Essential Insights
- Microsoft and Cloudflare disrupted the RaccoonO365 phishing operation, seizing 338 websites and linked accounts, which targeted over 2,300 U.S. organizations and more globally, stealing at least 5,000 Microsoft credentials since 2024.
- RaccoonO365 operated via a subscription-based model through a Telegram channel with over 840 members, earning an estimated $100,000 in cryptocurrency from around 100–200 active subscriptions, with prices ranging from $355 to $999.
- The operation was led by Nigerian national Joshua Ogundipe, who authored most of its code, and collaborated with Russian-speaking cybercriminals, with an operational security lapse revealing a key cryptocurrency wallet aiding law enforcement attribution.
- Stolen credentials facilitated financial fraud, extortion, malware, and ransomware attacks, significantly threatening public safety, especially impacting healthcare providers, with the group’s activity posing a severe risk to critical infrastructure and patient care.
What’s the Problem?
In September 2025, Microsoft’s Digital Crimes Unit, in a joint effort with Cloudflare’s security teams, successfully dismantled a large cybercriminal operation known as RaccoonO365, which supplied phishing kits used by cybercriminals worldwide to steal Microsoft 365 credentials. The group behind this service, identified as Storm-2246 and led by Nigerian hacker Joshua Ogundipe, rented out subscription-based kits through a private Telegram channel for hundreds of dollars paid in cryptocurrencies, enabling theft of over 5,000 user credentials across 94 countries since mid-2024. These stolen credentials, particularly from recipients in the U.S. healthcare sector and businesses, facilitated further malicious activities including financial fraud and cyberattacks that compromised patient data and disrupted hospital services. The authorities seized 338 related websites and worker accounts, revealing that Ogundipe, who has a background in programming and is believed to cooperate with Russian-speaking cybercriminals, inadvertently exposed a key cryptocurrency wallet, leading to their attribution and subsequent law enforcement referral.
The disruption was driven by Microsoft and Cloudflare’s shared goal of preventing the use of phishing in larger cyber threats such as malware and ransomware, which pose severe risks to public safety and critical infrastructure. This operation highlights the growing scale and sophistication of cybercriminal enterprises that operate underground markets and use encrypted digital currencies for profits, with Microsoft estimating the group earned over $100,000 from its operations. The case underscores the importance of ongoing cybersecurity vigilance, collaboration between private and public sectors, and the critical need to track and shut down cybercrime networks before they can cause widespread harm.
Critical Concerns
In September 2025, Microsoft and Cloudflare took significant action against the RaccoonO365 Phishing-as-a-Service (PhaaS) network, a cybercrime operation responsible for stealing over 5,000 Microsoft 365 credentials from 94 countries since July 2024. Utilizing sophisticated phishing kits with anti-bot measures, the group targeted organizations—including U.S. healthcare providers—leading to credential theft used for financial fraud, extortion, and system intrusion, which pose severe risks to public safety, especially in healthcare settings where delays, data breaches, and compromised patient care can have life-threatening consequences. RaccoonO365 operated via a clandestine Telegram channel, generating estimated revenues of at least $100,000, with subscriptions costing hundreds of dollars paid in cryptocurrency, revealing a lucrative underground marketplace. Authorities disrupted 338 related websites and identified the group’s leader, Nigerian hacker Joshua Ogundipe, whose operational security lapses facilitated attribution. This takedown underscores the evolving threat landscape, where cybercriminals leverage sophisticated malware, phishing, and cryptocurrency transactions to threaten data integrity, financial stability, and public safety, emphasizing the urgent need for enhanced cybersecurity measures.
Possible Action Plan
Acting swiftly to address the disruption caused by the "Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service" attack is crucial to minimize security breaches, protect sensitive data, and restore user trust. Rapid remediation helps prevent further exploitation of vulnerabilities and reduces potential damages.
Immediate Actions
- Isolate affected systems to prevent further spread.
- Disconnect or disable compromised accounts.
Communication
- Notify stakeholders and affected users promptly.
- Issue security advisories explaining the situation and recommended precautions.
Assessment
- Conduct forensic analysis to identify attack vectors.
- Determine scope and extent of compromise.
Mitigation
- Reset passwords and implement multi-factor authentication.
- Apply security patches and update software.
Enhancement
- Strengthen email security with advanced filtering.
- Implement domain-based message authentication (DMARC, DKIM, SPF).
Monitoring
- Intensify real-time network and account activity monitoring.
- Watch for subsequent suspicious behavior.
Precedent Planning
- Review and update incident response plans.
- Conduct staff training on phishing awareness.
Stay Ahead in Cybersecurity
Stay informed on the latest Threat Intelligence and Cyberattacks.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
