Palo Alto Networks’ Unit 42 has published an in-depth analysis of a financially motivated cyber campaign dubbed “Jingle Thief,” operated by a Morocco-based group tracked as CL-CRI-1032. The operation, which has targeted retail and consumer services enterprises worldwide since 2021, uses phishing, smishing, and identity abuse within Microsoft 365 environments to issue fraudulent gift cards worth hundreds of thousands of dollars.
According to Unit 42, the threat cluster overlaps with activity from Atlas Lion and STORM-0539, both previously linked to Morocco-based financial fraud groups.
Unlike traditional ransomware or malware-based campaigns, Jingle Thief actors operate almost entirely within cloud ecosystems, abusing Microsoft 365 services such as SharePoint, OneDrive, Exchange, and Entra ID to infiltrate and persist inside enterprise environments.
“In one campaign, threat actors maintained access for approximately 10 months and compromised over 60 user accounts within a single global enterprise,” the researchers revealed.
The attackers’ patience and operational discipline make them particularly dangerous. Once inside, they study internal workflows, map financial systems, and identify opportunities to issue unauthorized gift cards. Their endgame is not data theft or extortion — it’s monetization through the mass issuance of digital currency equivalents.

The report highlights how gift cards have become the cybercriminal’s cash of choice — a low-risk, high-velocity method of converting stolen access into untraceable profit.
“Gift cards are highly attractive to financially motivated actors due to their ease of redemption and rapid monetization,” Unit 42 wrote, adding that they are “useful for low-risk money laundering, especially across jurisdictions.”
The attackers reportedly resold stolen cards on gray-market forums, leveraging their anonymity to launder proceeds. Some stolen cards were even used as collateral in digital loan schemes, showcasing a sophisticated criminal ecosystem behind what appears to be seasonal fraud.
The Jingle Thief campaign starts with phishing or SMS-based smishing lures that impersonate well-known organizations, including NGOs, to steal Microsoft 365 credentials.
Many phishing messages are sent through self-hosted PHP mailers running on compromised WordPress servers, with URLs crafted to look legitimate — for example: https://organization[.]com@malicious.cl/workspace — which appears to be a corporate domain but actually redirects to the attacker’s server.
Once credentials are captured, the attackers authenticate directly into Microsoft 365, avoiding the need for malware entirely.
Unit 42 observed that phishing activity increases during holiday periods, aligning with reduced staffing and higher gift card transaction volumes, which amplifies the attackers’ chances of success.
After gaining initial access, Jingle Thief actors conducted extensive reconnaissance in SharePoint and OneDrive, searching for internal documentation related to gift card workflows, ticketing systems, and VPN access.
“Rather than escalating privileges, the threat actors build situational awareness by accessing readily available data on compromised users,” Unit 42 noted. “This discreet approach helps evade detection while laying the groundwork for future fraud.”
They also established persistence through Microsoft Entra ID, registering rogue devices and authenticator apps to maintain access even after credentials were reset — effectively bypassing MFA protections.
To hide their activity, the attackers created email forwarding rules that automatically sent financial or IT workflow communications to their own inboxes, while deleting sent and received messages to cover tracks.
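Forwarding rules of the kind described above leave a trace in the Microsoft 365 Unified Audit Log, and the check below is an added example (not code from Unit 42 or the report) of how a defender might triage them: it flags inbox-rule operations whose forwarding target is outside the organization and notes when the rule also deletes the message. The record shape (an `Operation` field plus `Parameters` name/value pairs) follows the Exchange admin audit format as an assumption, and all addresses, IPs and domains are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample records shaped like Unified Audit Log Exchange entries.
# Every value here is made up for the example.
SAMPLE_AUDIT_LOG = [
    '{"Operation":"New-InboxRule","UserId":"alice@retailco.example","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Name","Value":"Finance"},'
    '{"Name":"SubjectContainsWords","Value":"gift card;invoice"},'
    '{"Name":"ForwardTo","Value":"collector@attacker.example"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@retailco.example","ClientIP":"198.51.100.9",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"Operation":"Set-InboxRule","UserId":"carol@retailco.example","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Identity","Value":"Tickets"},'
    '{"Name":"ForwardAsAttachmentTo","Value":"helpdesk@retailco.example"}]}',
]

INTERNAL_DOMAINS = {"retailco.example"}          # hypothetical tenant domain
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def _params(record: dict) -> Dict[str, str]:
    """Flatten the Parameters list into a name -> value mapping."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    """True when the address domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_suspicious_rules(lines: List[str]) -> List[dict]:
    """Return one finding per inbox rule that forwards mail outside the tenant."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        p = _params(rec)
        external = [p[k] for k in FORWARD_PARAMS if k in p and is_external(p[k])]
        if not external:
            continue
        findings.append({
            "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "forward_to": external,
            # A rule that both forwards and deletes hides the mail from the victim.
            "deletes_message": p.get("DeleteMessage", "False").lower() == "true",
        })
    return findings
```

Running `find_suspicious_rules(SAMPLE_AUDIT_LOG)` flags only the first record: the second rule only moves mail and the third forwards to an internal address.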
Unit 42 traced the majority of Jingle Thief activity to Moroccan IP addresses and Autonomous System Numbers (ASNs) belonging to local telecommunications providers, such as MT-MPLS, ASMedi, and MAROCCONNECT.
“Unlike many actors who hide behind VPNs, these threat actors often made no attempt to obscure their origin,” the researchers observed. Across incidents, Microsoft 365 logs showed recurring device fingerprints and login behaviors associated with Moroccan infrastructure.
These findings strengthen the link to previously identified Moroccan threat groups, suggesting that Jingle Thief represents an evolution of the country’s cybercriminal underground — one that blends cloud exploitation, social engineering, and financial fraud.