Microsoft Takes Down 300+ Websites Behind RaccoonO365 Phishing Scheme
Microsoft’s Digital Crimes Unit (DCU) has seized control of 338 websites facilitating RaccoonO365, the rapidly expanding phishing-as-a-service platform that enables anyone to harvest Microsoft 365 credentials.
Acting under a court order from the Southern District of New York, the DCU disrupted the operation’s technical infrastructure, denying cybercriminals access to victims and cutting off their revenue streams.
This action underscores how readily available, subscription-based phishing kits have lowered the barrier to entry for cybercrime, placing millions of users worldwide at heightened risk.
Tracked by Microsoft as Storm-2246, RaccoonO365 offers tiered subscriptions allowing users—regardless of technical expertise—to launch large-scale phishing attacks.
Since July 2024, its clients have stolen at least 5,000 Microsoft credentials across 94 countries. Despite many credential thefts being mitigated by built-in security features, the volume of successful attacks highlights the enduring potency of social engineering.
In one extensive tax-themed campaign, attackers impersonated official tax authorities to ensnare targets and infiltrated over 2,300 organizations in the United States.
Alarmingly, at least 20 U.S. healthcare entities fell victim to these campaigns, jeopardizing patient care by delaying services, corrupting lab results, and exposing sensitive health data—outcomes that could translate into significant financial and human costs.
Technical Sophistication
RaccoonO365’s rapid feature rollouts have kept pace with customer demand. The service now accommodates up to 9,000 target addresses per day and includes tools to bypass multi-factor authentication controls, enabling persistent access once credentials are captured.

The platform’s latest offering, AI-MailCheck, leverages generative AI to craft more convincing emails at scale, further amplifying its threat potential.
Customers can choose from multiple subscription levels, each granting access to branded phishing email templates, spoofed login portals, and automated delivery systems.
Underpinning this operation is a streamlined support channel hosted on Telegram, where over 850 members have engaged and paid at least US$100,000 in cryptocurrency—enough to power hundreds of millions of phishing messages annually.

Investigations led DCU analysts to Nigeria-based developer Joshua Ogundipe, who authored most of RaccoonO365’s code and orchestrated domain registrations using fictitious identities.
An operational security slip—exposing a secret cryptocurrency wallet—enabled Microsoft to attribute and trace illicit funds.
With a criminal referral now sent to international law enforcement, Ogundipe and his associates face legal action aimed at dismantling both current and future infrastructure.
Microsoft’s disruption of RaccoonO365 demonstrates the efficacy of combining legal authority with technical countermeasures.
Collaborating with Cloudflare and Health-ISAC, a non-profit focused on healthcare cybersecurity, the DCU secured takedowns and shared intelligence to protect critical sectors.
To bolster investigations, Microsoft is integrating blockchain analysis tools such as Chainalysis Reactor, enhancing its ability to trace criminal proceeds and build evidence against perpetrators.
Strengthening Defenses
As cybercrime evolves, legal actions alone are insufficient. Governments must harmonize laws, expedite cross-border prosecutions, and close regulatory gaps that cybercriminals exploit.
Meanwhile, organizations and individuals must remain vigilant by enforcing strong multi-factor authentication, deploying up-to-date anti-phishing solutions, and educating users about emerging threat tactics.
This operation exemplifies the power of multi-sector cooperation: technology firms, security vendors, non-profits, and law enforcement working in concert can dismantle sophisticated criminal networks.
By sustaining these partnerships and advancing joint initiatives, the global community can build resilience against the next generation of accessible, AI-enhanced cyber threats.