Atlas Lion is a financially motivated cybercrime threat actor that has been active since at least 2024. The group steals credentials and uses the stolen identities to infiltrate enterprise cloud environments, mostly Microsoft Azure and M365. Once inside, they conduct extensive reconnaissance of the business's gift card systems, policies and departments. Their ultimate goal is to use the acquired access and knowledge to issue gift cards, reportedly reaching up to $100,000 a day in fraudulent cards.
Initial access is typically achieved through targeted smishing or phishing campaigns impersonating internal IT or helpdesk communications. Victims are lured to convincing phishing pages that harvest credentials, including valid MFA codes or session cookies, enabling the threat actor to authenticate in real time. In several observed cases, Atlas Lion used this access to register their own devices as trusted assets and to spin up virtual machines for persistence and for staging later stages of the attack. This allows the group to operate from infrastructure that appears compliant and corporate-owned, reducing the likelihood of immediate detection.
With persistent access established, Atlas Lion conducts internal reconnaissance focused on business processes rather than on deploying malware. The group searches internal documentation, SharePoint sites, and knowledge bases to identify gift card issuance systems, approval workflows, and fraud controls. Once these processes are understood, the threat actor moves to fraud execution. For example, if a limit is $100,000, the threat actor will issue a card for $99,000, send the card code to an address they control, and monetize it by selling it online at a discounted rate.
CISO Perspective
Atlas Lion highlights a shift toward threat actors operating as legitimate users by abusing cloud identities and device enrollment to blend into trusted environments and target high-value business processes. These techniques bypass traditional defenses, making misuse of legitimate access difficult to detect.
To counter these threats, retail and gift card organizations should prioritize security assessments focused on identity and device integrity. Rapid forensic detection is essential to identifying and neutralizing cloud-based abuse at its earliest stages.
TTPs
All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.
MITRE ATT&CK Mapping
| Tactic | Technique | MITRE ID | Procedure (Context) |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | Created 200+ domains mimicking Okta, ServiceNow, etc. Used typosquatting and cPanel takeovers of WordPress sites. |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 | Rented VPSs via SERVERCENTRAL, DIALHOST, and ZAM LTDA ASNs to host phishing infrastructure. |
| Resource Development | Acquire Infrastructure: Server (Cloud) | T1583.004 | Used free-trial and pay-as-you-go cloud accounts to spin up VMs for attack infrastructure. |
| Resource Development | Establish Accounts | T1585 | Impersonated US nonprofits using spoofed websites and real IRS 501(c)(3) letters to obtain sponsored cloud resources. |
| Resource Development | Obtain Capabilities: Tool | T1588.002 | Used Gophish and custom AiTM kits themed after Okta, Microsoft, Salesforce, and Telegram. |
| Initial Access | Phishing (Smishing) | T1566 | Targeted work and personal phones via SMS. Used compromised internal distribution lists to send phishing from trusted addresses. |
| Credential Access | Adversary-in-the-Middle (AiTM) | T1557 | Proxy pages captured credentials and session tokens in real time, relaying authentication to the legitimate service to bypass MFA. |
| Credential Access | Steal Web Session Cookie | T1539 | Intercepted post-MFA session cookies from identity providers to enable account takeover without MFA codes. |
| Credential Access | Modify Authentication Process: Multi-Factor Authentication | T1556.006 | Registered actor-controlled devices to victim accounts so MFA prompts were routed to the attacker. |
| Persistence | Account Manipulation: Device Registration | T1098.005 | Registered their own devices in Entra ID to maintain access that survives password resets. |
| Discovery | Account Discovery | T1087 | Researched gift card issuance processes, internal guides, and the specific employees with portal access. |
| Discovery | Cloud Infrastructure Discovery | T1580 | Mapped VMs, VPNs, SharePoint/OneDrive, Salesforce, and Citrix environments post-compromise. |
| Discovery | Cloud Service Discovery | T1526 | Researched federated identity providers to convincingly replicate sign-in flows. |
| Lateral Movement | Remote Services: SSH | T1021.004 | Stole SSH keys and passwords from compromised accounts to pivot toward gift card systems. |
| Persistence | Valid Accounts: Cloud Accounts | T1078.004 | Used legitimate compromised employee cloud accounts to access business processes and gift card portals. |
| Impact | Financial Theft | T1657 | Fraudulently generated gift cards (up to $100K/day). Cards were sold on the dark web or cashed out via money mules. |
Incident Response Steps
Here are several practical, universal, and high-impact steps to prepare for and respond to cloud-based attacks, including the TTPs mentioned above (this list isn't exhaustive, but it highlights key areas where defenders can focus their efforts):
Conditional Access Policies: Require a compliant (Intune-managed) device, so that only company-managed hardware can access sensitive gift card portals. Note that a device the attacker self-registers is merely "registered", not "compliant", so the policy must check compliance rather than registration. Furthermore, systems used for issuing gift cards should only be reachable from allowlisted IP addresses, expressed in Conditional Access as a block for every location except a trusted named location.
Log Aggregation: Ensure UserLoggedIn, TokenIssuedAtTime, and MailboxLogin events are being ingested into a SIEM for long-term retention (e.g., 180+ days); the default Unified Audit Log retention is far shorter than most gift card fraud investigations need.
Identify Impossible Travelers: Use identity protection, and also alert on sign-ins for the same account from geographically distant locations within a short timeframe (e.g., a login from Atlanta and one from Morocco 20 minutes apart).
Audit Managed Devices: Regularly check for newly registered or unknown devices in Microsoft Entra ID or a similar cloud console, and correlate registration times with suspicious sign-ins.
Audit VMs: Regularly review existing and newly created VMs; an unexpected VM is a potential indicator of a threat actor using your resources to stage later stages of an attack.
Revoke Tokens: Simply changing a password is not enough. You must revoke all active sessions to invalidate the threat actor's stolen refresh tokens and session cookies. Be aware that access tokens already issued remain valid until they expire (typically up to an hour) unless the application supports Continuous Access Evaluation, so disable the account as well while you investigate.
Remediate Rogue Devices: Disable or remove any unauthorized devices registered by the threat actor to prevent them from re-authenticating; disabling first preserves the object for forensics.
Gift Card Audit: Contact the gift card service provider or department to freeze and void any high-value cards issued during the window of compromise.
Identity Proofing: Require the affected employee to verify their identity via a secondary, out-of-band channel (like a video call) before restoring full access.
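As an added example that is not code from the original post, the following Microsoft Graph PowerShell SDK script builds the two controls described in the "Conditional Access Policies" step: a trusted named location holding the allowlisted egress ranges, a block policy for every other location, and a grant policy requiring a compliant device plus MFA for the gift card portal. The application ID, group ID and CIDR ranges are placeholders, not real identifiers; both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the original post): Conditional Access controls for a gift card portal.
# Assumptions (placeholders, not real identifiers): $GiftCardAppId is the enterprise app ID of the
# issuance portal, $IssuerGroupId the Entra group allowed to use it, $OfficeCidrs the egress ranges
# of the offices/VPN that may reach it. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$GiftCardAppId = '00000000-0000-0000-0000-000000000000'   # placeholder
$IssuerGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder
$OfficeCidrs   = @('203.0.113.0/24', '198.51.100.0/24')   # RFC 5737 documentation ranges

# 1. Named location with the allowlisted egress IPs. Marking it trusted also stops Identity
#    Protection from treating these ranges as "unfamiliar" locations.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Gift card issuance egress'
    isTrusted     = $true
    ipRanges      = @($OfficeCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# 2. Conditional Access has no "allow only from"; the allowlist is expressed as
#    "block from all locations except the trusted one".
$blockOffNetwork = @{
    displayName = 'Gift card portal: block off-network access'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then switch to 'enabled'
    conditions  = @{
        users        = @{ includeGroups = @($IssuerGroupId) }
        applications = @{ includeApplications = @($GiftCardAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. For on-network sign-ins, require a compliant (Intune-managed) device AND MFA.
#    A device the attacker self-registered (T1098.005) is "registered", not "compliant",
#    so it fails the compliantDevice control. A short sign-in frequency limits how long a
#    stolen session stays usable.
$requireCompliant = @{
    displayName   = 'Gift card portal: require compliant device + MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeGroups = @($IssuerGroupId) }
        applications = @{ includeApplications = @($GiftCardAppId) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('compliantDevice', 'mfa') }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 1 }
    }
}

foreach ($policy in @($blockOffNetwork, $requireCompliant)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Keep an emergency-access account excluded from both policies before enforcing them, and verify in the sign-in log's Conditional Access tab that legitimate issuers from the office ranges pass both policies in report-only mode before setting `state` to `enabled`.

The second added example (again not from the original post) walks one suspected account through the "Identify Impossible Travelers", "Audit Managed Devices", "Revoke Tokens" and "Remediate Rogue Devices" steps. `Get-ImpossibleTravel` is a pure function exercised on constructed sample sign-ins (the Atlanta-to-Morocco case from the list); `Invoke-AccountTriage` is the live version that pulls Entra sign-in logs and the user's registered devices and, with `-Contain`, performs the revocation. UPNs, IPs and timestamps are made up; the 900 km/h threshold is an assumed airliner cruise speed.

```powershell
# Added example (not from the original post). Live functions need the Microsoft.Graph module and
# the scopes listed in Invoke-AccountTriage. All sample identities and IPs are constructed.

function Get-ImpossibleTravel {
    # Flags consecutive sign-ins whose implied ground speed exceeds $MaxSpeedKmh.
    # Each record needs: UserPrincipalName, CreatedDateTime, City, Lat, Lon, IpAddress.
    param([Parameter(Mandatory)][object[]]$SignIns, [double]$MaxSpeedKmh = 900)   # assumed threshold
    $toRad  = [math]::PI / 180
    $sorted = @($SignIns | Sort-Object { [datetime]$_.CreatedDateTime })
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $a = $sorted[$i - 1]; $b = $sorted[$i]
        $hours = ([datetime]$b.CreatedDateTime - [datetime]$a.CreatedDateTime).TotalHours
        if ($hours -le 0) { continue }
        # Haversine great-circle distance between the two geolocated source IPs.
        $dLat = ($b.Lat - $a.Lat) * $toRad
        $dLon = ($b.Lon - $a.Lon) * $toRad
        $h = [math]::Pow([math]::Sin($dLat / 2), 2) +
             [math]::Cos($a.Lat * $toRad) * [math]::Cos($b.Lat * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
        $km = 2 * 6371.0 * [math]::Asin([math]::Sqrt($h))
        if (($km / $hours) -gt $MaxSpeedKmh) {
            [pscustomobject]@{
                User = $b.UserPrincipalName
                From = "$($a.City) ($($a.IpAddress))"; To = "$($b.City) ($($b.IpAddress))"
                Minutes = [math]::Round($hours * 60); Km = [math]::Round($km); Kmh = [math]::Round($km / $hours)
            }
        }
    }
}

# Constructed sample: Atlanta, then Casablanca 20 minutes later (roughly 6,900 km, ~20,000 km/h).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'j.doe@example.com'; CreatedDateTime = '2025-01-15T13:00:00Z'; City = 'Atlanta';    Lat = 33.75; Lon = -84.39; IpAddress = '198.51.100.10' },
    [pscustomobject]@{ UserPrincipalName = 'j.doe@example.com'; CreatedDateTime = '2025-01-15T13:20:00Z'; City = 'Casablanca'; Lat = 33.57; Lon = -7.59;  IpAddress = '203.0.113.7' }
)
Get-ImpossibleTravel -SignIns $sample | Format-Table

function Invoke-AccountTriage {
    param([Parameter(Mandatory)][string]$Upn, [int]$LookbackDays = 7, [switch]$Contain)
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.RevokeSessions.All',
                            'User.ReadWrite.All', 'Device.ReadWrite.All' -NoWelcome
    $since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)

    # 1. Entra sign-in logs for the user, flattened to the shape Get-ImpossibleTravel expects.
    $filter  = "userPrincipalName eq '$Upn' and createdDateTime ge $($since.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName; CreatedDateTime = $_.CreatedDateTime
            City = $_.Location.City; IpAddress = $_.IpAddress
            Lat  = $_.Location.GeoCoordinates.Latitude; Lon = $_.Location.GeoCoordinates.Longitude
        }
    }
    $travel = Get-ImpossibleTravel -SignIns $signIns

    # 2. Devices registered to the user inside the window. A non-compliant device appearing
    #    right after a suspicious sign-in is the T1098.005 pattern described in the post.
    $newDevices = Get-MgUserRegisteredDevice -UserId $Upn -All |
        ForEach-Object { Get-MgDevice -DeviceId $_.Id } |
        Where-Object { $_.RegistrationDateTime -ge $since } |
        Select-Object Id, DisplayName, TrustType, IsCompliant, RegistrationDateTime, OperatingSystem

    if (-not $Contain) { return [pscustomobject]@{ ImpossibleTravel = $travel; NewDevices = $newDevices } }

    # 3. Containment. Revoke-MgUserSignInSession invalidates refresh tokens and session cookies;
    #    access tokens already issued stay valid until expiry (about an hour) unless the app uses
    #    Continuous Access Evaluation, so the account is also disabled until identity proofing is done.
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
    foreach ($d in $newDevices) {
        # Disable rather than delete first so the device object survives as evidence.
        Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
    }
    [pscustomobject]@{ ImpossibleTravel = $travel; NewDevices = $newDevices; Contained = $true }
}
```

Run `Invoke-AccountTriage -Upn user@yourtenant.com` first to review the findings, and add `-Contain` only once the Atlas Lion pattern (AiTM sign-in followed by a fresh device registration) is confirmed; the gift card freeze and identity proofing steps still have to be done with the issuing team and the employee out of band.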
If you spot any of these TTPs or indicators in your environment, or just want to become incident-ready in the cloud, contact our team. We’ll help you tighten your Azure, M365 or Entra defenses, refine your IR runbook, and stay ahead of Atlas Lion or other cloud-focused adversaries.
About Invictus Incident Response
We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!