A newly uncovered attack campaign has been targeting global retailers and businesses issuing gift cards, leaving security experts with a stark warning about the evolving nature of cyber threats.

The suspected Morocco-based attackers rely on cloud-only techniques, deploying no malware and never compromising an endpoint, which lets them evade traditional malware detection and endpoint-focused controls. Instead, they use phishing and smishing to harvest account credentials, then abuse trusted cloud services to bypass security measures.

"Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards," noted Palo Alto Networks researchers, who dubbed this campaign 'Jingle Thief' due to its focus on conducting gift card fraud during festive seasons.

The attack chain begins with phishing. Employees at targeted companies receive spear-phishing emails or SMS messages that lead them to fake login portals mimicking legitimate services like Microsoft 365.

"After harvesting credentials in the campaign we observed, the attackers authenticated to Microsoft 365 directly and began navigating the environment, with no malware required," the researchers shared.

The attackers then search for internal documents about gift-card issuance workflows, ticketing systems, and internal processes. They also try to gain access to other employees' accounts, using the initially compromised account to send out phishing emails that are more likely to be trusted and go undetected by security solutions.

To hide their actions from both users and defenders, they move the sent phishing emails immediately from Sent Items to Deleted Items, and move replies from users from Inbox to Deleted Items. They also set up inbox rules that forward emails to email accounts they control, allowing them to monitor for changes in gift card approvals, financial workflows, and IT ticketing.

Finally, to ensure persistence beyond password resets and session revocations, they use self-service flows to reset passwords (when needed) and silently register additional devices in Entra ID and rogue authenticator apps, so they can satisfy multi-factor authentication challenges themselves.
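The mailbox manipulation (external forwarding rules, purging of Sent Items) and the post-login registration of new authenticator methods or devices described in the two preceding paragraphs all leave traces in tenant audit logs. The following detection sketch is an added example, not code from Palo Alto Networks or Unit 42, and runs over constructed audit records that only approximate the shape of Microsoft 365 audit entries; the field names (`op`, `params`, `ip`), the operation strings, and the `INTERNAL_DOMAINS` and `KNOWN_IPS` baselines are assumptions for the example, not a verified schema.

```python
"""Added example: flag inbox-rule abuse, Sent Items purges and suspicious
MFA/device registrations in constructed Microsoft 365-style audit records.
Field names and operation strings are assumptions, not a verified schema."""
from datetime import datetime, timedelta

# Assumption: the tenant's own mail domains; forwarding anywhere else is external.
INTERNAL_DOMAINS = {"example.com"}
# Constructed per-user baseline of IPs previously seen for successful logins.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.10"},
    "bob@example.com": {"198.51.100.20"},
}
# New-InboxRule / Set-InboxRule parameters that send mail elsewhere.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
REGISTRATION_OPS = ("User registered security info", "Add registered device")

# Constructed sample events (not real logs): alice shows the Jingle Thief
# pattern, bob is ordinary activity that should not be flagged.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T08:02:11Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"time": "2025-11-03T08:05:40Z", "user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "drop@attacker-mail.example", "DeleteMessage": "True"}},
    {"time": "2025-11-03T08:09:02Z", "user": "alice@example.com", "op": "MoveToDeletedItems",
     "params": {"Folder": "Sent Items", "Count": "4"}},
    {"time": "2025-11-03T08:20:15Z", "user": "alice@example.com", "op": "User registered security info",
     "params": {"Method": "Microsoft Authenticator"}},
    {"time": "2025-11-03T08:55:00Z", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "198.51.100.20"},
    {"time": "2025-11-03T09:00:00Z", "user": "bob@example.com", "op": "New-InboxRule",
     "params": {"Name": "Invoices", "MoveToFolder": "Finance"}},
    {"time": "2025-11-03T09:10:00Z", "user": "bob@example.com", "op": "User registered security info",
     "params": {"Method": "Microsoft Authenticator"}},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def suspicious_inbox_rules(events):
    """Rules that forward/redirect outside the tenant or silently delete mail."""
    findings = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e.get("params", {})
        reasons = []
        external = [p[k] for k in FORWARD_KEYS if k in p and _domain(p[k]) not in INTERNAL_DOMAINS]
        if external:
            reasons.append(f"forwards to external address {external[0]}")
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes matching messages")
        if reasons:
            findings.append((e["user"], "inbox rule " + " and ".join(reasons)))
    return findings


def sent_items_purges(events):
    """Bulk moves from Sent Items to Deleted Items hide attacker-sent phishing."""
    return [
        (e["user"], f"{e['params'].get('Count', '?')} item(s) moved from Sent Items to Deleted Items")
        for e in events
        if e["op"] == "MoveToDeletedItems" and e.get("params", {}).get("Folder") == "Sent Items"
    ]


def registrations_after_unfamiliar_login(events, window=timedelta(hours=1)):
    """MFA method or device registered shortly after a login from an IP not in the baseline."""
    unfamiliar = [e for e in events
                  if e["op"] == "UserLoggedIn" and e.get("ip") not in KNOWN_IPS.get(e["user"], set())]
    findings = []
    for e in events:
        if e["op"] not in REGISTRATION_OPS:
            continue
        for login in unfamiliar:
            delta = _ts(e) - _ts(login)
            if login["user"] == e["user"] and timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                findings.append((e["user"], f"security info/device registered {minutes} min "
                                            f"after login from unfamiliar IP {login['ip']}"))
                break
    return findings


def triage(events):
    """Combine all three detections into one sorted list of (user, reason)."""
    return sorted(suspicious_inbox_rules(events)
                  + sent_items_purges(events)
                  + registrations_after_unfamiliar_login(events))


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

Each detector on its own produces noise in a real tenant (users do forward mail and do enrol new phones); the value is in correlating them per account within a short window, which is why `triage` keys every finding by user. In production the `KNOWN_IPS` baseline would come from historical sign-in logs rather than a hard-coded dictionary.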

"The ultimate goal of these varied tactics – phishing, inbox control, mail exfiltration and rogue device registration – is to obtain and monetize gift cards at scale," the researchers believe. "In the campaign we observed, the attackers made repeated access attempts against multiple gift-card issuance applications. They tried to issue high-value cards across different programs in order to monetize them, and possibly use the cards as collateral in money-laundering schemes – effectively turning digital theft into untraceable cash or short-term loans."

Unit 42 attributes the activity, with moderate confidence, to financially motivated actors based in Morocco. They believe that their activity partly overlaps with threat actors publicly tracked as Atlas Lion.

Palo Alto Networks has released indicators of compromise related to this campaign, and the researchers have advised companies in the retail and consumer-services sector to prioritize identity-based monitoring.

"Understanding user behavior, login patterns and identity misuse is increasingly essential for early detection and response," they concluded.
