Microsoft’s Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that was behind a phishing-as-a-service (Phaas) toolkit used to steal more than 5,000 Microsoft 365 credentials from 94 countries since July 2024.
“Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims,” Steven Masada, assistant general counsel at DCU, said.
“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm – simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
The initial phase of the Cloudflare takedown commenced on September 2, 2025, with additional actions occurring on September 3 and September 4. This included banning all identified domains, placing interstitial “phish warning” pages in front of them, terminating the associated Workers scripts, and suspending the user accounts. The efforts were completed on September 8.
Tracked by the Windows maker under the name Storm-2246, RaccoonO365 is marketed to other cybercriminals under a subscription model, allowing them to mount phishing and credential harvesting attacks at scale with little to no technical expertise. A 30-day plan costs $355, and a 90-day plan is priced at $999.
The operators also claim that the tool is hosted on bulletproof virtual private servers with no hidden backdoors (unlike, say, BulletProofLink), and that it’s “built for serious players only – no low-budget freeloaders.”
According to Morado, campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking them into clicking on lookalike pages that are designed to capture victims’ Microsoft 365 usernames and passwords. The phishing emails are often a precursor to malware and ransomware.
The most troubling aspect, from a defender’s standpoint, is the use of legitimate tools like Cloudflare Turnstile as a CAPTCHA, as well as implementing bot and automation detection using a Cloudflare Workers script to protect their phishing pages, thereby making sure that only intended targets of the attack can access and interact with them.
Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.
The phishing campaigns have targeted over 2,300 organizations in the United States, including at least 20 U.S. healthcare entities.
“Using RaccoonO365’s services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims’ systems,” Microsoft said.
“Most recently, the group started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication – and effectiveness – of attacks.”
The mastermind behind RaccoonO365 is assessed to be Joshua Ogundipe, an individual based in Nigeria, who, along with his associates, has advertised the tool on an 850-member strong Telegram channel, receiving no less than $100,000 in cryptocurrency payments. The e-crime group is believed to have sold about 100-200 subscriptions, although Microsoft cautioned it’s likely an underestimate.
The tech giant said it was able to make the attribution courtesy of an operational security lapse that inadvertently exposed a secret cryptocurrency wallet. Ogundipe and four other co-conspirators currently remain at large, but Microsoft noted that a criminal referral for Ogundipe has been sent to international law enforcement.
Cloudflare, in its own analysis of the PhaaS service, said the takedown of hundreds of domains and Worker accounts is aimed at increasing operational costs and sending a warning to other malicious actors who may abuse its infrastructure for malicious purposes.
Since the disruption, the threat actors have announced that they are “scrapping all legacy RaccoonO365 links,” urging their customers who paid for a 1-month subscription to switch to a new plan. The group also said it will compensate those affected by offering “one extra week of subscription” following the upgrade.
The “response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption aimed at dismantling the actor’s operational infrastructure on our platform,” Cloudflare said.
