On September 15, Microsoft made an official announcement regarding the takedown of the RaccoonO365 phishing service. This operation, dubbed a “raid” in tech circles, highlights the ongoing battle against the phishing-as-a-service (PaaS) platforms that target users and businesses alike.
Let’s dive into the details of Microsoft’s raid on RaccoonO365 and what it means for online security.
About Raccoon 365.
The RaccoonO365 (also tracked as Storm-2246) network offered subscription-based phishing kits to 338 websites. The kits it provided made it easy for low-skill cybercriminals to steal Microsoft 365 usernames and passwords.
Mode of Operation
RaccoonO365 kits functioned by sending fake Microsoft-branded emails, attachments, and websites to trick users into entering their login details. This allowed the perpetrators to bypass multi-factor authentication (MFA) by capturing session cookies after tricking victims.
They made use of legitimate internet infrastructure like Cloudflare services plus anti-bot/CAPTCHA protections to evade detection and make their pages look more credible.
Scope of Operation
Microsoft reports that RaccoonO365’s kits have stolen at least 5,000 Microsoft credentials from 94 countries since July 2024.
In the US alone, RaccoonO365 kits targeted 2,300 organizations and at least 20 healthcare organizations, highlighting the significant threat they pose to public safety.
Cybercriminals used the stolen credentials to commit various crimes, including fraud, extortion, and selling access to victims’ network on the dark web to other malicious actors.
A Takedown Powered by Law and Tech
RaccoonO365 was quite different from other phishing platforms due to how it evolved to meet the rising demands of cybercriminals. These upgrades allow its customers to input up to 9,000 target email addresses per day and employ sophisticated techniques to bypass MFA.
Left to its devices, the group stood the chance of scaling its operations to the point of causing a global malware disaster. This swiftly prompted Microsoft into taking legal action by using a court order granted by the Southern District of New York to seize 338 websites linked to the phishing network.
Microsoft’s Digital Crimes Unit (DCU) seized 338 websites linked to the operations of the RaccoonO365 phishing service.
While Microsoft disrupted the sites, Cloudflare took action by halting all Raccoon365 operations on their platform. Soon Microsoft was able to map the actor’s entire infrastructure, ban all identified domains, put “phish warnings” on some sites, terminate worker scripts, and suspend the user accounts to prevent re-registration.
On September 8, 2025, Microsoft and Cloudflare had completely taken down RaccoonO365 operations.
The Master Mind
During the raid, Microsoft’s DCU was able to identify the leader of the platform to be Joshua Ogundipe, an individual based in Nigeria. The group he led sold subscriptions to its “RaccoonO365 Suite” via a private Telegram channel, which as of August 25, 2025, had 845 members.
They provided a tiered pricing model through the channel, structuring offerings to appeal to a range of criminals. Plans sold via the channel included a 30-day plan for $355 and a 90-day plan for $999. The service accepted payments in the form of Bitcoin and USDT.
According to investigations, the channel generated at least $100,000 in cryptocurrency payments made for subscriptions.
Going Forward
Microsoft has vowed to evolve and continue its legal efforts to dismantle any rebuilt infrastructure from RaccoonO365. The incident has also raised calls for international cooperation via cybercrime laws, cross-border enforcement, and shared intelligence.
However, it doesn’t just end with international co-operations and increased efforts in cybersecurity. Users must actively perform their due diligence to protect their digital presence to avoid falling victim to phishing attacks.
If you are a user of Microsoft services, take this incident as a reminder to beef up your security practices. Stay informed and stay secure.
