Microsoft, Cloudflare Shut Down Massive RaccoonO365 Phishing Operation

Summary
– Microsoft and Cloudflare disrupted the PhaaS operation RaccoonO365, seizing 338 websites and accounts linked to it.
– The group, tracked by Microsoft as Storm-2246, stole at least 5,000 Microsoft credentials from users in 94 countries using phishing kits that employ CAPTCHA gates and anti-bot checks to evade security scanners.
– Stolen credentials were used for financial fraud, extortion, and as initial access to systems, impacting healthcare and other sectors.
– RaccoonO365 operated via a private Telegram channel with over 840 members, offering subscriptions priced from $355 to $999 paid in cryptocurrency.
– The operator is identified as Joshua Ogundipe of Nigeria; investigators also found signs of collaboration with Russian-speaking cybercriminals, and a criminal referral has been sent to international authorities.

A major Phishing-as-a-Service (PhaaS) operation known as RaccoonO365 has been disrupted by a joint action between Microsoft and Cloudflare. The service let its subscribers harvest thousands of Microsoft 365 login credentials through convincing, high-volume phishing campaigns.
In early September 2025, Microsoft’s Digital Crimes Unit, working alongside Cloudflare’s Cloudforce One and Trust and Safety teams, seized 338 websites and Cloudflare Workers accounts tied to the RaccoonO365 infrastructure. The group behind the service, tracked by Microsoft as Storm-2246, had been active since at least July 2024 and compromised credentials belonging to more than 5,000 users across 94 countries.
The RaccoonO365 phishing kits were notably sophisticated: they placed CAPTCHA gates and anti-bot checks in front of the credential-harvesting page so that automated scanners and security crawlers were turned away and only human targets reached a page that convincingly mimicked the Microsoft sign-in flow. One campaign in April 2025 used tax-themed lures to target over 2,300 organizations in the United States. The group also aimed attacks at more than 20 U.S. healthcare providers, putting sensitive medical data and patient care at serious risk.
Stolen credentials and session cookies, along with data pulled from victims’ OneDrive, SharePoint, and email accounts, were frequently repurposed for financial fraud, extortion attempts, or as initial access into additional corporate networks. Steven Masada, Assistant General Counsel for Microsoft’s Digital Crimes Unit, emphasized the broader implications, noting that such phishing efforts often precede malware and ransomware incidents, which are particularly dangerous in healthcare settings, where delays and data breaches can directly harm patients.
RaccoonO365 operated a private Telegram channel with more than 840 members, offering subscription-based phishing kits priced between $355 for 30 days and $999 for 90 days. Payments were accepted exclusively in cryptocurrency, including USDT and Bitcoin. Microsoft estimates the group collected at least $100,000 in subscription fees, a floor rather than a total, since the actual number of paying customers is likely higher.
Investigators identified Joshua Ogundipe, a Nigerian resident with a background in computer programming, as the primary operator behind RaccoonO365. An operational security mistake by the threat actors, which exposed a cryptocurrency wallet that was meant to stay private, helped investigators attribute the operation and map its financial structure. A criminal referral for Ogundipe has been forwarded to international law enforcement authorities.
Evidence also points to collaboration with Russian-speaking cybercriminals, based on the use of Russian in the group’s Telegram bot. This takedown follows another recent action by Microsoft, which in May 2025 seized 2,300 domains connected to the Lumma malware-as-a-service operation, underscoring a continued effort to disrupt cybercrime networks globally.
(Source: Bleeping Computer)