Podcast

Inside Jingle Thief Cloud Fraud Unwrapped

Nov 21, 2025

Threat Vector | Inside Jingle Thief Cloud Fraud Unwrapped


In this special episode of Threat Vector, host David Moulton, Senior Director of Thought Leadership for Unit 42, sits down with Stav Setty, Principal Researcher at Palo Alto Networks, to unpack Jingle Thief, a cloud-only, identity-driven campaign that turned Microsoft 365 into a gift card printing press. Stav explains how the Morocco-based group known as Atlas Lion lived off the land inside M365 for months at a time, using tailored phishing and smishing pages, URL tricks, and internal phishing to compromise one user and quietly pivot to dozens more. Together, David and Stav walk through how the attackers abused legitimate identity features like device registration, MFA resets, inbox forwarding rules, and ServiceNow-style access requests to blend into normal business workflows and monetize “digital cash” in the form of gift cards. They dig into why MFA alone is not safety, why identity is now the real perimeter, and how behavioral analytics, UEBA, and ITDR can piece together small signals into a clear story of compromise. You’ll come away with practical steps to harden identity posture, spot early warning signs in cloud environments, and protect high-value systems where trust can be turned directly into profit. To go deeper on this campaign and the Atlas Lion threat actor, read the Unit 42 article “Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign” at https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/





Full Transcript


David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.

 

Stav Setty: Identity compromise means that the attackers are targeting you. They're not targeting a machine or a service. They're targeting you. They're looking to compromise accounts. And, in this case of Atlas Lion, every new identity that they compromise, they turn that into money. Identity attacks are not a future problem. They're a today problem. They're happening now. And we saw in Jingle Thief that one compromised account quickly turned into dozens of compromised accounts in a matter of months, if you're not monitoring behavior. So it really shows the importance of monitoring your identity behavior. And the highlight of this attack is that it's entirely in the cloud. Attackers don't need exploits. They don't need malware. They just need to compromise identities.

 

David Moulton: Today I'm speaking with Stav Setty, Principal Researcher at Palo Alto Networks. Stav and the Unit 42 research team recently uncovered a financially motivated operation they're calling Jingle Thief, a cloud-based campaign that exploited Microsoft 360 environments to commit large-scale gift card fraud targeting global retailers and consumer service enterprises. Today we're going to talk about how attackers leverage identity misuse, what this means for defenders in a cloud-first world, and why campaigns like Jingle Thief are reshaping how we think about trust and persistence in cybersecurity. Stav, welcome to the Threat Vector. I'm really excited to have you here this morning.

 

Stav Setty: Thanks, David. I'm really happy to be here.

 

David Moulton: So. Before we get into this Jingle Thief campaign -- and, by the way, love the name. I think that it's super memorable. Can you talk to me about your work as a principal researcher here and how you and your team approach uncovering threat actor behavior.

 

Stav Setty: Yeah. Of course. So I'm part of the Cortex Research team, the UEBA and ITDR team. And what we do is we focus on identity threats. So that means we look into how users are compromised, and we try and find a way to detect that behavior.

 

David Moulton: What got you interested in that particular focus area in security?

 

Stav Setty: I think it feels a little bit more real to me because I'm a user, and I can get attacked at any point. So I kind of feel that that kind of -- those kind of attacks are interesting, more so than attacking a machine because I feel that I can relate to them a little bit more. And I also think that identity attacks are just the next big thing. I think all the attacks nowadays are heading towards identity land. And it's really interesting to me to research all these cases, and I'm lucky to be part of that.

 

David Moulton: So today we're going to talk about this Jingle Thief campaign, which is really centered around identity based cloud compromise and gift card fraud. And I wanted to start with the basics, you know, for the listeners. What exactly is the Jingle Thief campaign? You know, some folks maybe haven't read the research that we've got out on the Unit 42 Threat Research Center. What was it that first drew the Cortex Research's team to this specific activity?

