As the festive season approaches, a surge in cyberattacks targeting digital gift card systems has been observed. The Jingle Thief campaign, run by financially motivated threat actors based in Morocco, has emerged as a significant threat: it times its intrusions to the holiday period, when gift card issuance volumes peak and anomalous activity is easier to miss, in order to issue and resell gift cards at scale.
Modus Operandi of the Jingle Thief Campaign
The attackers rely on phishing and smishing, focusing on major retailers and large enterprises whose operations run on cloud infrastructure, particularly Microsoft 365. Their primary objective is to steal user credentials, gain unauthorized access to the tenant, and abuse internal gift card issuance systems during periods of heightened activity and reduced vigilance.
The operation initiates with meticulously crafted phishing emails and SMS messages designed to lure victims into providing their login details through deceptive portals that closely mimic legitimate Microsoft 365 interfaces. These counterfeit sites are uniquely branded to mirror the targeted organization’s style, effectively harvesting credentials while evading routine detection mechanisms.
To obscure their infrastructure, the attackers often send these lures through self-hosted PHP mailer scripts running on compromised WordPress servers. Once inside a tenant, they conduct extensive reconnaissance, using the compromised account's access to SharePoint and OneDrive to locate internal documentation and learn how the organization issues gift cards, who approves them, and which applications are involved.
The sophistication of the Jingle Thief campaign lies not only in the initial compromise but also in the attackers’ ability to remain undetected—sometimes for months—while orchestrating repeated fraud attempts across multiple gift card issuance applications.
Advanced Operational Tactics and Persistence Mechanisms
Analysts at Palo Alto Networks' Unit 42 track the Jingle Thief campaign as the activity cluster CL-CRI-1032 and link it to the actor also tracked as Atlas Lion and Storm-0539. Their research describes operational tactics focused on maintaining persistence and on patience: the actors wait for the right moment rather than cashing out immediately.
In early 2025, attacks associated with this campaign compromised over 60 user accounts within a single global organization. The threat actors adapted their methods to evade defensive controls, including manipulating victim mailboxes and abusing the organization's own identity infrastructure.
A notable aspect of the Jingle Thief campaign is how it establishes persistent access without deploying any malware, leaving nothing for endpoint security to detect. After stealing credentials, the attackers abuse Microsoft Entra ID's self-service security-info management and device registration features to register attacker-controlled devices and their own authenticator apps as additional MFA methods on the victim's account. Because the attacker now controls a valid second factor, MFA no longer stands in the way, and if an incident response team only resets the password while leaving the registered methods and devices in place, the attackers simply phish the new password and sign in again.
The attackers have been observed quietly enrolling their own smartphones through the tenant's normal device onboarding process. To the directory these look like ordinary employee devices, which entrenches the intruders in the environment and makes them hard to distinguish from legitimate users.
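The registrations described above leave a trail in the Entra ID audit log, which is where the identity-based monitoring discussed later on this page would look for them. The following is an added example written for this article, not code from Unit 42 or Microsoft. It applies two heuristics to audit and sign-in records: a new MFA method or device registered from an IP address that has no established sign-in history for that account, and a single IP registering methods for several accounts (the pattern behind dozens of accounts being taken over in one tenant). Field names follow the Microsoft Graph directoryAudit and signIn resources; every record below is constructed for illustration, and the seven-day baseline window is an assumed tuning value.

```python
"""Flag Entra ID persistence registrations (new MFA method or device) made from an
IP with no established sign-in history for that account, plus IPs that register
methods for more than one account.

Added example for this article, not Unit 42 or Microsoft code. Field names follow
the Microsoft Graph directoryAudit and signIn resources; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# activityDisplayName values that give an intruder durable, malware-free access
PERSISTENCE_ACTIVITIES = {
    "User registered security info",   # new Authenticator app, phone number, FIDO2 key
    "Register device",                 # attacker-controlled device registered to the tenant
    "Add registered owner to device",
}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def baseline_ips(sign_ins, upn, before, min_age):
    """IPs from which `upn` signed in successfully at least `min_age` before `before`.
    The age requirement stops the attacker's own fresh sign-in with phished credentials
    from vouching for the registration that follows minutes later."""
    cutoff = before - min_age
    return {
        s["ipAddress"] for s in sign_ins
        if s["userPrincipalName"] == upn
        and s["status"]["errorCode"] == 0
        and parse_ts(s["createdDateTime"]) < cutoff
    }


def find_suspicious_registrations(audits, sign_ins, min_age=timedelta(days=7)):
    """Return one alert per persistence registration from a first-seen IP, and one
    alert per IP that registered methods or devices for more than one account."""
    alerts = []
    accounts_by_ip = defaultdict(set)
    for a in audits:
        if a["activityDisplayName"] not in PERSISTENCE_ACTIVITIES or a["result"] != "success":
            continue
        actor = a["initiatedBy"]["user"]
        upn, ip = actor["userPrincipalName"], actor.get("ipAddress")
        ts = parse_ts(a["activityDateTime"])
        accounts_by_ip[ip].add(upn)
        if ip not in baseline_ips(sign_ins, upn, ts, min_age):
            alerts.append({"rule": "registration_from_first_seen_ip", "user": upn, "ip": ip,
                           "activity": a["activityDisplayName"], "time": a["activityDateTime"]})
    for ip, users in accounts_by_ip.items():
        if len(users) > 1:
            alerts.append({"rule": "one_ip_registers_many_accounts", "ip": ip,
                           "users": sorted(users)})
    return alerts


# ---- constructed sample data (hypothetical tenant, RFC 5737 documentation IPs) ----
def _signin(upn, ip, when):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": when.isoformat().replace("+00:00", "Z"),
            "status": {"errorCode": 0}}


def _audit(activity, upn, ip, when):
    return {"activityDisplayName": activity, "result": "success",
            "activityDateTime": when.isoformat().replace("+00:00", "Z"),
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"userPrincipalName": upn, "type": "User"}]}


NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
OFFICE, ATTACKER = "203.0.113.10", "198.51.100.77"

SAMPLE_SIGN_INS = (
    [_signin("alice@example.com", OFFICE, NOW - timedelta(days=d)) for d in range(8, 30)]
    + [_signin("carol@example.com", OFFICE, NOW - timedelta(days=d)) for d in range(8, 30)]
    + [_signin("alice@example.com", ATTACKER, NOW - timedelta(hours=2)),   # phished creds used
       _signin("bob@example.com", ATTACKER, NOW - timedelta(hours=1))]     # bob: no older history
)

SAMPLE_AUDITS = [
    _audit("User registered security info", "alice@example.com", ATTACKER, NOW - timedelta(hours=1, minutes=50)),
    _audit("Register device", "alice@example.com", ATTACKER, NOW - timedelta(hours=1, minutes=40)),
    _audit("User registered security info", "bob@example.com", ATTACKER, NOW - timedelta(minutes=50)),
    _audit("User registered security info", "carol@example.com", OFFICE, NOW - timedelta(minutes=30)),  # benign
    _audit("Update user", "carol@example.com", OFFICE, NOW),  # not a persistence activity
]

if __name__ == "__main__":
    for alert in find_suspicious_registrations(SAMPLE_AUDITS, SAMPLE_SIGN_INS):
        print(alert)
```

Run as-is, it flags Alice's two registrations and Bob's one (all from the attacker IP, none with a week-old sign-in history), adds a shared-IP alert because the same address registered methods for both accounts, and stays silent on Carol, whose registration came from the address she has used for weeks. In production the same logic would be fed from the Graph `auditLogs/directoryAudits` and `auditLogs/signIns` endpoints, and the first-seen check can be relaxed to ASN or country if a workforce moves between addresses often.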
Implications and Recommendations for Cybersecurity Teams
Through these techniques, Jingle Thief attackers evade conventional, endpoint-centric security controls, and the usual first response of resetting a password does not evict them. Remediation is only effective once every compromised account has been identified and cleaned up in full: active sessions and refresh tokens revoked, attacker-registered authentication methods and devices removed, malicious mailbox rules deleted, and the attackers' access to the gift card applications cut off.
Cybersecurity teams are urged to prioritize identity-based monitoring and behavioral anomaly detection, especially during festive seasons when such threats intensify. Concretely, that means alerting on new MFA method and device registrations, sign-ins from unfamiliar locations, and newly created inbox rules; regularly auditing which authentication methods and devices are registered on accounts with access to gift card issuance; restricting self-service registration with conditional access; and training employees to recognize the phishing and smishing lures that start these intrusions.