In a significant blow to cybercrime, Microsoft’s Digital Crimes Unit (DCU), in collaboration with Cloudflare, has successfully dismantled the RaccoonO365 phishing network. This operation led to the seizure of 338 domains utilized by the threat group to orchestrate phishing attacks, resulting in the theft of over 5,000 Microsoft 365 credentials across 94 countries since July 2024.
Operation Details
Leveraging a court order from the Southern District of New York, the DCU disrupted the technical infrastructure of RaccoonO365, severing the criminals’ access to their victims. Steven Masada, assistant general counsel at DCU, emphasized the accessibility of cybercrime tools like RaccoonO365, stating, “This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm – simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
The takedown operation commenced on September 2, 2025, with Cloudflare initiating the first phase. Subsequent actions on September 3 and 4 included banning all identified domains, placing interstitial phishing-warning pages in front of them, terminating the associated Workers scripts, and suspending the user accounts behind them. The effort concluded on September 8.
Understanding RaccoonO365
Identified by Microsoft as Storm-2246, RaccoonO365 operates under a subscription model, offering phishing-as-a-service (PhaaS) to cybercriminals with minimal technical expertise. Subscription plans are priced at $355 for 30 days and $999 for 90 days. The operators assert that their tool is hosted on bulletproof virtual private servers without hidden backdoors, distinguishing it from other services like BulletProofLink. They market it as “built for serious players only – no low-budget freeloaders.”
Phishing Tactics and Targets
Since September 2024, RaccoonO365 has been active, deploying campaigns that impersonate reputable brands such as Microsoft, DocuSign, SharePoint, Adobe, and Maersk. These fraudulent emails lure victims to counterfeit pages designed to capture Microsoft 365 usernames and passwords. Often, these phishing emails serve as precursors to malware and ransomware attacks.
A particularly concerning aspect is the abuse of legitimate tools: Cloudflare Turnstile is used as a CAPTCHA in front of the phishing pages, and Cloudflare Workers scripts perform bot and automation detection. Because automated crawlers and URL scanners fail the challenge, only the intended human targets reach the credential-harvesting page, which complicates detection and mitigation efforts.
Broader Implications
In April, Microsoft highlighted phishing campaigns exploiting tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). These campaigns utilized RaccoonO365, with one attributed to an initial access broker known as Storm-0249. Over 2,300 organizations in the United States, including at least 20 healthcare entities, have been targeted by these phishing campaigns.
RaccoonO365’s services enable customers to input up to 9,000 target email addresses daily and employ sophisticated techniques to bypass multi-factor authentication protections, facilitating credential theft and persistent access to victims’ systems. Recently, the group introduced an AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and enhance the sophistication and effectiveness of attacks.
Attribution and Ongoing Efforts
The individual behind RaccoonO365 is believed to be Joshua Ogundipe, based in Nigeria. Along with his associates, Ogundipe has promoted the tool on a Telegram channel with over 850 members, receiving at least $100,000 in cryptocurrency payments. The group is estimated to have sold between 100 and 200 subscriptions, though Microsoft cautions this figure may be an underestimate.
Microsoft’s attribution was facilitated by an operational security lapse that inadvertently exposed a secret cryptocurrency wallet. While Ogundipe and four co-conspirators remain at large, Microsoft has referred the case to international law enforcement agencies.
In its analysis of the PhaaS service, Cloudflare said the takedown of hundreds of domains and Worker accounts is intended to raise operational costs for the cybercriminals and to serve as a warning to others who might abuse its infrastructure for malicious purposes.
Following the disruption, the threat actors announced they are scrapping all legacy RaccoonO365 links, urging customers with one-month subscriptions to switch to a new plan. They also offered compensation by providing one extra week of subscription after the upgrade.
Cloudflare stated that this response represents a strategic shift from reactive, single-domain takedowns to proactive, large-scale disruptions aimed at dismantling the actor’s operational infrastructure on its platform.