 

Stav Setty: The Jingle Thief campaign is a campaign that we found very fascinating, and it came up because of our Cortex ITDR alerts that were raised. And what makes it so interesting is it's attackers going after gift cards, and they were able to steal and target gift cards from some of the biggest retail brands that you know. So that's really fascinating. And what makes it even more fascinating is that this is in the cloud. There's no malware. There's no exploits. They're purely living in Microsoft 365, which is a bit unusual because nowadays you don't see that too often with the gift card fraud. And, yeah. So they would try and target retailers or just anyone that can issue gift cards.

 

David Moulton: Stav, you mentioned something, and I want to make sure that we don't go screaming by it. You said the four letters, ITDR. And, for those who are not part of our parlance, our jargon every day, what is ITDR real quick?

 

Stav Setty: Okay. So ITDR stands for identity, threat, detection, and response; and it's all about detecting identity attacks such as the Jingle Thief attack. And we'll talk more about that.

 

David Moulton: Yeah. Super important here, and it was the technical capability of the Cortex platform that you're referring to. I just wanted to make sure that, you know, if you're -- if you're not in the business all the time of our shortcuts that you knew what that was. All right. Let's get back to Jingle Thief real quick. Who's behind this, this campaign? Talk to me about the threat actor.

 

Stav Setty: Yeah. So we're pretty sure that this group is what people know as Atlas Lion. This Lion is a Moroccan-based group. They've been active since 2021. And while we don't have 100% attribution, I say for the purposes of this shot, let's call them Atlas Lion. What do you think?

 

David Moulton: Yeah. That works for me. And you said Moroccan-based financially motivated. That's probably part of the crime side of cyberattacks, not necessarily something tied to a state actor. What distinguishes the campaign from maybe some of the other financially motivated operations that we've been looking at recently?

 

Stav Setty: I think there's a few things. I think the first thing is the patience and the discipline. They stay months within an organization. In one case we saw, we saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey. This is really something different here. I think another aspect is the Living Off the Land in Microsoft 365. It's all cloud. That's a little bit unusual as well. And, lastly, it's the gift card aspect. The gift card theft, a lot of times financially motivated actors will go for ransomware. And this was all about gift cards.

 

David Moulton: Okay. And so they are looking at these gift cards as a way of -- of getting their money. Talk to me about how you go from stealing gift cards because that seems like a limited way of financing your operation to, you know, are they selling them? Are they demanding that the retailer buy them back? Like, what's the path to monetization?

 

Stav Setty: Yeah. So I think that's kind of like the golden question here is why would you target gift cards in the first place? And that's exactly what my team asked when we first saw this. We just didn't really get it at first. And I actually think it's -- at the end of the day, it's a perfect solution for them. So what they're going to do is they're going to issue gift cards, and they're going to sell them later in underground markets. Why do they target gift cards? Because, when you think about it, gift cards are just digital cash with no traceability. They're easy to resell; and there's no noise, and they're impossible to trace. So, if I redeem them, you have no PII associated to them. So that's what makes them so perfect.

 

David Moulton: Okay. So, if I play this back, you go in. You're in an environment. You're not necessarily noisy; you're persistent. Maybe you've got some technical chops. And then, instead of locking things up, demanding some sort of ransom dealing with a crypto, you basically issue yourself a payday. You know, I'm going to go ahead and type in a half a million dollars or $100,000 here, there. And then later on, when the -- when the heat's off, so to speak, you can then start to sell those out. And you're basically cashing out this digital cash that no one can really trace to an actual payment. You're no longer holding the stolen goods. You're financed. So it is kind of a low-stakes operation, and it -- I don't want to say it's the perfect crime, but it feels like it's starting to make more and more sense why Atlas Lion and maybe others are looking at gift cards as this weak spot inside of some enterprises where they can go have a payday.

 

Stav Setty: Definitely. It's like they're an easy way to print -- print cash. All they need is an identity, and they can just print their own money.

 

David Moulton: So let's talk about how some of these attacks got in. What was the initial access? You know, was it -- was it phishing? Was it smishing? Did they go out and buy identities? Walk me through that process a little bit.

