Inside Jingle Thief Cloud Fraud Unwrapped [Threat Vector]

Nov 21, 2025

In this engaging discussion, Stav Setty, a Principal Researcher at Palo Alto Networks, unveils the alarming tactics behind the Jingle Thief campaign, a sophisticated cloud-only fraud operation leveraging Microsoft 365 to print gift cards. Setty reveals how the Moroccan group Atlas Lion used tailored phishing methods and exploited legitimate business workflows to compromise identities. He emphasizes the importance of behavioral analytics in detecting such threats and offers actionable advice to enhance identity security in cloud environments.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Cloud-Only Gift Card Operation

Stav Setty describes Jingle Thief as a cloud-only campaign stealing gift cards via Microsoft 365.
The attackers lived entirely in the cloud with no malware or exploits involved.

INSIGHT

Gift Cards As Digital Cash

Gift cards act as untraceable digital cash that attackers can resell on underground markets.
Stav Setty explains gift cards' lack of traceability makes them ideal for monetization.

ADVICE

Harden Phishing And URL Defenses

Monitor and harden phishing vectors because attackers used highly tailored phishing and smishing pages.
Detect URL tricks like the at-sign trick and block or warn on suspicious redirect patterns.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this special episode of Threat Vector, host David Moulton, Senior Director of Thought Leadership for Unit 42, sits down with Stav Setty, Principal Researcher at Palo Alto Networks, to unpack Jingle Thief a cloud-only, identity-driven campaign that turned Microsoft 365 into a gift card printing press. Stav explains how the Morocco based group known as Atlas Lion lived off the land inside M365 for months at a time, using tailored phishing and smishing pages, URL tricks, and internal phishing to compromise one user and quietly pivot to dozens more.

Together, David and Stav walk through how the attackers abused legitimate identity features like device registration, MFA resets, inbox forwarding rules, and ServiceNow style access requests to blend into normal business workflows and monetize “digital cash” in the form of gift cards. They dig into why MFA alone is not safety, why identity is now the real perimeter, and how behavioral analytics, UEBA, and ITDR can piece together small signals into a clear story of compromise.

You’ll come away with practical steps to harden identity posture, spot early warning signs in cloud environments, and protect high value systems where trust can be turned directly into profit. To go deeper on this campaign and the Atlas Lion threat actor, read the Unit 42 article Jingle Thief Inside a Cloud-Based Gift Card Fraud Campaign at https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/

Join the conversation on our social media channels:

About Threat Vector

Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends.

The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers.

Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks

Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile.⁠⁠⁠⁠⁠ ⁠http://paloaltonetworks.com.⁠

Learn more about your ad choices. Visit megaphone.fm/adchoices