Microsoft Disrupts ‘RaccoonO365’ Phishing Service

Summary

Microsoft’s Digital Crimes Unit, working with Cloudflare and US law enforcement, seized 338 websites tied to a subscription-based phishing-as-a-service (PhaaS) called RaccoonO365. The service — tracked by Microsoft as operated by a group called Storm-2246 — was described as a rapidly growing tool used to steal Microsoft 365 credentials by impersonating trusted services and brands.

Since July 2024 the kits have been used to harvest at least 5,000 Microsoft credentials across 94 countries, and were behind campaigns targeting thousands of organisations in the US, including healthcare providers. Microsoft identified a suspected operator, Joshua Ogundipe in Nigeria, and reported roughly $100,000 received in cryptocurrency from subscriptions. Cloudflare executed a coordinated disruption that banned domains, added phish-warning interstitials, terminated scripts, and suspended accounts to block re-registration.

Key Points

  1. Microsoft and Cloudflare seized 338 domains tied to RaccoonO365, a subscription phishing service targeting Microsoft 365 users.
  2. RaccoonO365 kits have stolen at least 5,000 credentials across 94 countries since July 2024 and targeted over 2,300 US organisations in a tax-themed campaign.
  3. The service offered tiered subscriptions (e.g. $600 annual) and could target up to 9,000 email addresses per subscription; it also advertised additional services such as spam and filter bypassing.
  4. Attackers used social engineering and impersonation of brands (Microsoft, DocuSign, SharePoint, Adobe, Maersk) and hid credential theft in links and attachments such as PDFs.
  5. Microsoft’s DCU attributed the service to an organised group (Storm-2246) and identified an alleged operator in Nigeria; a criminal referral was sent to international law enforcement.
  6. Cloudflare mapped sign-up patterns and executed a short, focused disruption — banning domains, showing phish warnings and suspending accounts — to prevent immediate re-registration.

Context and relevance

Phishing-as-a-service lowers the barrier to entry for cybercrime, turning credential theft into a commodity. This takedown shows cloud providers and platform owners can substantially disrupt large-scale PhaaS operations when they collaborate with law enforcement. For organisations, the incident underscores persistent risks to cloud identities and how social-engineered emails remain the primary vector for initial access, often preceding malware or ransomware.

Why should I read this?

Short version: big takedown, but the problem’s not gone. If you care about protecting user credentials and keeping your org off the next hit list, this is useful. Read it to learn how these services operate, what Microsoft and Cloudflare did to stop them, and what quick defensive moves make the biggest difference — think MFA, phishing filters, employee training and suspicious-link handling. The article saves you the legwork: it spells out the scale, the tactics, and who got unmasked.

Source

Source: https://www.darkreading.com/application-security/microsoft-disrupts-raccoono365-phishing-service