 

Stav Setty: So initial access here, exactly what you said. It was SMS phishing, smishing and phishing. And we actually found -- on my team, we investigated it and found the PHP email sender that the attacker used. And, in those logs, we saw the emails and the SMS messages that went out from Moroccan IP addresses, which was really cool to see that. And you know that smishing and phishing are pretty common, right? So what kind of makes this kind of unique? There's a few things here that made the initial access really interesting. I think the first one is how highly tailored the pages, the phishing pages were. They used actual branding fonts, layouts from each target. So they really did their homework here. And these fake Microsoft 365 pages look identical to the company's pages, which is crazy. Like, I don't think there's any way for the employees to tell a difference. So not only did they do their homework but they also did something called the URL at sign trick. Have you heard of that before?

 

David Moulton: No. Talk me through that.

 

Stav Setty: So the URL at sign trick is really interesting. You could have a URL, like, company login at sign random domain.com. And, if I'm a user at a company, I'll see the company login on the left side of the at sign. Like, let's say it's Palo Alto Networks. I'll see that, and I'll be like, hey. That's pretty legitimate. But the browser will actually go to what's on the right side. So company login at sign random domain.com, that random domain.com is actually what my browser is going to navigate to, which means that --

 

David Moulton: Oh.

 

Stav Setty: -- the user will be fooled.

 

David Moulton: Yeah.

 

Stav Setty: And the browser will actually go to the malicious domain that the attacker controls. So I think that's a super interesting technique that they used, and it's not that common also.

 

David Moulton: When you're talking about identity theft and identity attacks, in some way they're also attacking the identity of the organization, the fonts, the domains, the way that things look such that they can steal a legitimate identity from that company or from that employee. Like, that feels like it's a next level phishing attack, beyond almost a phishing attack. It's something different. Or am I just kind of behind on where normal phishing, quote, unquote normal phishing is at.

 

Stav Setty: I think normal phishing can definitely be less tailored. So I think that's what makes this so dangerous is how tailored it is to the organization. I think that's, yeah. That's kind of the most interesting aspect here. They really tried to make you believe that they're the actual organization because they really did their homework here. And there were actually a few other things that made them really successful. It's the -- all the reconnaissance that they did. It's the outside notation, and it's also -- they would also use compromised WordPress domains to look -- to look legit. So they would put their phishing pages there, and that made the security tools ignore it; and the users would fall for it. So the phishing here was actually pretty smart. And they would also go through multiple rounds of phishing, and they would refine it over and over again until they got it right. And all they needed was one credential. They just needed one compromised user. And, once they had one compromised user, it's game over.

 

David Moulton: Talk to me about the maybe seasonal or behavioral patterns that made Atlas Lion's social engineering tactics really effective.

 

Stav Setty: Yeah. So what was really interesting here is that they would target their attacks, and that's kind of why we call them Jingle Thief, during the holiday season, right? So, during the holiday rush, you have limited employees. You have a lot of noise and distraction, and that's kind of what helped them be so successful here. Something else that's really interesting is that during the holiday periods of a lot of temporary employees. And these temporary employees are new, right, so they don't have a behavioral baseline, which makes them a lot harder to detect. And so no -- no behavioral baseline, but they have a lot of high permissions. So they're able to issue gift cards. That makes them the perfect targets.

 

David Moulton: So what you're saying is, like, I get hired in to go work at a large retailer. One of my jobs is to work in this issuing, this -- this area that's basically printing digital money. People are paying for gift cards. They want to go exchange those during the holidays. And systems are going, well, we don't really have much of what normal looks like for David, the new employee. And, if I get popped, if I get compromised, then the system's like, oh. Well, he's just issuing these -- these massive gift cards. That seems pretty normal. He's been doing that for a while. And, even then, the best security systems don't have the critical data of a normal baseline to be able to go, Hey. We should flag this. This is -- this is wildly inappropriate that, you know, Moulton's out there putting out $60,000 gift cards left and right.

