
Experts at Expel have uncovered a novel tactic employed by the cybercriminal group known as Atlas Lion, which has been targeting large retail chains, clothing brands, and restaurant franchises. Rather than pushing in from the outside, the group disguises its activity as routine internal operations: it joins virtual machines it controls to the victim's domain so that they pass as corporate devices.
Atlas Lion (also tracked as Storm-0539) follows a well-rehearsed playbook. It begins by sending fraudulent SMS messages that purport to come from the company's technical support team. The messages link to spoofed login pages where employees are tricked into entering their usernames, passwords, and even multi-factor authentication (MFA) codes. The attackers use the captured credentials and codes immediately, before the MFA code expires, to sign in and register their own authenticator devices as MFA methods on the accounts. From that point on they hold persistent access that no longer depends on phishing a fresh code each time.
At one stage of the attack, the hackers registered their own authenticator apps on 9 of the 18 compromised accounts. They then created a virtual machine in their own Microsoft Azure subscription and joined it to the victim organization's domain. Because a domain join is what marks a Windows machine as managed, the VM was automatically treated as a legitimate corporate device, even though it ran in infrastructure the attackers owned.
This tactic allowed Atlas Lion to bypass conventional defenses designed to block unmanaged endpoints. However, a corporate policy requiring security software on joined devices worked against them: Microsoft Defender was automatically pushed to the VM and flagged its IP address, which had already been marked as malicious. That alert let the incident be detected quickly and the attackers removed from the network.
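The chain above leaves two traces a defender can hunt for: a cluster of new MFA-method registrations across several accounts in a short window, and a device join that originates from a network the company does not own. The following script is an added example written for this page, not tooling from Expel or Microsoft. It runs over constructed audit events whose field names are an assumption loosely modelled on Entra ID audit-log activity names (real logs carry more fields and different names), and the corporate IP ranges are invented for the example.

```python
"""Hunt for MFA-registration bursts and off-network device joins.

Added example for this article; not Expel's or Microsoft's tooling.
Event field names (time, activity, user, ip, device) and the corporate
network ranges are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit events (not real data). Times are UTC.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:10:00", "activity": "User registered security info",
     "user": "a.lee@example.com", "ip": "10.1.2.3"},
    {"time": "2024-05-01T09:02:00", "activity": "User registered security info",
     "user": "b.cho@example.com", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:05:00", "activity": "User registered security info",
     "user": "c.diaz@example.com", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:07:00", "activity": "User registered security info",
     "user": "c.diaz@example.com", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:12:00", "activity": "User registered security info",
     "user": "d.ng@example.com", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:40:00", "activity": "Register device",
     "user": "d.ng@example.com", "ip": "203.0.113.7", "device": "DESKTOP-7Q2K"},
    {"time": "2024-05-01T10:15:00", "activity": "Register device",
     "user": "e.fox@example.com", "ip": "10.2.3.4", "device": "LT-EFOX"},
]

# Corporate egress ranges; assumed for the example.
TRUSTED_CIDRS = ["10.0.0.0/8", "198.51.100.0/24"]

MFA_REG = "User registered security info"
DEVICE_REG = "Register device"


def _t(event):
    return datetime.fromisoformat(event["time"])


def mfa_registration_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Return the sorted set of accounts involved in any window of `window`
    length in which at least `threshold` distinct accounts registered a new
    MFA method. A user registering twice counts once."""
    regs = sorted((_t(e), e["user"]) for e in events if e["activity"] == MFA_REG)
    flagged = set()
    for i, (t0, _) in enumerate(regs):
        users = set()
        for t, user in regs[i:]:
            if t - t0 > window:
                break
            users.add(user)
        if len(users) >= threshold:
            flagged.update(users)
    return sorted(flagged)


def device_joins_outside_corporate(events, trusted_cidrs):
    """Return device registration events whose source IP is not inside any
    trusted corporate range. An attacker-owned VM joined from its own cloud
    tenant shows up here even though the join itself succeeded."""
    nets = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for e in events:
        if e["activity"] != DEVICE_REG:
            continue
        addr = ip_address(e["ip"])
        if not any(addr in net for net in nets):
            hits.append(e)
    return hits


def shared_source_ips(events):
    """Map source IPs that performed more than one kind of sensitive activity
    to the users and activities seen from them. The same IP registering MFA
    methods and then joining a device is the pattern described above."""
    by_ip = defaultdict(lambda: {"users": set(), "activities": set()})
    for e in events:
        if e["activity"] in (MFA_REG, DEVICE_REG):
            by_ip[e["ip"]]["users"].add(e["user"])
            by_ip[e["ip"]]["activities"].add(e["activity"])
    return {ip: d for ip, d in by_ip.items() if len(d["activities"]) > 1}


if __name__ == "__main__":
    print("MFA burst accounts:", mfa_registration_bursts(SAMPLE_EVENTS))
    for e in device_joins_outside_corporate(SAMPLE_EVENTS, TRUSTED_CIDRS):
        print("Off-network device join:", e["device"], e["user"], e["ip"])
    for ip, d in shared_source_ips(SAMPLE_EVENTS).items():
        print("Shared source:", ip, sorted(d["users"]), sorted(d["activities"]))
```

The threshold and window are deliberately low so the constructed data trips them; in production they should be tuned against the baseline rate of legitimate authenticator enrollments, and the device-join check should use the organisation's real egress ranges rather than the private-address assumption used here.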
Nonetheless, within hours the group re-used the stolen credentials to regain access. This time their focus shifted to reconnaissance: they began reviewing internal documents on Bring Your Own Device (BYOD) policies, VPN configurations, and endpoint management procedures, evidently preparing a stealthier repeat of the virtual-machine approach.
In parallel, Atlas Lion continued to pursue its primary objective: stealing gift cards. Expel researchers observed heightened interest in the internal processes for issuing, redeeming, and exchanging gift cards, and in the fraud prevention measures around them. The attackers appeared intent on understanding these mechanisms in detail so that they could sidestep the controls and generate new gift card codes efficiently.
Such tactics have been documented in earlier reports from Microsoft, which noted that Atlas Lion not only forges device identities but also misuses publicly available nonprofit documents, such as IRS letters, to obtain nonprofit discounts on cloud services and so reduce its infrastructure costs.
Typically, the group fabricates fraudulent gift cards and either cashes them out via intermediaries or resells them at discounted rates to other criminals. According to Microsoft estimates, this scheme alone can net the attackers up to $100,000 per day per targeted company.
Atlas Lion exemplifies how cybercrime has evolved alongside cloud computing, turning legitimate business processes into tools for fraud. The success of such attacks often hinges less on technical sophistication than on the group's ability to embed itself within routine enterprise workflows, quietly and with precise timing.