Cybersecurity Alert: 'Jingle Thief' hackers targeting retailers with high-level gift card fraud

  • Marijan Hassan - Tech Journalist
  • 1 day ago
  • 2 min read

Security researchers from Palo Alto Networks' Unit 42 have issued a warning about a financially motivated threat actor group, dubbed "Jingle Thief," that specializes in large-scale gift card fraud. The moniker reflects the group's tendency to escalate operations during festive and holiday shopping seasons.

The "Jingle Thief" campaign is notable because it largely avoids traditional malware. Instead it exploits weaknesses in identity and access management within cloud platforms such as Microsoft 365, then uses the stolen access to issue unauthorized, high-value gift cards from the victim's own systems.


Cloud-native theft: The Jingle Thief modus operandi

The criminal enterprise, which Unit 42 links with moderate confidence to the Morocco-based financially motivated activity tracked elsewhere as Atlas Lion and Storm-0539, follows a multi-step, stealthy process:

  • Initial access via phishing: The attack begins with tailored phishing or "smishing" (SMS phishing) messages sent to employees of the target organization. The messages lure victims to counterfeit Microsoft 365 sign-in pages that mimic the legitimate portal, usually dressed up as IT service notifications or ticketing updates to create a sense of urgency, and the credentials entered there are captured by the attackers.

  • Internal reconnaissance: Once inside the company's cloud environment, the attackers search SharePoint, OneDrive and Exchange for internal documentation on gift card issuance workflows, financial procedures and IT configuration guides.

  • Persistence and stealth: To keep long-term, undetected access, Jingle Thief relies on the tenant's own features rather than malware:

      • MFA bypass: They register attacker-controlled authenticator apps as additional MFA methods on compromised accounts, so that Multi-Factor Authentication (MFA) no longer stands in their way.

      • Email manipulation: They create inbox rules that forward messages about gift card approvals to external addresses and that hide evidence of their activity, for example by moving replies to their internal phishing emails straight to the Deleted Items folder.

      • Device enrollment: They enroll attacker-controlled devices in Entra ID (formerly Azure AD) so that their access survives a password reset on the victim's account.

  • Monetization: The final stage is to access the company's gift card issuance applications and generate a large volume of unauthorized, high-value gift cards. These cards are quickly sold on gray markets or used as a hard-to-trace instrument for laundering money.


Why this threat matters

The Jingle Thief campaign illustrates a shift in the threat landscape in which identity misuse and the abuse of trusted cloud features replace malware as the primary attack vector. Because the attackers act through legitimate cloud services with stolen credentials, their activity rarely trips traditional security controls built around detecting malicious files.


Retail and consumer services organizations are urged to strengthen their cloud security posture, focusing on:

  • Identity monitoring that flags anomalous sign-ins and, especially, the registration of new MFA methods or devices shortly after them, since those are the persistence steps in this campaign.

  • Awareness training that prepares employees for convincing phishing sent from inside the organization, not only from outside it.

  • Regular auditing of inbox rules, in particular rules that forward mail to external addresses or move messages to Deleted Items, since both are used here to exfiltrate gift card approvals and hide the attackers' traces.
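As an added example (not code from Unit 42 or from this article), the following Python script runs the three checks recommended above over a handful of constructed audit records that mirror the persistence tactics described in the Jingle Thief chain: a sign-in from a country outside the user's baseline, followed within 24 hours by an MFA method registration, a device registration and an inbox rule that forwards gift card mail externally and deletes it. The operation names are modelled on the Entra ID and Exchange Online audit activities, but the record layout, field names, domain names, IP addresses and the per-user country baseline are all assumptions made for this example; in practice the records would come from an export of the Microsoft 365 Unified Audit Log.

```python
"""Hunt for Jingle Thief-style persistence in Microsoft 365 audit data.

Constructed example, not Unit 42's tooling. The records below are a
hand-made, simplified imitation of Unified Audit Log entries: the field
names, users, domains, IPs and timestamps are assumptions.
"""
from datetime import datetime, timedelta

# Per-user baseline of countries seen in normal sign-ins. Assumed to come
# from a prior lookback; hard-coded here so the example runs offline.
BASELINE_COUNTRIES = {"alice@retailer.example": {"US"}, "bob@retailer.example": {"US", "CA"}}
INTERNAL_DOMAINS = {"retailer.example"}          # assumed tenant domain
GIFT_CARD_WORDS = ("gift card", "giftcard", "egift", "voucher", "approval")
HIDING_FOLDERS = ("deleted items", "junk email", "rss feeds", "archive")
WINDOW = timedelta(hours=24)                      # persistence soon after a risky sign-in

# Constructed sample events (simplified UAL-style records).
EVENTS = [
    {"t": "2025-10-20T08:02:00", "user": "alice@retailer.example", "op": "UserLoggedIn", "country": "US", "ip": "203.0.113.10"},
    {"t": "2025-10-21T01:14:00", "user": "alice@retailer.example", "op": "UserLoggedIn", "country": "MA", "ip": "198.51.100.7"},
    {"t": "2025-10-21T01:19:00", "user": "alice@retailer.example", "op": "User registered security info", "country": "MA", "ip": "198.51.100.7", "detail": "Authenticator App"},
    {"t": "2025-10-21T01:25:00", "user": "alice@retailer.example", "op": "New-InboxRule", "country": "MA", "ip": "198.51.100.7",
     "params": {"Name": ".", "SubjectContainsWords": ["gift card", "approval"], "ForwardTo": ["collector@attacker.example"], "DeleteMessage": True}},
    {"t": "2025-10-21T01:40:00", "user": "alice@retailer.example", "op": "Register device", "country": "MA", "ip": "198.51.100.7"},
    {"t": "2025-10-21T09:00:00", "user": "bob@retailer.example", "op": "New-InboxRule", "country": "CA", "ip": "192.0.2.44",
     "params": {"Name": "Vendor invoices", "MoveToFolder": "Invoices", "FromAddressContainsWords": ["billing@supplier.example"]}},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def risky_sign_ins(events):
    """Sign-ins from a country outside the user's baseline (check 1)."""
    return [e for e in events if e["op"] == "UserLoggedIn"
            and e["country"] not in BASELINE_COUNTRIES.get(e["user"], set())]


def rule_findings(event):
    """Reasons an inbox rule looks like attacker tooling; empty list means benign (check 3)."""
    p = event.get("params", {})
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        external = [a for a in p.get(key, []) if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]
        if external:
            reasons.append(f"{key} to external {external}")
    if p.get("DeleteMessage") or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("hides messages")
    words = [w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])]
    if any(g in w for w in words for g in GIFT_CARD_WORDS):
        reasons.append("targets gift card / approval mail")
    if len(p.get("Name", "")) <= 2:      # attackers often use a single character as the rule name
        reasons.append("minimal rule name")
    return reasons


def hunt(events):
    """Return (user, time, reason) alerts: MFA/device registration within WINDOW of a
    risky sign-in (check 2), plus any suspicious inbox rule whenever it was created."""
    risky = {}
    for s in risky_sign_ins(events):
        risky.setdefault(s["user"], []).append(parse(s["t"]))
    alerts = []
    for e in events:
        t = parse(e["t"])
        after_risky = any(timedelta(0) <= (t - r) <= WINDOW for r in risky.get(e["user"], []))
        if e["op"] == "User registered security info" and after_risky:
            alerts.append((e["user"], e["t"], "MFA method registered after risky sign-in"))
        elif e["op"] == "Register device" and after_risky:
            alerts.append((e["user"], e["t"], "device registered after risky sign-in"))
        elif e["op"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(e)
            if reasons:
                tag = "suspicious inbox rule" + (" after risky sign-in" if after_risky else "")
                alerts.append((e["user"], e["t"], tag + ": " + "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

On the constructed data only Alice's account produces alerts; Bob's ordinary "move vendor invoices" rule is ignored, which is the point of scoring a rule on where it sends mail and what it hides rather than flagging every rule an employee creates. Device and MFA registrations are only alerted when they follow a risky sign-in, because in a real tenant both happen legitimately every day.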