 

Stav Setty: Exactly.

 

David Moulton: Is that right? Like, that -- oh. Man. Like, you know, I don't often say this but, like, this is a really clever attack. Like, this is a -- this is a way to really, you know, come in and use all the advantage that they have and then targeting it during the holiday season when things are really busy just makes it fly right under the radar.

 

Stav Setty: Yeah.

 

David Moulton: You mentioned earlier in our conversation that you'd observe -- or you and the team had observed Atlas Lion sitting in an environment for quite a while. I think you said 10 months in one case. What is it about this group that lets them sit in an environment for so long and go undetected?

 

Stav Setty: Yeah. So I think that's actually the most fascinating part of this whole campaign, right? That Atlas Lion is in an organization for over 10 months is actually crazy. And the way that they do it is they abuse Microsoft 365 identity features. For example, let's say I am an attacker from Atlas Lion, and I have credentials. Okay. So, after I get the credentials and the initial access, the first thing I'm going to do is enroll my device. And, if I enroll my device, I'll be able to bypass MFA from here on out. And it's really smart because the victim can reset their password, but the attacker still has a trusted device. So that's kind of their first step is how can I get my device there. So, yeah. Device registration is number one. The next thing that they'll do is they will add Exchange inbox forwarding rules. Have you heard of those before?

 

David Moulton: I want to say I ran across that in our research, but I didn't fully understand it. So hopefully the audience will -- will humor me here. Can you walk me through what that is? Because it seems like it's both pretty common, but also kind of a clever attack.

 

Stav Setty: Yeah. Exactly. So Exchange forwarding rules will allow you to forward emails from one mailbox to an external address. So what the attacker would do here is they would add all -- they would basically set up a forwarding rule to forward all emails to their own personal attacker control address, and that allows them to have ongoing visibility of the mailbox. So that's a really great technique that they will use. And it's pretty common. I think that organizations should really monitor all inbox rule creations because it's a pretty smart tactic and a very common tactic.

 

David Moulton: So I think there's this misconception that I'm being disabused of when I talk to, you know, folks like yourself. I talked to Margaret Kelly about cloud attacks not too long ago. And there's this idea that cloud environments are really secure, you know. And, as you're talking about it, it's like, okay. These attackers get inside of Microsoft 365. They're attacking. They're Living Off the Land. Why is it that the legitimate cloud services seem so appealing to attackers today?

 

Stav Setty: Yeah. That's a great question. And I think that attackers really love the cloud because all their valuable data lives there. Like, if you think of your own cloud, you have SharePoint documents. You have all your emails. All your data is there, right? So it makes it the perfect target. And, specifically Atlas Lion, they would use Microsoft 365 as their reconnaissance playground. They would turn SharePoint into their own personal scavenger hunt. So they would look for a lot of internal documents on gift card workflows or VPN documentation, MFA guides, you name it; basically everything they needed to operate like an insider. And so they have a full map now of business processes, and they're able to really blend in now. And it's not just SharePoint. They'll also get -- we saw, like, such a high amount of emails accessed by Atlas Lion in a really short amount of time. So now that they have all this business information, they're eventually able to issue gift cards looking legitimate. They learned all about the gift card workflows, what portals there are; and they can really operate like a legitimate user.

 

David Moulton: So, basically, once they get in, because all the information is there, it acts as an instruction manual, one-stop shop of how to rip off the company because legitimate users actually need all that information to operate. They want to look legitimate, and that further makes it difficult for you to detect them, I imagine. Did they go a step further and give themselves higher access than that original user initially had?

 

Stav Setty: Yeah. They definitely did. And they would do something really clever. And it would really also blend in, kind of like the SharePoint documents. What they would do is they would, hey. So now I have all your emails, I can see how you tend to normally ask for permissions. For example, ServiceNow, I saw that you created a few ticket requests over the past week. Let me do the exact same. So that's -- Atlas Lion, would do the exact same and escalate their permissions via ServiceNow ticket request. And for IT that looks completely legitimate, completely normal because this user has done that in the past. So, yeah. That's a really smart way of doing it. And it's not hacking. It's kind of like abusing the business process.

