In a coordinated effort, Microsoft’s Digital Crimes Unit (DCU) and Cloudflare have successfully disrupted one of the fastest-growing Phishing-as-a-Service (PhaaS) operations — RaccoonO365 (also tracked by Microsoft as Storm-2246). This takedown involved the seizure of 338 domains and the dismantling of supporting infrastructure, cutting off access to a phishing platform that had stolen thousands of Microsoft 365 credentials worldwide.
This post walks through what RaccoonO365 was, how it operated, who was behind it, what the disruption entailed, and what lessons users and organisations should take away.
What Was RaccoonO365?
Phishing-as-a-Service (PhaaS) Model
RaccoonO365 was essentially a subscription-based phishing toolkit — a PhaaS offering that lowered the barrier for attackers with minimal technical skills to carry out large-scale credential theft campaigns.
Subscribers could:
- Send phishing emails crafted to mimic Microsoft (or other brands)
- Host fake login pages that harvested credentials
- Deploy anti-bot, CAPTCHA, or evasion techniques
- Bypass some multi-factor authentication (MFA) mechanisms
- Use the stolen credentials and session cookies for further attack chains
The platform even claimed to enable persistent access and MFA bypass through proxying authentication flows.
Scale & Reach
Since July 2024, RaccoonO365 was used to steal at least 5,000 Microsoft 365 credentials across 94 countries. The toolkit allowed customers to target up to 9,000 email addresses per day, enabling high-volume campaigns.
Notably:
- A tax-themed phishing campaign targeted over 2,300 U.S. organizations.
- At least 20 U.S. healthcare organizations were hit, raising concerns about patient safety, data breaches, and service disruption.
The evidence suggests that the service became quite popular, with a private Telegram channel boasting over 850 members. Microsoft estimated revenues of at least $100,000 in cryptocurrency from subscriptions.
How Did the Operation Work?
Infrastructure & Concealment
One of RaccoonO365’s strengths was how it masked its back-end infrastructure:
- Many phishing domains and servers were hosted behind Cloudflare’s services, reverse proxying the real servers and making direct tracing difficult.
- Attackers used Cloudflare Workers and suspended accounts to further obscure the real origin.
- The service incorporated anti-bot and CAPTCHA steps in the initial stage, which also helped avoid simplistic automated detection.
Phishing Flow & Credential Theft
A typical attack path looked like this:
- The victim receives a crafted email (e.g., a tax notification, invoice, internal memo) with a link, QR code, or attachment.
- The link directs them through a CAPTCHA or bot-checking page (to filter non-human visitors).
- The user is then sent to a convincing fake Microsoft (or other service) login page, where they input credentials.
- Behind the scenes, the phishing tool proxies the login to Microsoft’s servers (as a man-in-the-middle), harvesting not just the password but also the session cookies that let the attacker bypass MFA or sustain access.
- Once inside, the attacker can exfiltrate data, gain lateral movement, escalate privileges, deploy malware or ransomware, or sell access to others.
This model allowed even non-technical actors to run effective phishing campaigns at scale.
Who Was Behind RaccoonO365?
Attribution & Identity
Microsoft’s investigation attributed the operation to Joshua Ogundipe, a Nigeria-based programmer believed to be the author of much of the phishing software.
A security lapse — namely the revealing of a cryptocurrency wallet used by the criminals — enabled Microsoft to trace transactions and make connections.
Microsoft partnered legally with Health-ISAC — a healthcare sector cybersecurity non-profit — chiefly because many healthcare organizations had been targeted.
Legal Actions
In August 2025, Microsoft filed a lawsuit naming Ogundipe and four unnamed associates (John Does 1–4).
They also obtained a court order from the U.S. Southern District of New York to seize domains and disable infrastructure.
Because Ogundipe is outside U.S. jurisdiction, the restraining orders have limited immediate effect. Microsoft has also issued a criminal referral to international law enforcement.
The Disruption: How Microsoft & Cloudflare Did It
Domain Seizure & Infrastructure Takedown
- Microsoft, via DCU, secured a court order to seize 338 domains linked to RaccoonO365.
- Cloudflare disabled associated Worker scripts, suspended user accounts, banned the domains, and deployed interstitial “phish warning” pages.
- The coordinated takedown began in early September and was largely completed by September 8.
Strategic Shift
Cloudflare described this as more than a reactive domain takedown — instead, it represented a shift toward proactive disruption of a threat actor’s operational infrastructure.
Microsoft also secretly purchased the phishing kits and used them to trace fund flows and infiltration paths, helping link digital evidence to real-world identities.
Impact & Limitations
- The disruption cut off criminals’ access to victim systems via those domains.
- It forced them to rebuild infrastructure from scratch, raising their operational costs and risk.
- But resilience remains a concern: attackers can re-emerge, adapt, or use new platforms. Microsoft cautions that such takedowns are not permanent eliminations.
What Can Users & Organizations Learn?
1. Phishing Is a Persistent Threat
Even though domain seizures are disruptive, the fundamental tactic — social engineering via email — remains powerful. Just because a toolkit is busted doesn’t mean phishing stops.
2. Always Validate Before You Click
- Check sender addresses and domain names carefully.
- Do not click links or open attachments in unsolicited or suspicious emails.
- Verify via alternate channels (phone, known portal) if something seems odd.
3. Use Strong Authentication & Monitoring
- Enable multi-factor authentication (MFA) wherever possible. Even when credentials are stolen, MFA adds friction.
- Monitor for unusual login activity, especially from new devices or geographic locations.
- Use modern email security filters and anti-phishing solutions to block malicious messages early.
4. Employ Least-Privilege & Segmentation
- Restrict user access to minimize damage if credentials are compromised.
- Segment networks and data stores so attackers can’t traverse easily from one area to another.
5. Incident Readiness & Response
- Establish incident response plans for when a breach occurs.
- Ensure you have logging, forensic, and traceability tools in place to detect anomalies early.
- Conduct regular security awareness training among employees.
Why This Matters: Broader Implications
- The rise of PhaaS platforms like RaccoonO365 signals a worrisome shift: lowering the barrier to entry for cybercrime. Even low-skill actors can mount dangerous campaigns using rented toolkits.
- The success of a joint legal-technical takedown shows how collaboration between private industry and legal systems can have real impact.
- But defensive strategies must evolve: domain takedowns alone can’t keep pace with adaptive attackers. Proactive threat modeling, infrastructure-level disruption, and resiliency are needed.
- Targeting sectors like healthcare underscores that attacks aren’t limited to financial gain but can have real-world consequences, such as disrupted patient care or leaks of sensitive medical data.
Conclusion:
The disruption of RaccoonO365 represents a milestone in the battle against phishing-as-a-service operations. By seizing domains, dismantling infrastructure, and following the digital breadcrumbs back to real identities, Microsoft and Cloudflare have delivered a serious blow to a high-volume credential theft platform.
Sources:
https://www.darkreading.com/application-security/microsoft-disrupts-raccoono365-phishing-service
https://securityboulevard.com/2025/09/microsoft-dcus-takedown-of-raccoono365/
https://thehackernews.com/2025/09/raccoono365-phishing-network-shut-down.html
https://www.helpnetsecurity.com/2025/09/17/microsoft-disrupts-raccoono365-phishing/
https://www.theregister.com/2025/09/16/microsoft_cloudflare_shut_down_raccoono365/