Moroccan cybercriminals operating under various aliases—including “Jingle Thief,” “Atlas Lion,” and “Storm-0539”—have intensified their attacks against global retailers by deploying cloud-native attack chains designed to exploit cloud identity systems and gift card infrastructure. These campaigns leverage deceptive phishing tactics and abuse legitimate Microsoft 365 workflows, allowing threat actors to remain undetected for prolonged periods. According to multiple threat intelligence sources, the result has been millions of dollars in losses for compromised organizations.
Sophisticated Phishing Kicks Off Cloud-Native Attacks
The threat actors at the heart of the Jingle Thief campaign are based in Morocco and exhibit a high degree of operational maturity, rivaling techniques typically employed by nation-state advanced persistent threats (APTs). Rather than deploying malware, these cybercriminals engage in sophisticated social engineering.
Phishing and Smishing Launch Initial Access Vectors
The entry point for many intrusions is a spear-phishing email or SMS-based phishing (smishing) message. Victims are lured to meticulously crafted phishing pages mimicking Microsoft 365 login portals. These fraudulent portals are often hosted on compromised WordPress servers or other seemingly benign infrastructure, with cleverly formatted URLs that obscure their malicious nature.
Once credentials—including multifactor authentication (MFA) tokens—are stolen, the attackers authenticate as legitimate users, setting the stage for persistent cloud-based exploitation.
Living Off the Cloud: Exploiting Microsoft 365 and Entra ID
What distinguishes the Moroccan hackers’ campaigns is their exclusive reliance on cloud-native techniques. Rather than installing malware or triggering endpoint defenses, the attackers use sanctioned cloud features and identity services to achieve their objectives.
Cloud Reconnaissance and Privilege Abuse
With valid credentials in hand, threat actors immediately move to perform reconnaissance across Microsoft 365 environments, specifically targeting:
- OneDrive, SharePoint, and internal file shares
- Gift card issuance portals and workflows
- Ticketing systems and financial approval processes
- User lists for lateral phishing
To further their access and credibility, attackers manipulate inbox rules to divert relevant emails, delete phishing messages, and monitor communications around gift card issuance. These changes enable stealthy surveillance of key business processes.
Persistent Access Through Entra ID Abuse
To extend their foothold, attackers exploit Microsoft Entra ID self-service flows. By registering rogue authentication applications and enrolling malicious devices, they bypass MFA and regain access even after password resets or revoked sessions.
In certain cases, they use these credentials to enroll their own virtual machines (VMs) into the victim’s cloud environment. This tactic, observed by researchers at The Record, embeds attacker-controlled infrastructure directly into the organization’s domain, making detection significantly harder.
The End Game: Fraudulent Gift Card Issuance at Scale
The ultimate goal of these operations is unauthorized access to gift card issuance platforms. Once inside, threat actors are able to:
- Issue high-value gift cards to themselves
- Monitor email workflows to avoid detection
- Sell cards on gray markets or use them to launder funds
Notably, the Unit 42 report highlights that IP logs frequently tie back to Moroccan telecommunications providers, including MAROCCONNECT, MT-MPLS, and ASMedi. Researchers confirmed recurring device fingerprints and consistent login patterns, with attackers often avoiding anonymization services like VPNs—though Mysterium VPN occasionally appeared in access logs.
Losses from compromised enterprises can be substantial. As reported by Tech Times, some companies have lost up to $100,000 per day to these deception-based gift card thefts, underscoring the financial impact of successful intrusions.
Technical Attribution and Threat Actor Profiles
The cybercriminal group behind these campaigns is collectively tracked under multiple identifiers:
- CL-CRI-1032
- Atlas Lion
- Storm-0539 (Microsoft naming)
- Jingle Thief (campaign-specific label)
Activity attributed to these entities dates back to at least late 2021. The Rescana and Cybernews reports emphasize the actors’ distinct use of reused domain patterns, credential phishing infrastructure, and their patience—maintaining a presence inside victim networks for months at a time.
Researchers suggest that these hackers intentionally avoid malware in favor of cloud-trusted paths, reducing forensic evidence and complicating response. In one case, over 60 user accounts were compromised across a global enterprise over a 10-month period.
Cybersecurity Recommendations for Defenders
The Jingle Thief campaign, in addition to its technical sophistication, exploits weaknesses in identity and access management (IAM)—an area where many organizations remain vulnerable.
To defend against these Moroccan cybercriminals and similar campaigns, experts recommend:
- Implementing Conditional Access Policies: Restrict logins by geography or unmanaged devices.
- Strengthening Identity Governance: Monitor for anomalous device registrations and application grants in Entra ID.
- Enhancing Email and URL Filtering: Block known phishing infrastructure and suspicious domain formats.
- Deploying Cloud Security Posture Management (CSPM) Tools: Continuously monitor for privilege misuse and lateral phishing attempts.
- Conducting Frequent Employee Awareness Training: Especially for those in financial approval workflows or gift card systems.
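As an added illustration of the monitoring the recommendations above call for (and of the inbox-rule and device-enrollment tradecraft described earlier), the following detection sketch runs over constructed Microsoft 365 audit events. It is not code from the article or from any vendor report; the event shape is a simplified stand-in for Unified Audit Log records, and the keyword list, per-user country baseline and one-hour window are assumptions to tune for a real tenant.

```python
from datetime import datetime, timedelta

# Topics the article says attackers hide from mailbox owners (gift card issuance
# mail, phishing warnings). Assumed list; extend for your environment.
WATCH_WORDS = ("gift card", "giftcard", "voucher", "approval", "phish")
HIDE_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
# Entra ID operations that grant persistence (device/app registration). Assumed names.
PERSISTENCE_OPS = ("Add registered owner to device", "Consent to application",
                   "Add service principal")
WINDOW = timedelta(hours=1)  # assumed: persistence this soon after a sign-in is suspicious

# Constructed sample events in a simplified shape (not the real UAL schema).
EVENTS = [
    {"time": "2024-01-10T08:02:00", "op": "UserLoggedIn",
     "user": "finance@corp.example", "country": "MA"},
    {"time": "2024-01-10T08:05:00", "op": "New-InboxRule", "user": "finance@corp.example",
     "params": {"SubjectContainsWords": ["gift card"], "DeleteMessage": True}},
    {"time": "2024-01-10T08:20:00", "op": "Add registered owner to device",
     "user": "finance@corp.example", "country": "MA"},
    {"time": "2024-01-11T09:00:00", "op": "UserLoggedIn",
     "user": "hr@corp.example", "country": "US"},
    {"time": "2024-01-11T09:30:00", "op": "New-InboxRule", "user": "hr@corp.example",
     "params": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Archive"}},
]
# Constructed per-user baseline of countries sign-ins normally come from.
BASELINE = {"finance@corp.example": {"US"}, "hr@corp.example": {"US"}}

def _ts(e):
    return datetime.fromisoformat(e["time"])

def suspicious_inbox_rule(event):
    """True for a New-/Set-InboxRule that deletes or hides mail on watched topics."""
    if event["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = event.get("params", {})
    words = " ".join(p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])).lower()
    hides = any(p.get(a) for a in HIDE_ACTIONS)
    return hides and any(w in words for w in WATCH_WORDS)

def find_alerts(events, baseline):
    """Return (user, reason) pairs: gift-card mail being hidden, or a persistence
    action within WINDOW of a sign-in from a country outside the user's baseline."""
    alerts, events = [], sorted(events, key=_ts)
    for i, e in enumerate(events):
        if suspicious_inbox_rule(e):
            alerts.append((e["user"], "inbox rule hides gift-card mail"))
        if e["op"] == "UserLoggedIn" and e.get("country") not in baseline.get(e["user"], set()):
            for f in events[i + 1:]:
                if f["user"] == e["user"] and f["op"] in PERSISTENCE_OPS and _ts(f) - _ts(e) <= WINDOW:
                    alerts.append((e["user"], f"{f['op']} after sign-in from {e['country']}"))
    return alerts
```

In the constructed data only the finance account trips both rules: its rule deletes "gift card" mail, and a device is registered 18 minutes after a sign-in from an unexpected country, while the HR account's archive rule for newsletters is left alone.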
With financial motivation driving advanced cyber deception, businesses—particularly in retail and consumer services—must treat credential security and cloud monitoring as frontline concerns. As the Moroccan gift card theft campaigns show, attackers can inflict lasting damage using nothing more than stolen email credentials and persistent access to under-guarded cloud services.