Raccoon’s Microsoft 365 Phishing Operation Shut Down
Microsoft’s Digital Crimes Unit (DCU), working with Cloudflare, has dismantled RaccoonO365, a phishing-as-a-service (PhaaS) operation responsible for stealing over 5,000 Microsoft 365 credentials across 94 countries since July 2024.
🔍 Key Actions:
- Court order (Southern District of New York): Enabled seizure of 338 domains used by the network
- Cloudflare takedown: Banned domains, placed “phish warning” interstitials, terminated Worker scripts, suspended accounts
- Timeline: Sept 2–8, 2025
📌 About RaccoonO365 (aka Storm-2246):
- Sold on subscription: $355 for 30 days / $999 for 90 days
- Customers could target up to 9,000 emails/day
- Mimicked trusted brands (Microsoft, DocuSign, Adobe, Maersk)
- Used Cloudflare Turnstile CAPTCHA + Workers to filter bots and only allow real victims
- Enabled MFA bypass and persistent access
👤 Attribution:
- Mastermind: Joshua Ogundipe (Nigeria)
- Exposed via an operational security lapse that revealed a crypto wallet
- Earned $100,000+ in crypto, sold 100–200 subscriptions (likely an underestimate)
- Criminal referral submitted to international law enforcement
⚠️ Impact:
- Over 2,300 U.S. organizations targeted, including 20+ healthcare entities
- Used in campaigns delivering malware & ransomware (Latrodectus, GuLoader, BruteRatel C4)
- Recently advertised an AI-powered service, AI-MailCheck, to boost phishing sophistication
📢 Cloudflare’s Position:
This takedown represents a strategic shift from reactive, single-domain actions to large-scale proactive disruption, raising operational costs for cybercriminals.
💡 Why it matters:
RaccoonO365 demonstrates how PhaaS commoditizes cybercrime, making large-scale phishing accessible to low-skill actors. Proactive public-private partnerships are vital to dismantle such infrastructure before it evolves further.
At Alcaeus Services, we help organizations prepare against phishing-as-a-service threats, strengthen identity protection, and deploy layered defenses.