Microsoft’s Digital Crimes Unit stated it teamed up with Cloudflare to coordinate the seizure of 338 domains utilized by RaccoonO365, a financially motivated risk group that was behind a phishing-as-a-service (Phaas) toolkit used to steal greater than 5,000 Microsoft 365 credentials from 94 nations since July 2024.
“Utilizing a court docket order granted by the Southern District of New York, the DCU seized 338 web sites related to the favored service, disrupting the operation’s technical infrastructure and chopping off criminals’ entry to victims,” Steven Masada, assistant basic counsel at DCU, stated.
“This case reveals that cybercriminals do not have to be subtle to trigger widespread hurt – easy instruments like RaccoonO365 make cybercrime accessible to just about anybody, placing thousands and thousands of customers in danger.”
The preliminary part of the Cloudflare takedown commenced on September 2, 2025, with extra actions occurring on September 3 and September 4. This included banning all recognized domains, putting interstitial “phish warning” pages in entrance of them, terminating the related Employees scripts, and suspending the consumer accounts. The efforts have been accomplished on September 8.
Tracked by the Home windows maker below the title Storm-2246, RaccoonO365 is marketed to different cybercriminals below a subscription mannequin, permitting them to mount phishing and credential harvesting assaults at scale with little to no technical experience. A 30-day plan prices $355, and a 90-day plan is priced at $999.
The operators additionally declare that the instrument is hosted on bulletproof digital non-public servers with no hidden backdoors (in contrast to, say, BulletProofLink), and that it is “constructed for severe gamers solely – no low-budget freeloaders.”
Based on Morado, campaigns utilizing RaccoonO365 have been lively since September 2024. These assaults sometimes mimic trusted manufacturers like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking them into clicking on lookalike pages which are designed to seize victims’ Microsoft 365 usernames and passwords. The phishing emails are sometimes a precursor to malware and ransomware.
Essentially the most troubling side, from a defender’s standpoint, is using professional instruments like Cloudflare Turnstile as a CAPTCHA, in addition to implementing bot and automation detection utilizing a Cloudflare Employees script to guard their phishing pages, thereby ensuring that solely supposed targets of the assault can entry and work together with them.
Earlier this April, the Redmond-based firm warned of a number of phishing campaigns leveraging tax-related themes to deploy malware resembling Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, have been delivered through RaccoonO365, with one such marketing campaign attributed to an preliminary entry dealer known as Storm-0249.
The phishing campaigns have focused over 2,300 organizations in america, together with a minimum of 20 U.S. healthcare entities.
“Utilizing RaccoonO365’s companies, prospects can enter as much as 9,000 goal e-mail addresses per day and make use of subtle strategies to bypass multi-factor authentication protections to steal consumer credentials and achieve persistent entry to victims’ techniques,” Microsoft stated.
“Most not too long ago, the group began promoting a brand new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and improve the sophistication – and effectiveness – of assaults.”
The mastermind behind RaccoonO365 is assessed to be Joshua Ogundipe, a person primarily based in Nigeria, who, alongside along with his associates, has marketed the instrument on an 850-member robust Telegram channel, receiving at least $100,000 in cryptocurrency funds. The e-crime group is believed to have offered about 100-200 subscriptions, though Microsoft cautioned it is possible an underestimate.
The tech large stated it was capable of make the attribution courtesy of an operational safety lapse that inadvertently uncovered a secret cryptocurrency pockets. Ogundipe and 4 different co-conspirators presently stay at massive, however Microsoft famous {that a} felony referral for Ogundipe has been despatched to worldwide regulation enforcement.
Cloudflare, in its personal evaluation of the PhaaS service, stated the takedown of a whole lot of domains and Employee accounts is aimed toward growing operational prices and sending a warning to different malicious actors who might abuse its infrastructure for malicious functions.
For the reason that disruption, the risk actors have introduced that they’re “scrapping all legacy RaccoonO365 hyperlinks,” urging their prospects who paid for a 1-month subscription to change to a brand new plan. The group additionally stated it’s going to compensate these affected by providing “one additional week of subscription” following the improve.
The “response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption aimed toward dismantling the actor’s operational infrastructure on our platform,” Cloudflare stated.
