Microsoft and Cloudflare have successfully disrupted RaccoonO365, a large-scale Phishing-as-a-Service (PhaaS) operation that enabled cybercriminals to steal thousands of Microsoft 365 credentials worldwide.
In early September 2025, Microsoft’s Digital Crimes Unit (DCU), working alongside Cloudflare’s Cloudforce One and Trust and Safety teams, seized 338 websites and Worker accounts tied to the operation. The group, tracked by Microsoft as Storm-2246, has been active since at least July 2024 and is believed to have stolen over 5,000 Microsoft credentials across 94 countries.
RaccoonO365 used advanced phishing kits that bundled CAPTCHA challenges and anti-bot techniques to appear more convincing and evade detection. In April 2025, one large-scale campaign targeted over 2,300 U.S. organizations with tax-themed phishing lures, while more than 20 healthcare providers were also hit. Stolen data—including credentials, cookies, and files from OneDrive, SharePoint, and Outlook accounts—was later used for fraud, extortion, and ransomware attacks.
“This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals,” said Steven Masada, Assistant General Counsel for Microsoft’s Digital Crimes Unit.
Investigators found that RaccoonO365 was run as a subscription service via a private Telegram channel with over 840 members. Prices ranged from $355 for 30 days to $999 for 90 days, with payments made in cryptocurrency, including Bitcoin (BTC) and USDT on multiple chains. Microsoft estimates the operators earned at least $100,000, though the real number may be higher.
The DCU identified the group’s leader as Joshua Ogundipe, a Nigerian national with a background in computer programming. According to Microsoft, Ogundipe wrote much of the RaccoonO365 code and collaborated with Russian-speaking cybercriminals, as suggested by the group’s Telegram bot. An operational security lapse that exposed a cryptocurrency wallet helped investigators trace the operation. A criminal referral for Ogundipe has been sent to international law enforcement.
This takedown follows Microsoft’s earlier May 2025 disruption of Lumma MaaS (Malware-as-a-Service), where the company seized 2,300 malicious domains linked to information-stealing campaigns.