote:
"After I get the credentials... I'm going to enroll my device. ... the victim can reset their password, but the attacker still has a trusted device."
— Stav Seti [15:47]
- Frequent use of internal phishing for lateral movement; the attackers deleted the sent emails to cover their tracks.
7. Living Off the Land: Cloud as Attack Surface [18:47]
- Attackers leveraged legitimate cloud features—no malware, making traditional endpoint detection blind.
- Used the stolen access to read SharePoint, Exchange, and business systems, mapping the gift card workflows and obtaining the access they needed through legitimate processes such as ServiceNow requests.
- Quote:
"They would look for a lot of internal documents on gift card workflows ... basically everything they needed to operate like an insider."
— Stav Seti [18:47]
"It's not hacking. It's kind of like abusing the business process."
— Stav Seti [20:35]
8. Detection: Behavioral Analytics, UEBA, and ITDR [23:07]
- Traditional security controls (EDR, AV) miss cloud-only identity abuse.
- Behavioral analytics (UEBA/ITDR) is key: correlates anomalies (location, MFA, device enrollments, inbox rules) into a "story of compromise."
- Quote:
"What the whole idea of behavioral analytics is to build a profile for the user ... lots of small signals ... create a clear compromise story."
— Stav Seti [23:46]
9. Lessons for Defenders [25:32, 27:19]
- MFA is not a silver bullet—attackers can register devices post-compromise and bypass MFA protections.
- Monitor all identity changes: new device enrollments, password resets, inbox rules, MFA factor additions.
- Regularly review and limit permissions (esp. who can issue gift cards).
- Respond quickly: Identity compromise spreads fast.
- Quote:
"MFA is not safety ... They should really monitor every new password reset and every new device enrollment."
— Stav Seti [25:32]
"You need to make sure to act fast because you can go from one compromised user to 100 ... in the matter of a very short time."
— Stav Seti [27:19]
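Sections 6, 8 and 9 all point at the same control: watch the identity-change events (new device enrollments, new MFA factors, password resets, forwarding inbox rules, sign-ins outside the user's baseline) and correlate them into a single story per user. The following is an added example, not code from the episode or from Palo Alto Networks, of that correlation over a batch of audit events. The operation names follow the Operation and Activity fields of the Exchange Online and Entra ID audit logs, but the event shape is simplified, and the weights, window, threshold, baseline and all events are constructed assumptions for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Weight per audit operation (assumed values for this example).
WEIGHTS = {
    "UserLoggedIn": 2,                   # scored only when the country breaks the user's baseline
    "Add registered device": 3,          # attacker enrolls their own device
    "User registered security info": 3,  # new MFA factor added
    "Reset user password": 2,
    "New-InboxRule": 3,                  # scored only when the rule forwards or redirects mail
    "Set-InboxRule": 3,
}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
WINDOW = timedelta(hours=72)   # signals further apart than this are not one story
ALERT_THRESHOLD = 6

Signal = Tuple[datetime, int, str]   # (when, weight, description)


def extract_signal(event: dict, baseline: Dict[str, set]) -> Optional[Signal]:
    """Turn one audit event into a weighted signal, or None if it is benign."""
    op = event["Operation"]
    when = datetime.fromisoformat(event["CreationTime"])
    params = event.get("Parameters", {})
    if op == "UserLoggedIn":
        country = event.get("Country", "")
        if country in baseline.get(event["UserId"], set()):
            return None
        return when, WEIGHTS[op], f"sign-in from {country}, outside baseline"
    if op in ("New-InboxRule", "Set-InboxRule"):
        fwd = {k: v for k, v in params.items() if k in FORWARDING_PARAMS}
        if not fwd:
            return None  # a rule that only files mail into a folder is routine
        return when, WEIGHTS[op], f"{op} forwarding mail to {sorted(fwd.values())}"
    if op in WEIGHTS:
        return when, WEIGHTS[op], op
    return None


def best_window(signals: List[Signal]) -> Tuple[int, List[Signal]]:
    """Highest-scoring run of a user's signals that fits inside WINDOW."""
    signals = sorted(signals)
    best_score, best_run = 0, []
    for i, (start, _, _) in enumerate(signals):
        run = [s for s in signals[i:] if s[0] - start <= WINDOW]
        score = sum(w for _, w, _ in run)
        if score > best_score:
            best_score, best_run = score, run
    return best_score, best_run


def build_stories(events: List[dict], baseline: Dict[str, set]) -> Dict[str, dict]:
    """Per user: correlated score, alert flag and the ordered story of identity changes."""
    per_user: Dict[str, List[Signal]] = {}
    for ev in events:
        sig = extract_signal(ev, baseline)
        if sig:
            per_user.setdefault(ev["UserId"], []).append(sig)
    stories = {}
    for user, sigs in per_user.items():
        score, run = best_window(sigs)
        stories[user] = {
            "score": score,
            "alert": score >= ALERT_THRESHOLD,
            "story": [f"{t.isoformat()} {d}" for t, _, d in run],
        }
    return stories


# Constructed baseline and events. Alice shows the full chain from the episode;
# Bob's lone device enrollment and Carol's two changes six days apart do not correlate.
A, B, C = "alice@example-retailer.com", "bob@example-retailer.com", "carol@example-retailer.com"
BASELINE = {A: {"US"}, B: {"US"}, C: {"US"}}
CONSTRUCTED_EVENTS = [
    {"CreationTime": "2025-11-03T08:05:00+00:00", "UserId": A, "Operation": "UserLoggedIn", "Country": "US"},
    {"CreationTime": "2025-11-03T21:40:00+00:00", "UserId": A, "Operation": "UserLoggedIn", "Country": "NL"},
    {"CreationTime": "2025-11-03T21:52:00+00:00", "UserId": A, "Operation": "Add registered device"},
    {"CreationTime": "2025-11-03T22:03:00+00:00", "UserId": A, "Operation": "User registered security info"},
    {"CreationTime": "2025-11-04T06:15:00+00:00", "UserId": A, "Operation": "New-InboxRule",
     "Parameters": {"ForwardTo": "ext-finance@attacker.example", "DeleteMessage": "True"}},
    {"CreationTime": "2025-11-01T09:10:00+00:00", "UserId": B, "Operation": "New-InboxRule",
     "Parameters": {"MoveToFolder": "Receipts"}},
    {"CreationTime": "2025-11-10T14:00:00+00:00", "UserId": B, "Operation": "Add registered device"},
    {"CreationTime": "2025-11-02T10:00:00+00:00", "UserId": C, "Operation": "Reset user password"},
    {"CreationTime": "2025-11-08T10:00:00+00:00", "UserId": C, "Operation": "Add registered device"},
]

if __name__ == "__main__":
    for user, s in build_stories(CONSTRUCTED_EVENTS, BASELINE).items():
        print(f"{'ALERT' if s['alert'] else 'info '} {user} score={s['score']}")
        for line in s["story"]:
            print("   ", line)
```

No single event here is conclusive on its own: a device enrollment or a password reset is routine for a new hire during the holiday rush. The score only crosses the threshold when several identity changes land on one account inside the window, which is the "story of compromise" the episode describes. In production the events would come from the unified audit log and the baseline from observed sign-in history rather than a hard-coded set.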
10. Emerging Trend: Identity as the New Perimeter [26:14]
- The campaign demonstrates how attackers now focus on users and their identity/trust inside organizations, rather than compromising machines.
- Legitimate processes subverted for attacker profit shows why defenders must treat identity as the new security perimeter.
- Quote:
"It's not really a system takeover, it's a process takeover. ... Identity is a new perimeter."
— Stav Seti [26:14]
11. Future Trends & Recommendations [30:28, 31:13]
- Expect more campaigns using these techniques against loyalty programs, digital currency, and other assets where trust inside a platform can be turned into money.
- Defender Recommendations:
- Monitor at the identity layer—device enrollments, MFA changes, inbox rules.
- Don’t over-rely on MFA.
- Move quickly upon signs of compromise.
- Quote:
"Any platform where trust can be turned to profit to be used. Today might be Microsoft 365, but in the future it'll expand to more cloud platforms."
— Stav Seti [30:28]
Memorable Quotes & Moments
- "It's like they're an easy way to print cash. All they need is an identity and they can just print their own money."
  — Stav Seti [09:09]
- "This is a really clever attack ... targeting it during the holiday season when things are busy just makes it fly right under the radar."
  — David Moulton [15:06]
- "Your endpoint solutions are completely blind to this. ... all of your ADR solutions are completely blind."
  — Stav Seti [21:51]
- "Internal phishing ... going from one account to dozens. It's like a game of cybertag."
  — Stav Seti [22:04]
Timestamps for Important Segments
- [04:03] – "What is Jingle Thief?" & Campaign outline
- [05:36] – Attribution to Atlas Lion, threat actor profile
- [07:26] – Gift card theft and monetization
- [09:17] – Initial access: Smishing, phishing, “@” URL trick
- [13:27] – Social engineering: Holiday season and new hires
- [15:47] – Persistence and evasion: M365 abuse
- [18:47] – Cloud services as attack surface
- [23:07] – Behavioral analytics, UEBA/ITDR
- [25:32] – Lessons for defenders
- [30:28] – Future threats and copycat attacks
- [31:13] – Early warning signs & monitoring priorities
Final Takeaway
Jingle Thief is a striking illustration of how cybercriminals are evolving—using patience, insider knowledge, and purely cloud-based identity tactics to steal money in subtle, high-impact ways. Defenders must evolve as well, focusing on behavioral analytics and identity-centric controls to see, stop, and respond to these next-generation threats. Identity truly is the new frontline in cybersecurity.
