Jingle Thief: Cloud Identity Tradecraft in Microsoft 365 and Entra ID

Jingle Thief is a financially motivated campaign that operated almost entirely within Microsoft 365 tenants. After credential theft via phishing and smishing, the threat actors conducted cloud reconnaissance across SharePoint and OneDrive, expanded compromise through internal phishing, manipulated mailbox rules, and established persistence via device registration and authentication method changes in Entra ID.

This session analyzes Jingle Thief as a cloud identity intrusion model rather than a traditional fraud case study. We will examine how native Microsoft 365 and Entra ID functionality was abused to scale compromise, sustain long-term access, and evade detection. The talk concludes with practical detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID telemetry.

The Jingle Thief campaign represents a modern evolution in financially motivated threat activity: a cloud-first intrusion model operating almost exclusively within Microsoft 365 and Entra ID.

Initial access was achieved through phishing and smishing campaigns targeting Microsoft 365 credentials. Once inside a tenant, the actors immediately shifted to cloud-based reconnaissance, mining SharePoint and OneDrive for internal documentation related to gift card issuance processes and operational workflows.

Using compromised internal accounts, the actors conducted additional phishing to expand access across the organization. Mailbox rules and forwarding settings were configured to maintain operational awareness, while phishing artifacts were moved to Deleted Items to reduce visibility.

Persistence was established through device registration within the tenant and modification of authentication methods in Entra ID, enabling sustained access even as credentials were reset. In one observed case, the intrusion persisted for approximately ten months and involved more than sixty compromised accounts.

This talk focuses on the identity-layer mechanics of the campaign and examines:

• The Microsoft 365 and Entra ID attack lifecycle observed in victim tenants
• Abuse of collaboration platforms for reconnaissance and operational scaling
• Mailbox rule manipulation and internal phishing tradecraft
• Device registration and authentication method modification as persistence mechanisms
• Investigation challenges unique to cloud-only intrusions
• Detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID logs

Rather than presenting a traditional fraud narrative, this session reframes Jingle Thief as a cloud identity tradecraft model and discusses what defenders must instrument and monitor to detect similar activity.
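As an added example that is not part of the talk or its authors' material, the Python below sketches how the mailbox-rule manipulation and the follow-on persistence changes described above could be correlated per user in audit records. The event layout, field names, operation strings and sample entries are constructed and simplified for illustration, not real Unified Audit Log or Entra ID audit output.

```python
"""Flag Jingle Thief-style chaining in Microsoft 365 / Entra ID audit records.
Sample events are constructed (hypothetical tenant), loosely shaped like Unified
Audit Log inbox-rule entries and Entra ID audit activities, one flat dict each."""
from datetime import datetime, timedelta

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_FOLDERS = {"Deleted Items", "Junk Email", "RSS Feeds", "Archive"}
PERSISTENCE_OPS = {"User registered security info", "Add registered device"}  # assumed names

SAMPLE_LOG = [  # constructed events; ISO timestamps; "params" mirrors rule cmdlet args
    {"ts": "2025-11-03T08:12:00", "user": "alice@contoso.example", "op": "New-InboxRule",
     "params": {"Name": "Cleanup", "SubjectContainsWords": "password;verify",
                "MoveToFolder": "Deleted Items", "MarkAsRead": "True"}},
    {"ts": "2025-11-03T08:15:00", "user": "alice@contoso.example", "op": "Set-InboxRule",
     "params": {"Name": "Fwd", "ForwardTo": "relay@external.example"}},
    {"ts": "2025-11-03T09:02:00", "user": "alice@contoso.example",
     "op": "User registered security info", "params": {}},
    {"ts": "2025-11-03T09:20:00", "user": "alice@contoso.example",
     "op": "Add registered device", "params": {}},
    {"ts": "2025-11-03T10:00:00", "user": "bob@contoso.example", "op": "New-InboxRule",
     "params": {"Name": "News", "FromAddressContainsWords": "newsletter",
                "MoveToFolder": "Newsletters"}},
]


def classify_rule(params):
    """Reasons an inbox rule looks like attacker mailbox manipulation (empty if benign)."""
    reasons = []
    if FORWARDING_PARAMS.intersection(params):
        reasons.append("forwarding/redirect rule")
    hides = params.get("DeleteMessage") == "True" or params.get("MoveToFolder") in HIDING_FOLDERS
    if hides and any(k.endswith("ContainsWords") for k in params):
        reasons.append("keyword-triggered hiding rule")  # e.g. phishing replies to Deleted Items
    return reasons


def flag_suspicious(records, window=timedelta(hours=24)):
    """Return {user: [finding, ...]}. Flagged inbox rules stand alone; Entra persistence
    events (routine admin noise on their own) count only when they follow a flagged rule
    within `window`, mirroring the rule-then-persistence chain seen in the campaign."""
    findings, last_rule = {}, {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        if rec["op"] in {"New-InboxRule", "Set-InboxRule"}:
            reasons = classify_rule(rec["params"])
            if reasons:
                findings.setdefault(rec["user"], []).extend(reasons)
                last_rule[rec["user"]] = ts
        elif rec["op"] in PERSISTENCE_OPS:
            if rec["user"] in last_rule and ts - last_rule[rec["user"]] <= window:
                findings.setdefault(rec["user"], []).append(f"persistence after rule change: {rec['op']}")
    return findings
```

Bob's newsletter rule is left alone because it neither forwards nor hides keyword-matched mail, while Alice's hiding rule, forwarding rule and the two Entra changes within the next hour are reported together.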

About the Speaker