Microsoft has struck a major blow against one of the fastest-growing phishing operations targeting its cloud users. In a decisive move, Microsoft’s Digital Crimes Unit (DCU), backed by a court order from the Southern District of New York, seized 338 websites linked to RaccoonO365, a criminal service designed to steal Microsoft 365 credentials at scale. The takedown aims to cripple a platform that made phishing accessible to anyone – even those with minimal technical skills – while putting millions of users worldwide at risk.
According to Microsoft, RaccoonO365, tracked internally as Storm-2246, functioned as a subscription-based phishing kit marketplace. For as little as a few hundred dollars, aspiring cybercriminals could purchase a ready-made service capable of mimicking Microsoft login pages, emails, and documents. These kits were designed to trick victims into handing over usernames and passwords: credentials that often unlock sensitive data, business operations, and healthcare systems.
The impact was global and alarming. Since July 2024, the platform has been used to steal at least 5,000 Microsoft credentials across 94 countries. Most disturbingly, it targeted more than 20 U.S. healthcare organizations, threatening patient safety by enabling ransomware and malware attacks that delay medical services, compromise lab results, and put lives at risk. The campaign also ran large-scale tax-themed phishing attacks against over 2,300 organizations in the U.S.
The mastermind behind RaccoonO365 has been identified as Joshua Ogundipe, based in Nigeria, who, along with associates, built, marketed, and sold the service on Telegram. The group offered customer support for fellow cybercriminals, evolving the platform rapidly to meet growing demand. At its peak, RaccoonO365 had more than 850 members on Telegram and collected at least $100,000 in cryptocurrency. The DCU linked Ogundipe to the operation through an operational security lapse revealing a cryptocurrency wallet.
Microsoft also highlighted the service’s disturbing evolution: criminals could input up to 9,000 target emails per day, use tricks to bypass multi-factor authentication, and even leverage a new AI-powered tool – RaccoonO365 AI-MailCheck – to boost phishing efficiency.
This operation underscores a wider trend in cybercrime: low-barrier, high-scale criminal services. It demonstrates how phishing-as-a-service (PhaaS) platforms are fueling a global surge in credential theft. For businesses in the Middle East and Africa (MEA), the threat is especially relevant, given the region’s rapid digital transformation, growing reliance on Microsoft 365, and the attractiveness of financial, healthcare, and government sectors to cybercriminals.
According to Cloudflare, “The group sells subscriptions to its “RaccoonO365 Suite” via a private Telegram channel, which as of August 25th, 2025 had 845 members. The platform operates on a tiered pricing model with offerings structured to appeal to a range of criminals, from short-term testers to those running continuous campaigns. Plans are sold in various durations, such as a 30-day plan for $355 and a 90-day plan for $999. The service exclusively accepts cryptocurrencies, including USDT (TRC20, BEP20, Polygon) and Bitcoin (BTC).”
10 Recommended Actions for Security Teams:
- Enable Multi-Factor Authentication (MFA): Ensure all Microsoft 365 accounts enforce MFA to add a strong layer of protection.
- Deploy Advanced Anti-Phishing Tools: Use solutions to detect and block phishing attempts.
- Educate Users Continuously: Invest in user training and awareness to help staff spot suspicious emails and login prompts.
- Monitor for Unusual Login Activity: Track and respond to anomalous sign-ins, especially from unusual geographies.
- Restrict Access by Policy: Implement conditional access policies for high-risk accounts and sensitive data.
- Patch and Update Regularly: Ensure endpoints and email clients are up to date with the latest security patches.
- Use Threat Intelligence Feeds: Subscribe to services that provide real-time alerts on phishing campaigns and compromised domains.
- Audit Third-Party Integrations: Review connected apps and services that could expose credentials.
- Prepare an Incident Response Plan: Define clear steps for phishing-related breaches to minimize damage.
- Collaborate Across Borders: Engage with local and international partners to share intelligence and strengthen defenses.
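The "Enable MFA" and "Monitor for Unusual Login Activity" recommendations above can be turned into a simple detection sweep over a sign-in log export. The following is an added example written for this article; it is not Microsoft's tooling, and the JSON field names (`user`, `country`, `mfa`, `result`, and so on) are assumptions chosen to resemble a generic cloud sign-in log rather than any product's exact schema. The sample events are constructed: a user who normally signs in from one country, then two successful sign-ins from an unexpected country where MFA was not satisfied, which is the footprint a phished credential typically leaves.

```python
"""Flag anomalous Microsoft 365-style sign-ins in a JSON-lines export.

Added example for this article (not Microsoft's or Cloudflare's code).
Field names are assumptions, not a specific product schema.
"""
import json
from collections import defaultdict

# Constructed sample events. "XX" is a placeholder country code chosen to sit
# outside the user's baseline; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
{"ts": "2025-09-01T08:02:11Z", "user": "amira@example.com", "country": "AE", "ip": "198.51.100.10", "result": "success", "mfa": "satisfied", "app": "Outlook"}
{"ts": "2025-09-01T09:15:40Z", "user": "amira@example.com", "country": "AE", "ip": "198.51.100.11", "result": "success", "mfa": "satisfied", "app": "Teams"}
{"ts": "2025-09-02T08:05:03Z", "user": "amira@example.com", "country": "AE", "ip": "198.51.100.10", "result": "success", "mfa": "satisfied", "app": "Outlook"}
{"ts": "2025-09-02T12:30:00Z", "user": "amira@example.com", "country": "AE", "ip": "198.51.100.12", "result": "success", "mfa": "not_required", "app": "SharePoint"}
{"ts": "2025-09-02T23:47:55Z", "user": "amira@example.com", "country": "XX", "ip": "203.0.113.77", "result": "success", "mfa": "not_required", "app": "Outlook"}
{"ts": "2025-09-02T23:48:30Z", "user": "amira@example.com", "country": "XX", "ip": "203.0.113.77", "result": "success", "mfa": "not_required", "app": "SharePoint"}
{"ts": "2025-09-02T10:00:00Z", "user": "sipho@example.com", "country": "ZA", "ip": "192.0.2.5", "result": "failure", "mfa": "n/a", "app": "Outlook"}
{"ts": "2025-09-02T10:00:20Z", "user": "sipho@example.com", "country": "ZA", "ip": "192.0.2.5", "result": "success", "mfa": "satisfied", "app": "Outlook"}
{"ts": "2025-09-03T10:01:00Z", "user": "sipho@example.com", "country": "ZA", "ip": "192.0.2.5", "result": "success", "mfa": "satisfied", "app": "Teams"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad export line should not abort the whole sweep
    return events


def build_baseline(events, min_count=2):
    """Per-user set of countries seen in at least min_count successful,
    MFA-satisfied sign-ins.

    Only MFA-backed sign-ins feed the baseline, so a single sign-in made with
    a stolen password cannot "teach" the detector that its location is normal.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("result") == "success" and ev.get("mfa") == "satisfied":
            counts[ev["user"]][ev["country"]] += 1
    return {user: {c for c, n in per.items() if n >= min_count}
            for user, per in counts.items()}


def find_suspicious(events, baseline):
    """Return alerts for successful sign-ins that fall outside the user's
    geographic baseline or completed without MFA being satisfied."""
    alerts = []
    for ev in events:
        if ev.get("result") != "success":
            continue
        reasons = []
        known = baseline.get(ev["user"], set())
        if ev["country"] not in known:
            reasons.append(f"new country {ev['country']} (baseline {sorted(known) or 'none'})")
        if ev.get("mfa") != "satisfied":
            reasons.append(f"mfa={ev.get('mfa')}")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_suspicious(evs, build_baseline(evs)):
        print(alert["ts"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, the sweep produces three alerts: one sign-in from the usual country that was allowed through without MFA (a conditional access gap worth closing on its own), and the two sign-ins from the unexpected country that also lacked MFA, the combination that should trigger a password reset and session revocation under the incident response plan. Requiring MFA-satisfied sign-ins before a location enters the baseline is the one design choice that matters here; without it, the attacker's first successful login would quietly normalize their location.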
Conclusion:
The takedown of RaccoonO365 is a reminder that cybercrime is not just a matter of technical skill – it’s now a business model accessible to anyone. By dismantling 338 malicious websites and unmasking its operator, Microsoft and its partners have disrupted a fast-growing threat. Yet, as history shows, such operations often resurface. Security teams must remain vigilant, strengthen defenses, and prepare for the next wave of phishing-as-a-service schemes. In a digital era where trust is currency, proactive defense is no longer optional; it’s essential.