Palo Alto Networks (Unit 42) has documented a newly tracked criminal cluster dubbed Jingle Thief that systematically compromises cloud identities at retailers and consumer services companies to mass‑issue unauthorized gift cards and resell them on gray‑market platforms. The operation lives in the Microsoft 365 and Entra ID control plane rather than on endpoints: the actors abuse legitimate mailbox, authentication and device‑registration features instead of deploying malware, so endpoint‑focused EDR tooling has little to observe.
How Jingle Thief breaches retailers: phishing, Microsoft 365 reconnaissance, Entra ID persistence
Intrusions typically begin with targeted phishing and smishing aimed at harvesting employee credentials. With initial access to Microsoft 365, the actors conduct reconnaissance across SharePoint and OneDrive to locate internal procedures for gift card issuance and reconciliation, business and financial workflows, VPN configurations, and access runbooks.
To expand and maintain footholds, Jingle Thief sends internal lure emails from compromised mailboxes, creates auto‑forwarding inbox rules, and covers its tracks by moving sent or forwarded messages into Deleted Items. Notably, the cluster abuses Entra ID in two ways: it registers attacker‑controlled authenticator apps as additional MFA methods on compromised accounts, so it can satisfy MFA prompts itself, and it registers or joins attacker‑controlled devices to the directory so that access survives password resets and session token revocations.
Gift cards as low‑friction monetization with minimal detection
Gift cards remain attractive because they are easy to liquidate, require little personal data to redeem, and produce only weak signals in fraud systems. This perceived “low toxicity” means unauthorized issuance can blend into legitimate seasonal activity, complicating response and forensics. Similar dynamics have been noted in Microsoft’s reporting on Storm‑0539 and related actors targeting retail gift card programs.
Scale, timing, and attribution: seasonal spikes linked to known clusters
Palo Alto Networks tracks the cluster as CL‑CRI‑1032 and, with moderate confidence, associates it with Atlas Lion, the Microsoft name for the Storm‑0539 group Microsoft has previously warned about. Activity intensifies around major shopping periods and holidays, when gift card volumes peak. In coordinated attacks observed in April–May 2025, one victim experienced nearly 10 months of undetected access, with up to 60 user accounts compromised. Dwell time frequently spans months and can exceed a year, giving the actors time for extensive reconnaissance and staging before unauthorized card issuance.
MITRE ATT&CK techniques: identity abuse over malware
The operation’s tradecraft maps to MITRE ATT&CK as identity abuse rather than malware: T1566 Phishing for initial credential theft; T1078.004 Valid Accounts: Cloud Accounts; T1213.002 Data from Information Repositories: SharePoint for reconnaissance; T1534 Internal Spearphishing for lures sent from compromised mailboxes; T1114.003 Email Collection: Email Forwarding Rule and T1564.008 Hide Artifacts: Email Hiding Rules for the forwarding and Deleted Items tradecraft; T1556.006 Modify Authentication Process: Multi‑Factor Authentication and T1098.005 Account Manipulation: Device Registration for the authenticator and device persistence; and T1021.007 Remote Services: Cloud Services for movement across Microsoft 365/Entra ID. The principal risk surface is cloud identity and SaaS control planes, not endpoints, which demands cloud‑centric monitoring and response.
Defenses for retail and consumer services: practical steps that work
Harden authentication and device registration
Adopt phishing‑resistant MFA such as FIDO2 security keys, Windows Hello for Business or certificate‑based authentication, and enforce it through a Conditional Access authentication strength rather than a generic “require MFA” grant, which any registered method (including an attacker‑added authenticator) satisfies. Avoid SMS and voice as primary factors; NIST SP 800‑63B classes them as restricted authenticators and CISA recommends against them. Authenticator registration cannot be switched off outright, because users must enroll, but it can be constrained: gate the “Register security information” user action behind trusted locations or compliant devices, onboard new users with a Temporary Access Pass, and limit who may join or register devices in Entra device settings. Require re‑authentication for high‑risk sign‑ins.
Tighten access and email controls
Enable Conditional Access with sign‑in risk evaluation, block legacy authentication (Basic auth for IMAP, POP and SMTP AUTH, and Exchange ActiveSync clients, none of which can satisfy MFA), and disable external auto‑forwarding tenant‑wide in Exchange Online. Ingest mailbox rule change events (New‑InboxRule, Set‑InboxRule, and Set‑Mailbox with forwarding addresses) into the SIEM and alert on rules that forward externally, delete or hide matching mail, or carry blank or dot‑only names, on sudden spikes in forwarding, and on rule creation across several mailboxes from a single IP or ASN in a short window.
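Both the authentication controls and the access controls above can be expressed as Conditional Access policies. The following Python is an added example for this article, not code from Palo Alto Networks or Microsoft: it builds the policy bodies in the Microsoft Graph conditionalAccessPolicy schema, places the weak "any MFA" grant beside the phishing‑resistant authentication‑strength grant, and lints an exported policy set for the three gaps discussed above. The gift card operators group and break‑glass account IDs are placeholders; the phishing‑resistant strength ID is Entra's built‑in one, and every field name should be checked against current Graph documentation before a policy is pushed.

```python
"""Conditional Access as Microsoft Graph policy bodies, plus a lint over an export.
Added example for this article, not Palo Alto Networks' or Microsoft's code. Bodies use
the Graph conditionalAccessPolicy schema (POST to GRAPH_CA with a token holding
Policy.ReadWrite.ConditionalAccess); the group and break-glass IDs are placeholders."""
import json
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in strength id
GIFT_CARD_OPS_GROUP = "00000000-0000-0000-0000-0000000000aa"  # assumed group id
BREAK_GLASS_ACCOUNT = "00000000-0000-0000-0000-0000000000bb"  # assumed user id
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # clientAppTypes for legacy auth
OPS_SCOPE = {"users": {"includeGroups": [GIFT_CARD_OPS_GROUP]},
             "applications": {"includeApplications": ["All"]},
             "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]}
EVERYONE = {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ACCOUNT]}

# Weak setting: "mfa" is satisfied by any registered method, including an SMS code
# phished in real time or an Authenticator app the attacker registered.
WEAK_ANY_MFA = {"displayName": "Gift card ops: require MFA", "state": "enabled",
                "conditions": OPS_SCOPE,
                "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

# Corrected: an authentication strength limits the grant to FIDO2, Windows Hello
# for Business and certificate-based authentication.
PHISHING_RESISTANT_MFA = {
    "displayName": "Gift card ops: require phishing-resistant MFA", "state": "enabled",
    "conditions": OPS_SCOPE,
    "grantControls": {"operator": "AND",
                      "authenticationStrength": {"id": PHISHING_RESISTANT}}}

BLOCK_LEGACY_AUTH = {
    "displayName": "Block legacy authentication", "state": "enabled",
    "conditions": {"users": EVERYONE, "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": sorted(LEGACY_CLIENTS)},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

# Adding an authenticator is the "register security info" user action; blocking it
# outside trusted locations closes the self-service path described above.
LOCK_SECURITY_INFO = {
    "displayName": "Block security info registration outside trusted locations",
    "state": "enabled",
    "conditions": {"users": EVERYONE,
                   "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                   "locations": {"includeLocations": ["All"],
                                 "excludeLocations": ["AllTrusted"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


def enabled(policy):
    return policy.get("state") == "enabled"

def built_in(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def requires_phishing_resistant(policy):
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT

def blocks_legacy_auth(policy):
    clients = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return enabled(policy) and "block" in built_in(policy) and LEGACY_CLIENTS <= clients

def locks_security_info(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return (enabled(policy) and "block" in built_in(policy)
            and "urn:user:registersecurityinfo" in apps.get("includeUserActions", []))

def lint(policies):
    """Return the gaps in an exported policy set relative to the controls above."""
    gaps = []
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("legacy authentication is not blocked")
    if not any(enabled(p) and requires_phishing_resistant(p) and GIFT_CARD_OPS_GROUP
               in p.get("conditions", {}).get("users", {}).get("includeGroups", [])
               for p in policies):
        gaps.append("gift card operators are not held to phishing-resistant MFA")
    if not any(locks_security_info(p) for p in policies):
        gaps.append("authenticator registration is allowed from any location")
    return gaps

def push_policy(policy, access_token):
    """POST one policy; use state=enabledForReportingButNotEnforced for a dry run."""
    req = urllib.request.Request(
        GRAPH_CA, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(lint([WEAK_ANY_MFA]))                                          # three gaps
    print(lint([PHISHING_RESISTANT_MFA, BLOCK_LEGACY_AUTH, LOCK_SECURITY_INFO]))  # []
```

Run `lint` against a Graph export of your tenant's policies before and after the change; a policy set that still relies on the plain "mfa" grant for the operators group reports all three gaps. The external auto‑forwarding control is not a Conditional Access setting: in Exchange Online PowerShell it is `Set-RemoteDomain Default -AutoForwardEnabled $false`, or the equivalent outbound spam filter policy setting.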
Apply least privilege to gift card systems
Use Just‑in‑Time access (for example Entra Privileged Identity Management) and Just‑Enough Administration for operational teams, so standing rights to issue or reconcile cards do not exist. Review service account privileges regularly, segregate duties between issuance and reconciliation so that no single compromised account can both create and clear a card, and segment network and identity access to gift card management and accounting platforms.
Monitor Microsoft 365 and Entra ID for identity‑centric signals
Continuously monitor new device registrations and Entra joins, additions or changes of MFA methods, token anomalies flagged by Identity Protection, sign‑ins from unfamiliar geographies and ASNs, and search or bulk‑download activity in SharePoint/OneDrive on documents matching keywords such as gift card, voucher, redemption and PIN. Correlate sign‑in anomalies with inbox rule changes, authenticator and device registrations, and OAuth consent events from the same source IP or session. Microsoft 365 unified audit logs, Entra ID sign‑in and audit logs, and Defender for Cloud Apps policies are the key data sources.
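The alerting described here and under the email controls above comes down to a few rules over audit records. The following Python is an added example for this article, not code from Palo Alto Networks or Microsoft: it scores inbox‑rule operations for external forwarding, mail hiding and blank names, flags rule creation across several mailboxes from one IP within a window, and correlates rule changes with authenticator or device registration from the same IP. The records are constructed; their keys follow the shape of Unified Audit Log output (Operation, UserId, ClientIP, CreationTime, Parameters), and the Entra‑sourced events are flattened to those same keys for brevity, which is a simplification to check against a real export. The internal domain list is a placeholder.

```python
"""Identity-centric detections over Microsoft 365 audit records.
Added example for this article, not code from Palo Alto Networks or Microsoft. The
records are constructed; their keys follow the Unified Audit Log shape (Operation,
UserId, ClientIP, CreationTime, Parameters) and Entra-sourced events are flattened
to the same keys for brevity, a simplification to check against a real export."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.com"}          # assumed tenant domains
MASS_RULE_USERS = 3                          # distinct mailboxes from one IP
WINDOW = timedelta(hours=24)
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
IDENTITY_OPS = {"User registered security info", "Add device.",
                "Add registered owner to device."}
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}

SAMPLE_RECORDS = [  # constructed for this example
    {"CreationTime": "2025-04-14T06:02:11", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "recon@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-14T06:05:40", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Vendor"},
                    {"Name": "SubjectContainsWords", "Value": "gift card;voucher;PIN"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}]},
    {"CreationTime": "2025-04-14T06:09:02", "Operation": "Set-InboxRule",
     "UserId": "carol@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardAsAttachmentTo", "Value": "x@example.net"}]},
    {"CreationTime": "2025-04-14T06:20:55", "Operation": "User registered security info",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.7", "Parameters": []},
    {"CreationTime": "2025-04-14T07:01:13", "Operation": "Add device.",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.7", "Parameters": []},
    {"CreationTime": "2025-04-14T09:30:00", "Operation": "New-InboxRule",
     "UserId": "dave@contoso.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
]


def params(rec):
    """Flatten the Parameters array of an Exchange admin audit record."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def rule_findings(rec):
    """Reasons an inbox-rule operation matches the tradecraft described above."""
    p, reasons = params(rec), []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = p.get(key, "")
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"{key} to external address {target}")
    if p.get("DeleteMessage") == "True" or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("hides matching mail")
    if not p.get("Name", "x").strip(" ."):
        reasons.append("empty or dot-only rule name")
    return reasons

def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def detect(records):
    """Per-record rule findings plus per-source-IP correlation within WINDOW."""
    alerts, seen, by_ip = [], set(), defaultdict(list)
    for rec in sorted(records, key=_ts):
        if rec["Operation"] in RULE_OPS and (reasons := rule_findings(rec)):
            alerts.append({"type": "suspicious_inbox_rule", "user": rec["UserId"],
                           "ip": rec["ClientIP"], "reasons": reasons})
        if rec["Operation"] in RULE_OPS | IDENTITY_OPS:
            by_ip[rec["ClientIP"]].append(rec)
    for ip, recs in by_ip.items():
        for start in recs:  # sliding window anchored on each event from this IP
            window = [r for r in recs if timedelta(0) <= _ts(r) - _ts(start) <= WINDOW]
            rule_users = {r["UserId"] for r in window if r["Operation"] in RULE_OPS}
            ident_users = {r["UserId"] for r in window if r["Operation"] in IDENTITY_OPS}
            if len(rule_users) >= MASS_RULE_USERS and ("mass", ip) not in seen:
                seen.add(("mass", ip))
                alerts.append({"type": "mass_rule_creation_from_ip", "ip": ip,
                               "users": sorted(rule_users)})
            if rule_users and ident_users and ("corr", ip) not in seen:
                seen.add(("corr", ip))
                alerts.append({"type": "rule_change_with_mfa_or_device_registration",
                               "ip": ip, "users": sorted(rule_users | ident_users)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

On the constructed records the three rules from 203.0.113.7 each trip a per‑rule finding, the same IP trips the mass‑creation rule, and alice's authenticator and device registration from that IP trip the correlation alert, while dave's ordinary Invoices rule from another IP is silent. In production, feed `detect` the output of a Unified Audit Log or Office 365 Management API pull, add an IP‑to‑ASN lookup so the grouping can run on ASN as well as address, and treat the correlation alert as the high‑priority one: a new authenticator or device added from the same source that just created hiding rules is the persistence step this actor relies on.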
Jingle Thief underscores a broader shift toward identity‑driven cybercrime in retail: attackers weaponize cloud permissions to quietly monetize gift cards at scale. Organizations that pair phishing‑resistant MFA, rigorous Conditional Access, least‑privilege controls for gift card workflows, and proactive Microsoft 365/Entra ID monitoring can materially shrink the attack window and prevent unauthorized issuance. Palo Alto Networks’ findings, together with prior Microsoft reporting on Storm‑0539, point to the same conclusion—defending the identity plane is indispensable to protecting modern retail operations.