Jingle Thief: Unpacking Cloud Fraud and Identity-Driven Attacks
N2K NetworksNovember 20, 202533 min177 views
35 connections·40 entities in this video→The Jingle Thief Campaign
- 💡 The "Jingle Thief" campaign is a cloud-only, identity-driven operation by the Morocco-based group Atlas Lion.
- 🎯 This campaign exploits Microsoft 365 environments to commit large-scale gift card fraud against global retailers.
- 💰 Attackers monetize compromised accounts by issuing and selling gift cards, which are described as digital cash with no traceability.
Attack Methods and Persistence
- 🎣 Initial access is gained through highly tailored phishing and smishing pages, often using the "URL at sign trick" to deceive users.
- ⏳ Attackers demonstrate extreme patience, remaining active within an organization for over 10 months.
- ⚙️ They abuse legitimate Microsoft 365 identity features like device registration (to bypass MFA) and exchange inbox forwarding rules for ongoing visibility.
- 🕵️ The campaign leverages
Knowledge graph40 entities · 35 connections
How they connect
An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.
Hover · drag to explore
40 entities
Chapters14 moments
Key Moments
Transcript120 segments
Full Transcript
Topics15 themes
What’s Discussed
Jingle ThiefAtlas LionCloud FraudIdentity-Based AttacksMicrosoft 365Gift Card FraudPhishingSmishingURL at sign trickMFA BypassInbox Forwarding RulesBehavioral AnalyticsUEBAITDRLiving off the Land
Smart Objects40 · 35 links
Events· 4
People· 5
Companies· 7
Products· 5
Concepts· 15
Locations· 3
Media· 1