Cybersecurity researchers have recently detailed the activities of a cybercriminal operation dubbed Jingle Thief, a group focused on gift card fraud within the cloud environments of organizations, particularly those in the retail and consumer services industries. The attackers initiate their breaches by using phishing and smishing to steal legitimate credentials, allowing them to compromise the target organizations that issue gift cards. Their primary objective once inside is to gain the necessary access to issue unauthorized gift cards and then quickly leverage these assets for profit, most often by reselling them on gray markets. Gift cards are an attractive target because they offer an easy path to monetary gain, requiring minimal personal information for redemption and proving difficult for defenders to trace. The group’s name itself, Jingle Thief, alludes to their pattern of increasing their fraud activity around festive seasons and holiday periods.
The threat cluster, which is tracked by the name CL-CRI-1032, has been tentatively linked to criminal groups known as Atlas Lion and Storm-0539. Microsoft also tracks this group, describing it as a financially motivated crew that appears to originate from Morocco and has been active since at least late 2021. What makes Jingle Thief particularly dangerous is its ability to maintain a persistent presence within compromised organizations, sometimes for over a year. During this extended period, they conduct extensive reconnaissance to map the cloud environment, move laterally, and take steps to actively evade detection. Researchers noted a coordinated wave of attacks in April and May 2025 where the group used phishing to obtain the credentials needed to breach victims’ cloud infrastructure. In one instance, attackers reportedly maintained access for roughly ten months, compromising 60 user accounts within a single organization to exploit cloud-based infrastructure for large-scale fraud.
The attacks are typically highly targeted and tailored to each victim. The threat actors first perform detailed reconnaissance, then send persuasive phishing login pages via email or SMS to trick users into entering their Microsoft 365 credentials. As soon as the credentials are harvested, the attackers move swiftly, carrying out a second round of reconnaissance focused on the victim’s SharePoint and OneDrive to find information on business operations, financial processes, and IT workflows. This search includes looking for gift card issuance procedures, VPN guides, spreadsheets used to track gift cards, and other key information related to virtual machines. The attackers then attempt to access gift-card issuance applications to issue high-value cards, while keeping the logs and forensic trail they leave behind to a minimum in order to complicate investigations.
In a later phase, Jingle Thief is known to leverage the compromised account to send internal phishing emails to broaden their access within the organization. These messages are often designed to mimic IT service notifications or ticketing updates, using specific information gleaned from internal documentation to appear legitimate. To hide their actions, the group commonly creates inbox rules that automatically forward emails from the hacked accounts to attacker-controlled addresses and then immediately delete the forwarded messages. They have also been observed taking more aggressive steps to retain access after a password reset, such as registering rogue authenticator apps to bypass multi-factor authentication (MFA) protections or enrolling attacker-controlled devices in Entra ID.
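The inbox-rule persistence described above is one of the few places this activity leaves a durable record, since rule creation is written to the Microsoft 365 audit log. The following detection sketch is an added example, not code from Unit 42 or the original article: it scans constructed audit records modelled on the shape of Exchange Online admin audit entries (an `Operation` plus a `Parameters` list of name/value pairs, which is an assumption about the record layout) and flags rules that forward mail to a domain outside the tenant, enriching the alert when the rule also deletes the message.

```python
import json

# Constructed sample records (all values made up) in the shape of Exchange Online
# admin audit entries: an Operation plus a Parameters list of Name/Value pairs.
SAMPLE_AUDIT_LOG = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "a.user@victim.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.user@victim.example",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Sort newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "c.user@victim.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Helpdesk"},
                    {"Name": "RedirectTo", "Value": "it-team@victim.example"}]},
])

INTERNAL_DOMAINS = {"victim.example"}  # assumption: the tenant's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def is_external(address):
    return address.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS


def score_rule(record):
    """Return the reasons a rule-creation record looks like mailbox exfiltration."""
    if record.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    for name in sorted(FORWARD_PARAMS & params.keys()):
        # A parameter may carry one address or a ';'-separated list of them.
        for addr in params[name].split(";"):
            if addr.strip() and is_external(addr):
                reasons.append(f"{name} to external {addr.strip()}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True (hides the forwarded copy)")
    return reasons


def detect(audit_json):
    """Alert only on rules that forward externally; other signals enrich the alert."""
    findings = []
    for rec in json.loads(audit_json):
        reasons = score_rule(rec)
        if any("external" in r for r in reasons):
            findings.append((rec["UserId"], rec.get("ClientIP", ""), reasons))
    return findings
```

In production the same logic would run over `Search-UnifiedAuditLog` output or a SIEM feed, and the `ClientIP` field lets you correlate rule creation with the sign-in that preceded it.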
The group’s methodology is notable for its exclusive focus on cloud services rather than endpoint compromise, and for its reliance on identity misuse instead of custom malware, which significantly reduces the chances of being detected. According to Unit 42, gift card fraud requires stealth, speed, and scalability, all of which are amplified when the attackers gain access to the cloud environments where issuance workflows reside. To successfully exploit these systems, the threat actors need access to internal documentation, which they secure by stealing credentials and maintaining a quiet, persistent presence within the Microsoft 365 environments of their targeted organizations.