Summary Points
- Collaboration Against Cybercrime: Microsoft and Cloudflare partnered to dismantle the phishing service "RaccoonO365," targeting a notorious cybercrime operation responsible for stealing Microsoft 365 credentials.
- Widespread Impact: RaccoonO365’s kits have compromised over 5,000 Microsoft accounts globally, targeting numerous organizations, including more than 20 healthcare entities in the U.S., posing significant public safety risks.
- Phishing-as-a-Service Model: This service enabled low-skill cybercriminals to conduct automated phishing attacks with ease, mimicking legitimate brands to deceive users into providing sensitive information.
- Enforcement Actions: Microsoft identified Nigerian mastermind Joshua Ogundipe, who is linked to at least $100,000 in cryptocurrency earnings, and submitted a criminal referral to international law enforcement.
Microsoft and Cloudflare teamed up to take down a notorious phishing service known as “RaccoonO365,” the companies said this week.
In a blog post, Microsoft said its Digital Crimes Unit used a court order granted by the Southern District of New York to seize 338 websites associated with the service. In the same post, Microsoft described RaccoonO365 as “the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords.”
The gang behind the service, which Microsoft tracks as Storm-2246, offers subscription-based phishing kits. Phishing-as-a-service (PhaaS) kits have become an increasingly popular entry point for lower-skill individuals who want to get into cybercrime.
“These let anyone — even those with little technical skill — steal Microsoft credentials by mimicking official Microsoft communications,” Steven Masada, blog post author and assistant general counsel of Microsoft’s Digital Crimes Unit, wrote. “To deceive users, RaccoonO365’s kits use Microsoft branding to make fraudulent emails, attachments, and websites appear legitimate, enticing recipients to open, click, and enter their information.”
RaccoonO365 Breaches Thousands
Masada explained that, since July 2024, RaccoonO365 kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. He called the scope of Storm-2246’s reach a marker of “a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially.”
RaccoonO365 was used to target more than 2,300 organizations in the US as part of a tax-themed phishing campaign, and Microsoft said its kits were used to target at least 20 US healthcare organizations. “This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals,” Masada wrote.
A subscription allows a user to input up to 9,000 target email addresses for automated phishing attacks, and the service also advertised spam and email security filter bypassing as well as full infrastructure support. Interestingly, the service advertised that, in order to steal Microsoft credentials, it leveraged Microsoft services such as Azure.
Screenshots showed an annual subscription fee of $600 as well as discounted options for 30- and 60-day licenses. Admins also started advertising a new AI-powered service titled “RaccoonO365 AI-MailCheck.”
According to a blog post from Cloudflare, which partnered with Microsoft to seize and take down attacker infrastructure, RaccoonO365 employed multiple phishing techniques, such as impersonating DocuSign, SharePoint, Adobe, and Maersk in emails. Credential-stealing functionality was hidden in links or in attached documents such as PDFs.
“RaccoonO365 phishing emails were crafted to impersonate trusted brands or organizations within the targeted company, using familiar workplace themes to exploit trust and create urgency. File names were designed to mimic routine communications — such as finance or HR documents, policy agreements, contracts, and invoices,” the blog post read. “In some cases, the emails went further, incorporating the recipient’s name into links or attachments to enhance credibility. This social engineering tactic increases the likelihood that users will click, believing the message is legitimate.”
Taking Down and Unmasking RaccoonO365
Microsoft’s Digital Crimes Unit took the opportunity to identify and unmask Joshua Ogundipe, an individual based in Nigeria, as the mastermind behind RaccoonO365. Masada said Ogundipe and his associates have received at least $100,000 USD in cryptocurrency, reflecting approximately 100 to 200 subscriptions, a figure Microsoft said was likely an underestimate of the actual number of subscriptions sold.
The blog post painted a picture of an organized, company-like structure.
“Ogundipe and his associates each have specialized roles within the cybercriminal organization, and together they develop, and sell the service, while providing customer support to help other cybercriminals steal information from Microsoft users,” the blog post read. “To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries.”
On the question of attribution, Masada noted that “an operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU’s attribution and understanding of their operations.”
Microsoft has sent a criminal referral for Ogundipe to international law enforcement.
In its blog post, Cloudflare said it disrupted RaccoonO365 by teaming up with Microsoft and US law enforcement. The company used sign-up patterns to map attacker infrastructure before executing a three-day “rugpull” against the group earlier this month. Cloudflare “banned all identified domains, placed interstitial ‘phish warning’ pages in front of them, terminated the associated Workers scripts, and suspended the user accounts to prevent re-registration.”
Dark Reading contacted Microsoft for additional comment.