Microsoft and Cloudflare Dismantle RaccoonO365 Phishing Empire Targeting Thousands
In a coordinated strike against cybercrime infrastructure, Microsoft's Digital Crimes Unit (DCU) and Cloudflare's threat intelligence teams have dismantled RaccoonO365—a prolific Phishing-as-a-Service (PhaaS) operation responsible for stealing thousands of Microsoft 365 credentials since mid-2024. The takedown, executed in early September 2025, resulted in the seizure of 338 malicious websites and Cloudflare Worker accounts that powered the criminal service.
The Anatomy of a Phishing Empire
RaccoonO365 (tracked by Microsoft as Storm-2246) operated as a subscription-based criminal enterprise, renting sophisticated phishing kits through a private Telegram channel with over 840 members. For $355–$999 paid in cryptocurrency, clients received kits that mimicked legitimate Microsoft login pages and used CAPTCHA challenges and anti-bot techniques to evade security analysis.
RaccoonO365's Telegram channel used to distribute phishing kits (Cloudflare)
The service enabled attacks affecting:
- 5,000+ compromised accounts across 94 countries
- 2,300+ U.S. organizations in tax-themed campaigns
- 20+ U.S. healthcare networks, risking patient safety
Stolen credentials from OneDrive, SharePoint, and email accounts fueled ransomware deployments, financial fraud, and network intrusions. Microsoft's Steven Masada emphasized the human impact:
"Patient services are delayed, critical care is canceled, and sensitive data is breached—directly impacting lives while causing massive financial losses."
Attribution and Tactical Triumph
Microsoft traced RaccoonO365's operations to Nigerian national Joshua Ogundipe, a programmer believed to have authored the core infrastructure. A critical lapse—the accidental exposure of a cryptocurrency wallet—aided investigators in mapping payment flows totaling over $100,000. Cloudflare's analysis also revealed Russian-language artifacts, suggesting ties to Eastern European cybercriminals.
This operation follows Microsoft's May 2025 disruption of the Lumma stealer malware, highlighting tech giants' evolving playbook for dismantling criminal-as-a-service ecosystems. By neutralizing RaccoonO365, the coalition has severed a key enabler of credential theft that threatened critical infrastructure—particularly healthcare systems where phishing often precedes ransomware attacks. Yet as criminal referrals move through international legal channels, the takedown underscores how cybercrime's industrialization demands continuous, cross-industry vigilance.
Source: BleepingComputer