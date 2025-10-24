Organizations in retail and consumer services around the world are having their cloud environments targeted by the cybercriminal operation Jingle Thief to facilitate extensive gift card fraud , reports The Hacker News

Malicious emails and SMS messages have been deployed by Jingle Thief hackers which are associated with the Atlas Lion threat operation, also known as Storm-0539 to compromise organizations' Microsoft 365 credentials, according to a Palo Alto Networks Unit 42 report. Such credentials were then used for further reconnaissance aimed at the organizations' OneDrive and SharePoint instances to pilfer sensitive data related to financial processes, business operations, VPN configurations, and gift card issuance workflows, among others.

Hacked accounts were exploited by Jingle Thief to deliver more internal phishing messages spoofing IT service notices, with attackers also establishing inbox rules for automated email forwarding while promptly moving sent emails to the Deleted Items folder.

"Gift card fraud combines stealth, speed and scalability, especially when paired with access to cloud environments where issuance workflows reside," said Unit 42 researchers.