
'Jingle Thief' holiday fraud campaign uses phishing, identity abuse

The “Jingle Thief” group has targeted global retailers with cloud-based attacks that weaponize stolen Microsoft 365 credentials to issue fraudulent gift cards.

 

What happened

According to Cyber Press, a threat actor cluster tracked as CL-CRI-1032, which overlaps with the group known as Atlas Lion (STORM-0539), has carried out a sustained cybercrime operation dubbed the Jingle Thief campaign. Active since 2021, the group is believed to originate from Morocco and deliberately times its attacks around holiday periods to exploit reduced staffing and increased online activity.

The attackers target retail and consumer services enterprises by stealing credentials and leveraging cloud-native tools to commit large-scale gift card fraud.

 

Going deeper

Unlike malware-based intrusions, Jingle Thief uses phishing and smishing to harvest Microsoft 365 credentials. Attackers distribute lures via email and SMS using PHP mailers hosted on compromised WordPress servers, which redirect victims to spoofed login pages. Once inside, the group uses legitimate Microsoft cloud services like SharePoint, OneDrive, Exchange, and Entra ID to persist and expand their access.

In one case studied by cybersecurity researchers, attackers maintained unauthorized access for up to 10 months, compromising over 60 user accounts. They focused on finding documentation related to gift card workflows and financial approvals stored in SharePoint, then moved laterally within the organization through internal phishing messages crafted to mimic ServiceNow alerts.

To avoid detection, they abused Entra ID’s device registration features, added rogue authenticator apps, and used inbox rules to silently monitor email activity. This allowed them to bypass multi-factor authentication (MFA), even after credentials were changed.

 

What was said

Researchers noted that the Jingle Thief campaign represents a shift in attacker strategy, moving away from malware and toward credential-based cloud attacks. Most login activity was traced back to Moroccan IP ranges, often routed through Mysterium VPN to mask origin.

The group’s goal is to exploit internal financial systems to issue unauthorized gift cards, which are then resold or used to launder money. Their infrastructure and operational patterns remain consistent, making them recognizable in repeated incidents.

 

The big picture

The Jingle Thief campaign shows how cybercriminals are weaponizing legitimate cloud tools to carry out large-scale fraud without relying on malware. By using stolen Microsoft 365 credentials, the attackers operate inside trusted systems, sending internal phishing messages, adding rogue devices, and issuing unauthorized gift cards under the radar. Timing their campaigns around the holidays gives them a further edge: employees are distracted and IT oversight is reduced.

Paubox recommends Inbound Email Security to detect phishing and credential theft attempts that start these types of attacks. Its generative AI studies tone, sender behavior, and intent to identify messages that appear routine but contain subtle warning signs of social engineering. That deeper visibility helps organizations catch identity-based threats before attackers can move from inboxes into cloud environments.

 

FAQs

What makes gift cards a target for cybercriminals?

Gift cards are easy to issue, use, and resell, making them attractive for fraud and low-risk money laundering. They also often bypass traditional financial scrutiny.

 

How can attackers bypass MFA using legitimate tools?

By registering rogue devices and authenticator apps through self-service portals like Entra ID, attackers can gain persistent access that isn’t disrupted by password resets.
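The persistence techniques described in the "Going deeper" section and in this FAQ answer leave traces in identity and mailbox audit logs. The Python script below is an added example, not code from the Cyber Press report or from Paubox, showing how a defender could triage such logs: it flags inbox rules that hide or auto-read messages while filtering on sensitive subjects, and device or authenticator registrations that occur shortly after a password reset for the same account, especially from a different IP address than the reset. The audit events are constructed for the example, and their field layout (and the use of operation labels such as "New-InboxRule", "Register device" and "User registered security info") is a simplified schema assumed here, not the exact format of Microsoft's unified audit log.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit events. The field names are a simplified schema
# assumed for this example, not the exact layout of Microsoft's audit logs.
SAMPLE_EVENTS = [
    {"time": "2024-11-20T08:02:11Z", "user": "alice@retailer.example",
     "op": "Reset user password", "ip": "203.0.113.10", "params": {}},
    {"time": "2024-11-20T08:15:40Z", "user": "alice@retailer.example",
     "op": "Register device", "ip": "198.51.100.77", "params": {"device": "DESKTOP-NEW"}},
    {"time": "2024-11-20T08:17:03Z", "user": "alice@retailer.example",
     "op": "User registered security info", "ip": "198.51.100.77",
     "params": {"method": "Authenticator app"}},
    {"time": "2024-11-20T09:01:22Z", "user": "alice@retailer.example",
     "op": "New-InboxRule", "ip": "198.51.100.77",
     "params": {"Name": ".", "SubjectContainsWords": "gift card;approval;password",
                "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2024-11-21T10:00:00Z", "user": "bob@retailer.example",
     "op": "New-InboxRule", "ip": "203.0.113.22",
     "params": {"Name": "Newsletters", "From": "news@vendor.example",
                "MoveToFolder": "Newsletters"}},
    {"time": "2024-11-22T12:30:00Z", "user": "carol@retailer.example",
     "op": "Register device", "ip": "203.0.113.31", "params": {"device": "LAPTOP-CAROL"}},
]

# Keywords and folders that, combined, point at a rule meant to hide mail
# about approvals or security notices rather than tidy up a mailbox.
SENSITIVE_WORDS = {"gift card", "approval", "password", "mfa", "security", "suspicious"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}
REGISTRATION_OPS = {"Register device", "User registered security info"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inbox_rule_findings(events):
    """Flag inbox rules showing at least two independent concealment indicators."""
    findings = []
    for ev in events:
        if ev["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = ev["params"]
        reasons = []
        folder = str(p.get("MoveToFolder", "")).lower()
        if p.get("DeleteMessage") or folder in HIDING_FOLDERS:
            reasons.append("rule hides messages")
        if p.get("MarkAsRead"):
            reasons.append("rule marks messages read")
        words = {w.strip().lower() for w in str(p.get("SubjectContainsWords", "")).split(";") if w.strip()}
        if words & SENSITIVE_WORDS:
            reasons.append("subject filter targets sensitive keywords")
        if not str(p.get("Name", "")).strip(" .,-_"):
            reasons.append("rule name is blank or punctuation only")
        # Two indicators are required so ordinary housekeeping rules do not alert.
        if len(reasons) >= 2:
            findings.append({"user": ev["user"], "time": ev["time"], "reasons": reasons})
    return findings


def post_reset_registration_findings(events, window=timedelta(hours=24)):
    """Flag device/authenticator registrations that follow a password reset for the same user."""
    resets = {}
    for ev in events:
        if ev["op"] == "Reset user password":
            resets.setdefault(ev["user"], []).append(ev)
    findings = []
    for ev in events:
        if ev["op"] not in REGISTRATION_OPS:
            continue
        t = parse_time(ev["time"])
        for reset in resets.get(ev["user"], []):
            rt = parse_time(reset["time"])
            if rt <= t <= rt + window:
                findings.append({
                    "user": ev["user"], "time": ev["time"], "op": ev["op"],
                    "minutes_after_reset": int((t - rt).total_seconds() // 60),
                    # A registration from a different address than the reset
                    # suggests the reset did not evict whoever holds the session.
                    "different_ip_than_reset": ev["ip"] != reset["ip"],
                })
                break
    return findings


def detect(events):
    return {"inbox_rules": inbox_rule_findings(events),
            "post_reset_registrations": post_reset_registration_findings(events)}


if __name__ == "__main__":
    for category, items in detect(SAMPLE_EVENTS).items():
        print(category)
        for item in items:
            print("  ", item)
```

Run stand-alone, the script reports Alice's concealment rule and her two registrations 13 and 14 minutes after the reset from a new address, while Bob's newsletter rule and Carol's ordinary device enrollment produce nothing. The two-indicator threshold and the reset-to-registration window are tuning knobs; in a real tenant the same logic would be fed from Exchange mailbox audit and Entra ID audit exports rather than the constructed list.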

 

Why are holiday periods especially vulnerable?

Reduced IT staffing and increased transaction volume during holidays create ideal conditions for attackers to go undetected while executing high-volume fraud.

 

What is the role of Entra ID in these attacks?

Attackers abuse Entra ID (formerly Azure Active Directory) to enroll devices, manipulate identity settings, and establish MFA-resistant backdoors.

 
