CyberWire Daily

Inside Jingle Thief Cloud Fraud Unwrapped [Threat Vector]


N2K Networks, Inc.

Daily News, Tech News, News, Technology

4.61K Ratings

🗓️ 21 November 2025

⏱️ 34 minutes


Summary

In this special episode of Threat Vector, host David Moulton, Senior Director of Thought Leadership for Unit 42, sits down with Stav Setty, Principal Researcher at Palo Alto Networks, to unpack Jingle Thief, a cloud-only, identity-driven campaign that turned Microsoft 365 into a gift card printing press. Stav explains how the Morocco-based group known as Atlas Lion lived off the land inside M365 for months at a time, using tailored phishing and smishing pages, URL tricks, and internal phishing to compromise one user and quietly pivot to dozens more. Together, David and Stav walk through how the attackers abused legitimate identity features like device registration, MFA resets, inbox forwarding rules, and ServiceNow-style access requests to blend into normal business workflows and monetize “digital cash” in the form of gift cards. They dig into why MFA alone is not safety, why identity is now the real perimeter, and how behavioral analytics, UEBA, and ITDR can piece together small signals into a clear story of compromise. You’ll come away with practical steps to harden identity posture, spot early warning signs in cloud environments, and protect high-value systems where trust can be turned directly into profit.
To go deeper on this campaign and the Atlas Lion threat actor, read the Unit 42 article Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign at https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/

Join the conversation on our social media channels:
Website: https://www.paloaltonetworks.com/
Threat Research: https://unit42.paloaltonetworks.com/
Facebook: https://www.facebook.com/LifeatPaloAltoNetworks/
LinkedIn: https://www.linkedin.com/company/unit42/
YouTube: @paloaltonetworks
Twitter: https://twitter.com/PaloAltoNtwks

About Threat Vector
Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends. The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers. Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks
Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. http://paloaltonetworks.com

Transcript


0:00.0

You're listening to the CyberWire Network, powered by N2K.

0:09.8

Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends.

0:20.9

I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.

0:25.5

Identity compromise means that the attackers are targeting you.

0:31.3

They're not targeting a machine or a service.

0:34.6

They're targeting you.

0:35.9

They're looking to compromise accounts. And in this case of Atlas

0:39.8

Lion, every new identity that they compromise, they turn that into money. Identity attacks are

0:48.0

not a future problem. They're a today problem. They're happening now. And we saw in Jingle Thief

0:53.7

that one compromised account

0:55.5

quickly turned into dozens of compromised accounts in a matter of months if you're not monitoring

1:01.7

behavior. So it really shows the importance of monitoring your identity behavior. And

1:08.3

the highlight of this attack is that it's entirely in the cloud.

1:12.6

Attackers don't need exploits. They don't need malware.

1:15.6

They just need to compromise identities.

1:17.6

Today, I'm speaking with Stav Setty, principal researcher at Palo Alto Networks.

1:39.7

Stav and the Unit 42 research team recently uncovered a financially motivated operation,

1:45.5

they're calling Jingle Thief, a cloud-based campaign that exploited Microsoft 360 environments

1:51.0

to commit large-scale gift card fraud targeting global retailers and consumer service enterprises.

1:57.0

Today we're going to talk about how attackers leverage identity misuse, what this means

2:02.1

for defenders in a cloud-first world, and why campaigns like Jingle Thief are reshaping how we think

2:07.5

about trust and persistence in cybersecurity.

...


Disclaimer: The podcast and artwork embedded on this page are from N2K Networks, Inc., and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of N2K Networks, Inc. and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
