Stav Setty
Stav Setty is a Principal Security Researcher on the ITDR team at Palo Alto Networks. Her work focuses on identity-centric intrusion analysis across cloud and enterprise environments and translating real-world tradecraft into actionable detection guidance.
Session
Jingle Thief is a financially motivated campaign that operated almost entirely within Microsoft 365 tenants. After credential theft via phishing and smishing, the threat actors conducted cloud reconnaissance across SharePoint and OneDrive, expanded compromise through internal phishing, manipulated mailbox rules, and established persistence via device registration and authentication method changes in Entra ID.
This session analyzes Jingle Thief as a cloud identity intrusion model rather than a traditional fraud case study. We will examine how native Microsoft 365 and Entra ID functionality was abused to scale compromise, sustain long-term access, and evade detection. The talk concludes with practical detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID telemetry.