Full Report
Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud. "Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards," Palo Alto Networks Unit 42 researchers
Analysis Summary
# Threat Actor: Jingle Thief
## Attribution & Identity
* **Primary Name:** Jingle Thief
* **Internal Tracking:** CL-CRI-1032 (CL = cluster, CRI = criminal motivation)
* **Associated Groups (Moderate Confidence):** Atlas Lion and Storm-0539
* **Origin (Attributed):** Morocco
* **Motivation:** Financially motivated criminal group focused on gift card fraud.
* **Activity Span:** Active since at least late 2021.
## Activity Summary
Jingle Thief targets cloud environments used by organizations in the retail and consumer services sectors that issue gift cards. Their goal is to illicitly issue gift cards, which they then likely resell on gray markets for monetary gain. They are noted for maintaining footholds within compromised organizations for extended periods (sometimes over a year). A wave of coordinated attacks targeting global enterprises was observed in April and May 2025, using credentials stolen via phishing to breach cloud infrastructure. In one documented campaign, attackers maintained access for approximately 10 months and compromised 60 user accounts in a single victim organization. The group's name is derived from their pattern of conducting fraud around festive and holiday seasons.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing and smishing (SMS phishing) tailored to the victim to steal Microsoft 365 credentials.
- **Persistence/Lateral Movement:** Maintaining footholds for extended periods, conducting extensive reconnaissance across the cloud environment, and moving laterally.
- **Objective Execution:** Gaining access necessary to issue unauthorized, high-value gift cards by targeting gift-card issuance applications.
- **Defense Evasion:** Actions are designed to leave minimal logs and forensic trails.
- **Internal Phishing:** Leveraging compromised accounts to send phishing emails internally, mimicking IT service notifications or ticketing updates using gleaned internal documentation.
- **Data Exfiltration/Control:** Creating inbox rules that automatically forward email from compromised accounts to attacker-controlled addresses, then deleting the sent messages to remove evidence.
- **Reconnaissance:** Post-compromise surveying of SharePoint and OneDrive for details on business operations, financial processes, IT workflows, gift card issuance workflows, VPN configurations, and Citrix environments.
- **Cloud Exploitation:** Exploiting cloud-based infrastructure to impersonate legitimate users.
## Targeting
* **Sectors:** Retail, Consumer Services.
* **Geography:** Global enterprises (specific countries not listed, but attacks are widespread).
* **Victims:** Organizations that issue gift cards (specific company names not detailed in this summary).
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named, but custom techniques regarding cloud access and phishing are central.
* **Infrastructure (C2, domains, IPs):** No indicators are detailed in the provided text excerpt, beyond the reliance on harvested Microsoft 365 credentials and potentially custom phishing landing pages.
## Implications
Jingle Thief poses a significant threat due to its long dwell times (over a year), which allow deep mapping of internal cloud environments and sophisticated evasion of forensic investigation. Its focus on high-value, easily liquidated assets (gift cards) makes the operation low-trace and high-yield. The actor's proficiency in credential harvesting via highly tailored social engineering (smishing/phishing) makes it effective at bypassing perimeter defenses to gain an initial foothold within cloud infrastructure.
## Mitigations
- Implement robust multi-factor authentication (MFA) on Microsoft 365 and associated cloud services.
- Enhance monitoring of cloud access and user behavior, specifically looking for unusual lateral movement and access to sensitive configurations (SharePoint/OneDrive searches related to financial/VPN/Citrix documentation).
- Review and restrict mailbox forwarding rules configured by standard users.
- Increase vigilance against sophisticated phishing and smishing attempts, educating staff on reporting suspicious credential requests, especially those mimicking IT support.
- Audit configurations of gift-card issuance applications and administrative controls within the cloud environment.
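As an added example (not from the Unit 42 report or this summary), the mailbox-forwarding review above expressed as a detection over Microsoft 365 Unified Audit Log records: it flags inbox-rule or mailbox changes whose forwarding targets fall outside the organization's domains, the technique described under Data Exfiltration/Control. The record shape and parameter names follow Exchange admin audit entries; every user, domain and timestamp below is constructed.

```python
import re

# Constructed sample records shaped like Microsoft 365 Unified Audit Log
# (Exchange admin) entries: every name, address and timestamp is made up.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2025-04-14T08:12:03", "Operation": "New-InboxRule",
     "UserId": "a.finance@example-retail.com",
     "Parameters": [{"Name": "Name", "Value": "IT Ticket Sync"},
                    {"Name": "ForwardTo", "Value": "ops-sync@mail-relay-placeholder.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-14T09:30:41", "Operation": "Set-InboxRule",
     "UserId": "b.ops@example-retail.com",
     "Parameters": [{"Name": "Identity", "Value": "Archive"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2025-04-15T17:02:19", "Operation": "Set-Mailbox",
     "UserId": "c.sales@example-retail.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:c.sales@example-retail.com"}]},
]

# Exchange cmdlet parameters that copy or redirect mail to another address.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def is_external(address, internal_domains):
    """True unless the address belongs to one of the org's domains (or a subdomain)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)

def find_external_forwarding(records, internal_domains):
    """One finding per rule or mailbox change that forwards mail outside the org."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = [addr for name in FORWARDING_PARAMS.intersection(params)
                   for addr in EMAIL_RE.findall(params[name])]
        external = sorted({a.lower() for a in targets if is_external(a, internal_domains)})
        if external:
            findings.append({
                "time": rec["CreationTime"], "actor": rec["UserId"],
                "operation": rec["Operation"], "external_targets": external,
                # DeleteMessage hides the forwarded mail from the mailbox owner.
                "deletes_original": params.get("DeleteMessage", "").lower() == "true"})
    return findings
```

Forwarding to a subdomain of an internal domain is treated as internal; tighten `internal_domains` to an explicit list if subdomains are not trusted in your tenant.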