The Gift Card Grinch Uncovered in the Jingle Thief Campaign

Amber | Attack Report

Summary

The Jingle Thief campaign, orchestrated by the Morocco-based threat actor CL-CRI-1032, has been exploiting Microsoft 365 cloud environments to conduct large-scale gift card fraud since 2021. The group, overlapping with Atlas Lion and STORM-0539, primarily targets retail and consumer service organizations worldwide, leveraging phishing and smishing attacks to steal credentials and perform fraudulent transactions.

Operating under a financial motivation, CL-CRI-1032 focuses on compromising cloud-based infrastructures, maintaining persistent access within victim environments—often for over a year—without detection. The attackers specialize in brand impersonation, credential harvesting, and multi-factor authentication (MFA) bypass, allowing them to move laterally and execute large-scale gift card theft and resale operations.


Attack Details

Campaign Overview

  • Threat Actor: CL-CRI-1032 (linked to Atlas Lion / STORM-0539)
  • Active Since: 2021
  • Targeted Regions: Global
  • Primary Sectors: Retail and Consumer Services
  • Objective: Financial gain through gift card fraud, credential theft, and cloud compromise

Attack Chain

  1. Initial Access – Phishing and Smishing:
    CL-CRI-1032 delivers phishing emails and SMS lures crafted using legitimate branding elements and cloned login portals. These messages redirect victims to fake Microsoft 365 authentication pages designed to capture login credentials.
  2. Cloud Exploitation:
    Once inside the organization’s Microsoft 365 ecosystem, the attackers perform extensive reconnaissance, gathering details about internal branding, domain structures, and email workflows. This intelligence helps craft realistic phishing templates that bypass traditional security filters.
  3. Persistence and Evasion:
    • Mailbox Manipulation: The attackers delete sent messages and move user responses to “Deleted Items” to hide activity.
    • Authenticator Abuse: They register rogue authenticator apps and enroll their own devices in Entra ID (Azure AD) to maintain persistence—even after password resets or session token revocations.
    • MFA Bypass: By manipulating app registrations and device tokens, they effectively neutralize MFA protection.
  4. Monetization – Gift Card Fraud:
    The attackers use compromised credentials to access gift card issuance systems, generating or redeeming cards which are later sold on underground marketplaces. Gift cards remain an ideal target due to ease of resale, anonymity, and minimal traceability.
  5. Long-Term Access:
    CL-CRI-1032 has demonstrated sustained infiltration, remaining embedded in compromised environments for extended periods—frequently exceeding 12 months—before detection.

Recommendations

1. Monitor for Anomalous Cloud Activity

Continuously audit Microsoft 365 and other cloud environments for:

  • Unusual logins (geographic anomalies or impossible travel patterns).
  • Unauthorized device enrollments in Entra ID (Azure AD).
  • Privilege escalation or the creation of new admin accounts.

Use behavioral analytics and threat-hunting tools to detect deviations from baseline user behavior.
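The two signals above that matter most for this campaign are a sign-in from an unfamiliar country followed shortly by a new authenticator or device registration. The following Python is an added detection sketch, not HivePro's tooling: it runs over constructed sign-in and audit events, assumes a per-user baseline of expected countries, and treats the activity strings in PERSISTENCE_ACTIVITIES as assumed labels rather than a verified list of Entra ID activity names.

```python
from datetime import datetime, timedelta

# Audit activities that create durable access (assumed labels for illustration,
# not a verified list of Entra ID activity strings).
PERSISTENCE_ACTIVITIES = {"User registered security info", "Register device"}
WINDOW = timedelta(hours=24)  # how long after an odd sign-in a registration is suspicious

# Constructed sample events (not real logs): a.user is compromised, b.user is normal.
EVENTS = [
    {"time": "2024-03-01T08:00:00", "user": "a.user", "kind": "signin", "country": "US"},
    {"time": "2024-03-01T08:05:00", "user": "a.user", "kind": "signin", "country": "MA"},
    {"time": "2024-03-01T08:20:00", "user": "a.user", "kind": "audit",
     "activity": "User registered security info"},
    {"time": "2024-03-01T09:00:00", "user": "b.user", "kind": "signin", "country": "US"},
    {"time": "2024-03-01T09:30:00", "user": "b.user", "kind": "audit", "activity": "Register device"},
]
# Countries each user normally signs in from (constructed baseline).
BASELINE = {"a.user": {"US"}, "b.user": {"US"}}


def find_alerts(events, baseline, window=WINDOW):
    """Flag persistence actions that follow a sign-in from an unseen country, and
    pairs of sign-ins from different countries less than an hour apart (a crude
    impossible-travel check; production logic would use distance and time)."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    anomalous = {}    # user -> time of most recent out-of-baseline sign-in
    last_signin = {}  # user -> (time, country) of the previous sign-in
    for e in events:
        t, user = datetime.fromisoformat(e["time"]), e["user"]
        if e["kind"] == "signin":
            if e["country"] not in baseline.get(user, set()):
                anomalous[user] = t
            prev = last_signin.get(user)
            if prev and prev[1] != e["country"] and t - prev[0] < timedelta(hours=1):
                alerts.append((user, "impossible-travel", e["time"]))
            last_signin[user] = (t, e["country"])
        elif e["kind"] == "audit" and e["activity"] in PERSISTENCE_ACTIVITIES:
            when = anomalous.get(user)
            if when is not None and t - when <= window:
                alerts.append((user, "persistence-after-anomalous-signin", e["time"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS, BASELINE):
        print(alert)
```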

2. Harden Entra ID and Cloud Configurations

  • Regularly review and restrict app registrations and OAuth permissions.
  • Implement conditional access policies to block sign-ins from unapproved regions or unmanaged devices.
  • Enable risk-based sign-in detection and MFA enforcement for high-privilege accounts.

3. Enhance Email Security and Awareness

  • Deploy advanced phishing detection and anti-spam filters across all mail systems.
  • Enable URL scanning, attachment sandboxing, and real-time link protection.
  • Train employees to verify unusual requests related to gift card purchases or access credentials.

4. Segment Critical Networks and Limit Access

  • Enforce network segmentation between administrative, financial, and customer systems.
  • Apply least-privilege principles and periodic access reviews to minimize lateral movement potential.
  • Monitor outbound data transfers and API activity for anomalies that could indicate data exfiltration or fraud.

Indicators of Compromise (IoCs)

IPv4 Addresses:

Phishing URL Patterns:

  • hxxps[:]//[brand-name][.]com[@][.]/portal/
  • hxxps[:]//[brand-name][.]com[@][.]/workspace
  • hxxps[:]//[brand-name][.]servicenow[.]*/*access
  • hxxps[:]//[.]com[.]ng/[brand-name][.]com/home/
  • hxxps[:]//organization[.]com[@]malicious[.]cl[/]workspace
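The patterns above share three tricks: the brand's domain placed before an `@` (so it becomes URL userinfo and the real host is whatever follows), the brand's domain used only as a path segment, and the brand name used as a label on an unrelated host. The Python below is an added example, not part of the advisory: it refangs the bracket notation and reports which trick a URL uses, with `example-brand.com` and the `lure` hosts as constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed brand list for illustration; a real deployment would load the
# organisation's own domains.
BRAND_DOMAINS = ["example-brand.com"]

DEFANG = {"hxxp": "http", "[:]": ":", "[.]": ".", "[@]": "@", "[/]": "/"}


def refang(url: str) -> str:
    """Undo the bracket-style defanging used in the advisory's IoC list."""
    for defanged, real in DEFANG.items():
        url = url.replace(defanged, real)
    return url


def lure_indicators(url: str, brands=BRAND_DOMAINS) -> list:
    """Return the impersonation tricks a URL exhibits (empty list = none found)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    found = []
    for brand in (b.lower() for b in brands):
        if host == brand or host.endswith("." + brand):
            continue  # genuinely on the brand's own domain
        # https://brand.com@attacker.tld/ - the browser routes to attacker.tld and
        # treats everything before '@' as userinfo
        if "@" in parts.netloc and brand in parts.netloc.rsplit("@", 1)[0].lower():
            found.append("brand-in-userinfo")
        # https://attacker.tld/brand.com/home/ - the brand appears only in the path
        if brand in path:
            found.append("brand-in-path")
        # https://brand.other-service.tld/ - brand label on a host the brand does not own
        if brand.split(".")[0] in host:
            found.append("brand-label-on-foreign-host")
    return found
```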

MITRE ATT&CK TTPs

Tactic                 | Technique                                          | Technique ID
-----------------------|----------------------------------------------------|------------------
Reconnaissance         | Gather Victim Identity Information                 | T1589
Initial Access         | Phishing / Spearphishing Link                      | T1566, T1566.002
Persistence            | Valid Accounts / Cloud Accounts                    | T1078, T1078.004
Defense Evasion        | Hide Artifacts / Email Hiding Rules                | T1564, T1564.008
Credential Access      | Modify Authentication Process (MFA Bypass)         | T1556, T1556.006
Privilege Escalation   | Account Manipulation                               | T1098
Discovery              | Email Account Discovery / Process Discovery        | T1087, T1057
Collection             | Data from Cloud Storage                            | T1530
Impact                 | Resource Hijacking                                 | T1496
Resource Development   | Compromise Accounts                                | T1586
Exfiltration / Impact  | Account Access Removal                             | T1531