 

David Moulton: Yeah. It's not quite hacking. It's not quite social engineering. It's somewhere in a gray space between those two things, but it certainly shows that they have a level of discipline to stay undetected. What were some of the other things that they did to evade, you know, detection and hide their activity once they were inside?

 

Stav Setty: Right. So the first thing is, because they're entirely in the cloud, there's already no malware, which means that all of your ADR solutions are completely blind to this, right? So that's number one. The second thing that they would do is they would -- a big element here was internal phishing. We didn't mention it yet, but what they would do is they would send out internal phishing emails for lateral movement; and then they would delete those emails. And the internal phishing was really successful because there's a lot of implicit trust. If your coworker emails you, that's instant credibility; and nobody really suspects anything. So they went from one account to dozens of accounts by that -- from that. It's like a game of cyber tag, going from one victim to the next launch point. And so, to hide their traces of that, they would just clean up the mailboxes. So they would send out -- send out a phishing email and move that email from Sent items to Deleted items. And let's say there was like an alert of phishing. They would also delete that from the inbox completely. So they would really try and hide their traces, and they did a really great job at it.

 

David Moulton: How did the behavior analytics, you mentioned the UBA earlier and ITDR tools help play a role in this because it seems like they're going to a lot of trouble specifically to target folks that don't have a baseline to delete things, to act with a normal ServiceNow ticket request, right? Like, there's a lot about this that just appears to be normal day-to-day activity within an organization. And, yet, there had to be some indicator. There had to be a little bit of noise here and there that you could string together. And I'm really curious what tripped them up that allowed you to get on their scent trail.

 

Stav Setty: Exactly. So it is very legitimate-looking activity, right? So, if I create an inbox rule -- I create inbox rules all the time. That's pretty legitimate. But what the whole idea of behavioral analytics is to build a profile for the user. So let's say I have a profile for the user of the locations that they log in from, and I have a user that constantly logs in from the United States. All of a sudden, they're logging in from Morocco. Based on that baseline, I can flag this activity; and that's kind of what behavioral analytics does. And maybe that alone, the unusual location login is not strong enough on its own. We'll take lots of different small signals like that and put them together. So I can have a first login from Morocco for that user, a first inbox rule creation, a new MFA enrollment, a new device registration. I take all those things together, and they create a clear compromise story. And that's what UEBA and ITDR really shine in.

 

David Moulton: That's pretty cool. It's basically finding enough bits and pieces of evidence that, when put together, that jigsaw of data becomes a really clear this is a problem specifically. And I imagine, like, once -- once you started seeing that, you're able to then say, like, how do we find other things that give us that confidence. Like, earlier you said attribution is hard, but you're pretty confident and then to start to see where that happens elsewhere, I know the attackers exploited legitimate identity mechanisms like device REG and password self-service. What are some of the lessons that security teams need to take away from this attack and this misuse of trust?

 

Stav Setty: That's a great question. I think the first thing is a lot of times security teams will say, hey. MFA, that equals safety. And I think it's really important to recognize that MFA is not safety. It's not safe. And they should really monitor every new password reset, every new device enrollment. All that things -- all that needs to be monitored. And it's not enough just to be like, Hey. That user logged in with MFA. It's safe.

 

David Moulton: So, Stav, Jingle Thief is a really powerful example of identity based compromise. What does that concept mean in practical terms, though?

 

Stav Setty: Yeah. So identity based compromise means that the attacker will target you. They're not going to target a machine or a service. They're going to target you. And, once they have your credentials, like we saw earlier when we talked about their internal phishing, they have all your permissions now and your trust. So they can email your coworker; and your coworkers will immediately trust it, right? So it's not really a system takeover. It's a process takeover. In Jingle Thief we saw that legitimate workflows were used in abnormal ways to turn identity directly into profit. And this is like -- the Jingle Thief case I think is a really good example of why identity is a new perimeter.

