Microsoft Shuts Down RaccoonO365 Phishing-as-a-Service, Names Leader

Summary
– Microsoft and Cloudflare disrupted the RaccoonO365 phishing service by seizing 338 websites through a court order from the Southern District of New York.
– RaccoonO365 sold subscription-based kits that enabled attackers to impersonate trusted brands and steal Microsoft 365 credentials, bypassing multi-factor authentication.
– Microsoft identified the group’s leader, Joshua Ogundipe, after purchasing the kits and tracking cryptocurrency transactions, aided by an operational security lapse revealing a secret wallet.
– The service operated on a tiered pricing model accepting cryptocurrencies, earning at least $100,000, and continued evolving with new features like AI-MailCheck.
– Microsoft has filed a lawsuit against Ogundipe and associates, sent a criminal referral to international law enforcement, and plans further legal actions to dismantle any reemerging infrastructure.
A major phishing-as-a-service operation known as RaccoonO365 has been successfully dismantled through a joint effort by Microsoft and Cloudflare. This criminal enterprise specialized in selling subscription-based phishing kits designed to steal Microsoft 365 account credentials from unsuspecting users. A court order issued by the Southern District of New York enabled the seizure of 338 websites linked to the service, effectively crippling its technical infrastructure and cutting off access for cybercriminals.
Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, confirmed the takedown, emphasizing the importance of disrupting such malicious services. The RaccoonO365 kit, also tracked as Storm-2246, provided ready-made phishing tools that allowed even low-skilled attackers to impersonate trusted brands like DocuSign, Adobe, and Maersk. These attackers could then set up convincing fake login pages to harvest user credentials and session cookies.
One of the most dangerous features of the kit was its ability to bypass multi-factor authentication. By acting as an adversary-in-the-middle, the phishing kit intercepted authentication flows, capturing not only passwords but also session cookies, granting attackers prolonged access to compromised accounts.
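As an added, defender-side illustration of why the cookie theft described above matters (this is not code from the article, Microsoft, or the RaccoonO365 investigation): the check below flags a Microsoft 365 session identifier that is reused from a different source IP or user agent shortly after the MFA-backed sign-in, which is the footprint left when an adversary-in-the-middle proxy replays a captured session cookie from its own host. The event fields, addresses and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). The victim authenticates
# with MFA from their browser; the stolen cookie is then replayed from another
# host with a non-browser user agent.
SAMPLE_EVENTS = [
    {"time": "2025-09-16T09:00:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128", "event": "Sign-in (MFA ok)"},
    {"time": "2025-09-16T09:00:45", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.77", "ua": "python-requests/2.32", "event": "Mailbox read"},
    {"time": "2025-09-16T09:05:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.77", "ua": "python-requests/2.32", "event": "Inbox rule created"},
    {"time": "2025-09-16T10:00:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "event": "Sign-in (MFA ok)"},
    {"time": "2025-09-16T10:30:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "event": "Mailbox read"},
]


def detect_session_replay(events, window=timedelta(hours=1)):
    """Return one alert per event whose session id is reused from a different
    IP address or user agent within `window` of the session's first event.

    A legitimate session keeps the same client fingerprint; a cookie relayed
    by an AiTM proxy shows up from the attacker's infrastructure instead."""
    alerts = []
    origin = {}  # session id -> (time, ip, ua) of the authenticating event
    for e in sorted(events, key=lambda x: x["time"]):  # ISO-8601 sorts lexically
        t = datetime.fromisoformat(e["time"])
        sid = e["session"]
        if sid not in origin:
            origin[sid] = (t, e["ip"], e["ua"])
            continue
        t0, ip0, ua0 = origin[sid]
        if t - t0 <= window and (e["ip"] != ip0 or e["ua"] != ua0):
            alerts.append({
                "user": e["user"], "session": sid, "time": e["time"], "event": e["event"],
                "reason": f"session established from {ip0} ({ua0}) reused by {e['ip']} ({e['ua']})",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(a["time"], a["user"], a["event"], "-", a["reason"])
```

Only the post-authentication activity is flagged, so a hit here is worth correlating with mailbox rule changes or other actions taken within the same session.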
Microsoft took an unconventional approach to infiltrate the group, secretly purchasing the phishing kits and instructions. This allowed investigators to trace cryptocurrency transactions, ultimately identifying a critical operational security mistake: the accidental exposure of a secret cryptocurrency wallet. This slip-up led directly to the identification of the group’s leader, Joshua Ogundipe, a Nigeria-based individual with a background in computer programming.
Ogundipe and his associates used Telegram to market the service through a private channel. Microsoft’s analysis indicates that he authored most of the code himself. Two other members provided administrative and technical support, while two additional defendants, cybercriminals who purchased the kit, registered new phishing domains and integrated them into the group’s infrastructure.
In August, Microsoft filed a lawsuit against Ogundipe and four unnamed associates, all of whom remain at large. The RaccoonO365 platform operated on a tiered pricing model, with subscriptions ranging from $355 for 30 days to $999 for 90 days. Payments were accepted exclusively in cryptocurrencies, including USDT and Bitcoin. To date, the group has earned at least $100,000 from its illegal activities.
The service continued to evolve, most recently advertising a new feature called RaccoonO365 AI-MailCheck, designed to scale operations and improve attack success rates. A criminal referral for Ogundipe has been submitted to international law enforcement agencies. Masada noted that while the lawsuit marks a significant step, Microsoft expects threat actors to attempt to rebuild, and the Digital Crimes Unit will continue taking legal action to dismantle any reemerging infrastructure.
(Source: HelpNet Security)