RaccoonO365 login page
Microsoft’s Digital Crimes Unit (DCU) has dismantled the infrastructure behind RaccoonO365, one of the fastest-growing phishing kit services designed to steal Microsoft 365 credentials. Using a court order from the Southern District of New York, Microsoft seized 338 websites linked to the operation, cutting off criminals’ access to victims and disrupting a cybercrime service that had become a global threat.
Microsoft explains, “This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
RaccoonO365, also tracked as Storm-2246, provides subscription-based phishing kits that mimic official Microsoft communications. “These let anyone—even those with little technical skill—steal Microsoft credentials by mimicking official Microsoft communications,” the report states.
Since July 2024, RaccoonO365 kits have been used to steal at least 5,000 Microsoft credentials across 94 countries. Attackers leveraged convincing phishing lures, including tax-themed campaigns targeting over 2,300 U.S. organizations, and, most concerning, attacks against at least 20 healthcare organizations. Microsoft warns: “In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients.”
Despite being marketed as a tool for low-skilled criminals, RaccoonO365 evolved rapidly, offering advanced features such as:
- Up to 9,000 target emails per day
- Techniques to bypass multi-factor authentication (MFA)
- A new AI-powered module, AI-MailCheck, designed to “scale operations and increase the sophistication—and effectiveness—of attacks.”
This combination of accessibility and sophistication allowed the platform to proliferate quickly. The report does not say how the kits defeat MFA, and a stolen password alone cannot satisfy a second factor; phishing kits of this class generally get past MFA by relaying the victim's sign-in to the real service and capturing the authenticated session, which defeats one-time codes and push approvals but not phishing-resistant methods such as FIDO2 security keys or passkeys, whose credentials are bound to the legitimate origin.
As part of its investigation, Microsoft identified the operator of RaccoonO365 as Joshua Ogundipe, based in Nigeria. Ogundipe and his associates marketed the service through Telegram, where they had more than 850 members and received at least $100,000 in cryptocurrency payments.
The report notes, “A single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day—adding up to potentially hundreds of millions of malicious emails a year sent through this platform.”
Ogundipe has a background in computer programming. An operational security lapse, the exposure of a cryptocurrency wallet, helped Microsoft trace his activity. A criminal referral has been sent to international law enforcement.
The disruption of RaccoonO365 demonstrates Microsoft’s evolving strategy for tackling cybercrime. The DCU combined:
- Court-ordered domain seizures
- Partnerships with firms like Cloudflare to take down infrastructure
- Blockchain forensics with Chainalysis Reactor to trace cryptocurrency payments
Microsoft acknowledges the broader challenge: “Today’s patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps. Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity.”