 

David Moulton: From a defensive perspective, what practical steps can enterprises take today to reduce their exposure to these identity based attacks like Jingle Thief?

 

Stav Setty: So I think there's a few things you can do. I think number one I would say is what we talked about before, about ITDR and UEBA. Behavioral analytics is so important. Because this is entirely in the cloud, endpoint detection is not going to help you at all. You need to track who's logging in, where they're logging in from, how their behavior changes over time. I think that's number one most important. I think also in the case of Jingle Thief posture really matters as well. I would make sure to look at what permissions users have. Like, can everybody issue gift cards, and limit that. And, lastly, I think that identity compromise happens really fast, so you need to make sure to act fast because you can get -- you can go from one compromised user to 100 compromised users in the matter of a very short time.

 

David Moulton: So, really, it's -- it's thinking about this idea of don't over rely on an MFA. And then, as you're looking at your controls, especially since you're attacking a user, you know, one compromise can very much snowball -- keep it into that holiday theme -- into hundreds of users very, very quickly. That's a -- this is a tricky one to defend against, for sure. But I keep coming back to this idea that you were able to find enough evidence through behavioral analytics, through ITDR and paint that picture such that you don't -- you don't have any idea how you're leaking so much money on the gift card side of things. You've mentioned a couple times that Jingle Thief has been traced back to this Moroccan infrastructure, you know, through IPs, through ASN patterns. How valuable is that kind of intelligence in ongoing threat tracking?

 

Stav Setty: So I think that it's super valuable because it allows you to have a fingerprint to connect the dots across multiple incidents. So I'm consistently seeing Moroccan ASNs throughout multiple organizations. I can look for those ASNs and be able to connect the dots the same campaign as, like, the main value. And I think that what was super interesting in this case is that you saw Atlas Lion connecting consistently from Moroccan ASNs. And it's kind of funny because they didn't even try and hide their location. I mean, there were a few US proxy cases but very few of them. And it shows confidence because they kind of know that geo -- like, geolocation alerts are so often ignored. And I find that -- found that really interesting.

 

David Moulton: So, Stav, looking ahead, do you expect that financially motivated campaigns like this will evolve in new ways or maybe even have copycats that try to use these same attack techniques?

 

Stav Setty: Yeah. Definitely. I think so. I think that they're going to keep adapting, and we expect that any platform where trust can be turned to profit to be used. So, for example, today might be Microsoft 365; but in the future it'll expand to more cloud platforms. And today they're targeting gift cards; but in the future it can be loyalty programs. It can be really any system that has digital currency, anywhere that identity can turn into money.

 

David Moulton: Stav, one last question here. Are there any early warning signs that defenders should watch for as attackers continue to weaponize cloud trust?

 

Stav Setty: Yeah. I think definitely there are a lot of warning signs in the identity behavior. You have to look at device enrollments, MFA factor additions, inbox rules, all of that. I strongly suggest monitoring all of those. Yeah. I think that's the best -- the best thing to prioritize is identity layer.

 

David Moulton: Stav, thanks for this awesome conversation today. I learned so much. And, you know, thanks for the patience from the audience as you had to unpack a few things for me that were a little bit more technical. I really appreciate you coming in and sharing your insights on the Jingle Thief campaign and specifically how identity based cloud fraud is reshaping at least my perspective of cybersecurity strategy. This one seems like it's kind of a weak spot that we need to really focus on or suffer the consequences.

 

Stav Setty: Thank you so much, David. It was great being here.

 

David Moulton: And we'll go ahead and make sure that there's a link to the Jingle Thief campaign and the Threat Research Center in our show notes. That's it for today. If you like what you heard, please subscribe wherever you listen. And leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to contact me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Mike Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Original music and mix by Elliott Peltzman. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.

Copyright © 2026 Palo Alto Networks. All Rights Reserved
