Welcome to the November edition of the Unit 42 Threat Bulletin, where we take a look into the threat landscape to surface insights for security leaders. I’m Mitch Mayne, Editor in Chief of the Threat Bulletin and Cybersecurity Research Principal for Unit 42.
This month, we spoke with Senior Principal Researcher Matt Brady about the Scattered LAPSUS$ threat group and what trends to expect next year. Threat Intelligence Manager Richard Emerson explores recent supply chain attacks, and our threat researchers bring us up to date on Jingle Thief retail attacks.
Mitch Mayne: We have seen several high-impact supply chain attacks recently, so this topic is front of mind for many CISOs. This intrusion was not confirmed as a supply chain attack, but it raised many of the same concerns. What makes it worth watching?
Richard Emerson: While we have not observed downstream impact at this point, the concern is that follow-on effects may emerge over time. A highly capable nation-state actor gaining access to a vendor’s development or engineering environment often indicates an intelligence-gathering objective, and it may also signal an interest in reaching customers who rely on that vendor’s technology. It highlights the ongoing appeal of one-to-many compromise.
MM: What does the timeline tell us about how these attacks unfold?
RE: Public reporting suggests the attackers maintained access for an extended period before the intrusion was discovered. The point is that these operations are long-running, whether or not they evolve into full supply chain incidents. Persistent access often provides attackers with insights and opportunities that become visible only much later.
MM: What steps can security leaders take to strengthen resilience against supply chain risk?
RE: Beyond proactive measures like maintaining a robust Cybersecurity Supply Chain Risk Management program, organizations need to operate from an “assume breach” mindset and plan for containment. Zero Trust principles, strong segmentation, and least-privilege access help reduce the chance that a single vendor exposure disrupts operations or cascades across business lines. At the leadership level, it is critical to quantify the risk being outsourced and ensure that those risks align with the company’s tolerance, continuity plans, and regulatory obligations. That alignment is what turns technical controls into business resilience.
Mitch Mayne: What should we know at a glance?
Stav Setty & Shachar Roitman: This campaign shows how attackers are turning identity into a direct path to profit. They phish employees with convincing Microsoft 365 login pages, harvest credentials, and then operate entirely inside the cloud with no malware or endpoint activity. Once inside, they use legitimate tools to stay hidden, create inbox rules, and quietly issue high-value gift cards across multiple programs. Those cards are quickly resold or laundered, which results in immediate financial loss for the business. The key point is that this fraud happens inside trusted business workflows. These are not system takeovers but process takeovers, where normal permissions are used in abnormal ways. It is a reminder that for modern enterprises, identity has become both the new perimeter and a direct source of financial exposure.
MM: What makes this attack stand out?
SS&SR: The accessibility. Practically any employee who can issue a gift card becomes a potential target. The attackers do not need to compromise an executive or administrator. All they need is one account with the right business function. That is especially true in retail environments where seasonal hiring expands the workforce and creates many new cloud identities in a short time. Once the attackers are inside, they often stay for months. We have seen cases where they quietly operated for nearly a year, learning how systems work and striking again when the business is most vulnerable, such as during peak shopping periods. They are disciplined and financially motivated, and they use legitimate tools to stay under the radar. For CISOs, the concern is visibility. Gift card systems often sit outside centralized monitoring and can span multiple brands or vendors. This makes credential misuse hard to detect until significant losses have already occurred.
MM: What is the big picture here?
SS&SR: Gift cards may seem like a narrow target, but this campaign reflects a broader trend in financial crime. Attackers are exploiting trust in cloud identities to turn access into money. Today the focus is gift cards, but the same methods could apply to loyalty programs, payroll systems, or vendor credits. Once credentials are stolen, they are often sold on dark web marketplaces, giving other actors a foothold in the business.
MM: What should CISOs take away from this research?
SS&SR: CISOs should focus on three things. First, treat identity permissions like financial controls and limit who can issue or approve high-value transactions. Second, monitor for subtle identity anomalies such as MFA resets, new device enrollments, or inbox forwarding rules. Third, invest in behavioral analytics that flag when legitimate users start behaving in risky ways. The Jingle Thief campaign highlights how attackers are monetizing access from inside trusted systems. Strengthening identity governance is no longer just a technical objective. It is essential to protecting revenue, brand trust, and continuity of operations.
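As an added example that is not from the bulletin or from Unit 42's own tooling: a small Python triage script that scores constructed Microsoft 365 style audit records for the anomaly types named above (MFA method removal, new device enrollment, inbox rules that forward or delete mail) and flags the account where they cluster. The operation names and field layout are assumptions that only loosely mirror the unified audit log and would need tuning to a real tenant export.

```python
import json
from collections import defaultdict

# Audit operations treated as identity anomalies, each with a weight.
# Names are assumptions that approximate Microsoft 365 / Entra activities.
SUSPICIOUS_OPS = {
    "New-InboxRule": 2,
    "User deleted security info.": 3,      # MFA method removed by the user
    "Admin deleted security info.": 3,     # MFA method removed by an admin
    "Add registered users to device.": 2,  # new device enrollment
}
# Inbox-rule parameters that divert or hide mail; a rule with none of these
# (e.g. one that only tags a category) is treated as benign.
STEALTHY_RULE_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                        "DeleteMessage", "MoveToFolder"}

def score_event(event):
    """Return (weight, reason) for one audit record, or (0, None) if benign."""
    op = event.get("Operation", "")
    weight = SUSPICIOUS_OPS.get(op, 0)
    if weight == 0:
        return 0, None
    if op == "New-InboxRule":
        params = {p.get("Name") for p in event.get("Parameters", [])}
        hits = params & STEALTHY_RULE_PARAMS
        if not hits:
            return 0, None
        return weight + len(hits), f"{op} with {sorted(hits)}"
    return weight, op

def triage(raw_lines, threshold=5):
    """Sum per-user scores over JSON audit lines; return users at/above threshold."""
    totals, reasons = defaultdict(int), defaultdict(list)
    for line in raw_lines:
        ev = json.loads(line)
        w, why = score_event(ev)
        if w:
            totals[ev["UserId"]] += w
            reasons[ev["UserId"]].append(why)
    return {u: {"score": s, "reasons": reasons[u]}
            for u, s in totals.items() if s >= threshold}

# Constructed sample log lines (not real telemetry). The first account shows
# the cluster the text describes: MFA reset, new device, then a hiding rule.
SAMPLE_LOG = [
    json.dumps({"UserId": "giftcard.ops@example.com", "Operation": "User deleted security info."}),
    json.dumps({"UserId": "giftcard.ops@example.com", "Operation": "Add registered users to device."}),
    json.dumps({"UserId": "giftcard.ops@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "SubjectContainsWords", "Value": "gift card"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "bob@example.com", "Operation": "New-InboxRule",
                "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"UserId": "carol@example.com", "Operation": "UserLoggedIn"}),
]
```

Running `triage(SAMPLE_LOG)` flags only giftcard.ops@example.com (score 8); bob's single folder rule scores 3 and stays below the threshold.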