The Jingle Thief campaign, conducted by financially motivated threat actors from Morocco, targets global enterprises in retail and consumer services sectors to execute gift card fraud. Using phishing and smishing tactics, the attackers gain access to Microsoft 365 environments, exploiting cloud services for reconnaissance, lateral movement, and persistence. They focus on compromising gift card issuance systems, leveraging internal documentation and communication channels. The campaign demonstrates sophisticated techniques, including tailored phishing, internal email manipulation, and device registration abuse. The attackers maintain long-term access, sometimes over a year, making detection challenging. Their activities often align with holiday periods to maximize impact.