In a significant cybersecurity operation, Microsoft, in collaboration with Cloudflare and U.S. law enforcement, has dismantled the RaccoonO365 phishing-as-a-service network. This service, operated by Nigerian national Joshua Ogundipe, enabled cybercriminals to conduct large-scale phishing campaigns targeting Microsoft 365 users worldwide. The takedown involved the seizure of 338 domains, disrupting the infrastructure of a service that had stolen over 5,000 credentials across 94 countries since its inception in July 2024.
Phishing-as-a-Service Model
RaccoonO365 operated as a subscription-based service, offering phishing kits that allowed even individuals with limited technical expertise to launch sophisticated attacks. Subscribers could create convincing fake Microsoft login pages, complete with branding and anti-bot measures, to deceive users into entering their credentials. This approach significantly lowered the barrier to entry for cybercriminals, facilitating widespread credential theft.
Global Impact and Financial Gains
Since its launch, RaccoonO365 has facilitated the theft of at least 5,000 Microsoft credentials from users in 94 countries. The operation generated over $100,000 in cryptocurrency payments, primarily from U.S.-based subscribers. Notably, the service was linked to a tax-themed phishing campaign in February 2025, which targeted more than 2,300 U.S. organizations, including healthcare entities.
Collaborative Takedown Effort
The takedown was carried out under a court order from the Southern District of New York that authorized Microsoft to seize the domains associated with RaccoonO365. Cloudflare, whose services the operators had used to conceal their infrastructure, assisted by disrupting the service's backend and blocking the creation of new accounts. The U.S. Secret Service also played a crucial role in enforcing the takedown.
Lessons and Future Outlook
The disruption of RaccoonO365 underscores the evolving nature of cyber threats and the need for continuous vigilance. While this operation has significantly impacted the service, experts caution that cybercriminals may adapt and develop new methods to exploit users. Organizations are advised to implement robust security measures, including multi-factor authentication and user education, to mitigate the risk of falling victim to similar attacks.