RaccoonO365 Phishing Network Stopped By Microsoft & Cloudflare Disrupting 338 Domains
“Microsoft & Cloudflare have stopped the RaccoonO365 Phishing Network by disrupting 338 Domains.”
Microsoft’s Digital Crimes Unit (DCU) said it partnered with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group behind a phishing-as-a-service (PhaaS) toolkit that has been used to steal more than 5,000 Microsoft 365 credentials from victims in 94 countries since July 2024.
Steven Masada, Assistant General Counsel, DCU
| “The DCU disrupted the operation’s technical infrastructure and cut off criminals’ access to victims by seizing 338 websites linked to the well-known service through a court order given by the Southern District of New York.”
“This example demonstrates that sophisticated cybercriminals are not necessary to inflict extensive harm. Cybercrime is accessible to almost anyone thanks to simple programs like RaccoonO365, endangering millions of users.” |

On September 2, 2025, the first stage of the Cloudflare takedown began, and on September 3 and 4, more steps were taken. This involved suspending the user accounts, stopping the related Workers scripts, blocking all identified domains, and displaying “phish warning” pages in front of them. The work was finished on September 8.
RaccoonO365, which Microsoft tracks as Storm-2246, is sold to other cybercriminals under a subscription model and enables them to launch phishing and credential-harvesting attacks at scale with little to no technical skill. A 30-day subscription costs $355, while a 90-day plan costs $999.
According to its operators, the program is “built for serious players only – no low-budget freeloaders” and is hosted on virtual private servers they describe as unbreakable and free of hidden backdoors, in contrast to, for instance, BulletProofLink.
Morado
| Since September 2024, RaccoonO365 campaigns have been running. Usually, these attacks use phony emails that imitate well-known companies like Microsoft, DocuSign, SharePoint, Adobe, and Maersk to fool recipients into clicking on lookalike pages intended to steal their Microsoft 365 login credentials. Phishing emails frequently serve as a prelude to ransomware and viruses. |
From a defender’s perspective, the most concerning aspect is the operators’ use of legitimate Cloudflare tooling to protect their phishing pages: Cloudflare Turnstile serves as a CAPTCHA in front of the pages, and a Cloudflare Workers script performs bot and automation detection, so that only the intended human targets can reach and interact with the pages while automated visitors are turned away.
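Challenge-gating matters operationally because a URL scanner or sandbox that follows a reported link may only ever see the challenge page, never the credential form behind it, and will wrongly score the URL as harmless. The following triage helper is an added example written for this article; it is not code from Microsoft, Cloudflare or Morado. It parses fetched HTML and separates three cases: a page that is gated by a Turnstile challenge with no form visible (needs interactive or manual follow-up), a page that exposes a password field together with lure brand names (needs a brand-versus-domain check), and a page with no indicator. The Turnstile markers it looks for (the `challenges.cloudflare.com/turnstile` script host and the `cf-turnstile` widget class) are the public Turnstile embedding markers; the brand word list and the three sample pages are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Public markers of a Cloudflare Turnstile widget embedded in a page.
TURNSTILE_SCRIPT = "challenges.cloudflare.com/turnstile"
TURNSTILE_CLASS = "cf-turnstile"
# Brands the article says RaccoonO365 lures imitate (constructed lookup list).
BRAND_WORDS = ("microsoft", "office 365", "docusign", "sharepoint", "adobe", "maersk")


@dataclass
class PageFacts:
    scripts: list = field(default_factory=list)      # external script URLs
    classes: list = field(default_factory=list)      # CSS class names seen
    input_types: list = field(default_factory=list)  # <input type=...> values
    text: list = field(default_factory=list)         # visible text fragments


class _Collector(HTMLParser):
    """Collect the few page facts the triage needs; stdlib only."""

    def __init__(self):
        super().__init__()
        self.facts = PageFacts()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.facts.scripts.append(a["src"])
        if a.get("class"):
            self.facts.classes.extend(a["class"].split())
        if tag == "input":
            self.facts.input_types.append((a.get("type") or "text").lower())

    def handle_data(self, data):
        s = data.strip()
        if s:
            self.facts.text.append(s)


def triage(html: str) -> dict:
    """Classify a fetched page as challenge-gated, credential-form or no-indicator."""
    parser = _Collector()
    parser.feed(html)
    f = parser.facts
    has_turnstile = any(TURNSTILE_SCRIPT in s for s in f.scripts) or TURNSTILE_CLASS in f.classes
    has_password_field = "password" in f.input_types
    body = " ".join(f.text).lower()
    brands = sorted(b for b in BRAND_WORDS if re.search(r"\b" + re.escape(b) + r"\b", body))

    if has_turnstile and not has_password_field:
        # The scanner only reached the challenge; the real content is still unseen.
        verdict = "challenge-gated"
    elif has_password_field and brands:
        # A login form that names a lured brand: compare the brand to the serving domain next.
        verdict = "credential-form"
    else:
        verdict = "no-indicator"
    return {"verdict": verdict, "turnstile": has_turnstile,
            "password_field": has_password_field, "brands": brands}


# Constructed sample pages (not captured from any real campaign).
GATED_PAGE = """<html><head><title>Sign in</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><p>Verifying you are human before continuing to Microsoft sign in</p>
<div class="cf-turnstile" data-sitekey="SITEKEY-PLACEHOLDER"></div></body></html>"""

FORM_PAGE = """<html><body><h1>Microsoft</h1><form method="post" action="/submit">
<input type="email" name="login"><input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""

PLAIN_PAGE = """<html><body><h1>Welcome to our blog</h1><p>Latest posts below.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("gated", GATED_PAGE), ("form", FORM_PAGE), ("plain", PLAIN_PAGE)):
        print(name, triage(page))
```

In a scanning pipeline the `challenge-gated` verdict should never be collapsed into “clean”; it is the signal to hand the URL to an interactive browser session or an analyst, because the content that matters has not been observed yet. The `credential-form` verdict is only a prompt for the next check (does the serving domain belong to the named brand?), since a genuine login page produces the same result.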
The Redmond-based corporation issued a warning earlier this April about several phishing attempts that use tax-related themes to spread malware, including Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4).

It further stated that RaccoonO365 was used to distribute the phishing pages, and that one such campaign was linked to Storm-0249, an initial access broker. At least 20 US healthcare institutions are among the more than 2,300 organizations that have been the target of the phishing attempts.
Microsoft
| “Customers can use RaccoonO365’s services to enter up to 9,000 target email addresses every day and use advanced methods to get beyond multi-factor authentication safeguards to steal user credentials and obtain ongoing access to victims’ systems.”
“The gang most recently began promoting RaccoonO365 AI-MailCheck, a new AI-powered service that is intended to scale operations and improve the complexity and efficacy of attacks.” |
Joshua Ogundipe, a Nigerian, is thought to be the brains of RaccoonO365. He and his colleagues have promoted the tool on a Telegram channel with 850 members and have received at least $100,000 in cryptocurrency payments.
The e-crime gang is reported to have sold roughly 100-200 subscriptions, although Microsoft stressed it’s likely an underestimate. The tech company claimed that an operational security breach that unintentionally revealed a secret cryptocurrency wallet allowed it to make the attribution.
Microsoft stated that Ogundipe has been referred to international law enforcement for criminal charges, but he and four other co-conspirators remain at large. In its own account of the PhaaS service, Cloudflare said the removal of hundreds of domains and Workers accounts was intended to raise the operators’ costs and to send a message to anyone who would misuse its infrastructure for malicious ends.
The threat actors have declared that they are “scrapping all legacy RaccoonO365 links,” and they are advising their clients who have already paid for a one-month subscription to switch to a new plan in light of the interruption.
Additionally, the company promised to provide “one extra week of subscription” after the upgrade as compensation to anyone impacted.

Cloudflare
| The response to dismantle the actor’s operational infrastructure on our platform “signals a strategy shift from reactive, single-domain takedowns to a proactive, large-scale disruption.” |
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.