Microsoft, Cloudflare Seize 338 Domains Tied to RaccoonO365 Phishing

Microsoft and Cloudflare Dismantle Global RaccoonO365 Phishing Operation, Seize 338 Domains and Identify Suspected Leader

  • Microsoft and Cloudflare seized 338 domains linked to the phishing group RaccoonO365.
  • The group stole over 5,000 Microsoft 365 credentials from victims in 94 countries since July 2024.
  • RaccoonO365 operated as a phishing-as-a-service toolkit sold on a subscription model to cybercriminals.
  • The service targeted major companies, used advanced evasion methods, and advertised upgrades after the takedown.
  • Authorities identified a Nigerian individual as the suspected leader, and law enforcement referrals have followed.

Microsoft and Cloudflare disrupted the activities of the cybercriminal group RaccoonO365 by taking control of 338 websites the group used for phishing schemes. The action began as a coordinated global operation under a court order from the Southern District of New York in early September 2025.

According to Microsoft’s Digital Crimes Unit, RaccoonO365 used its phishing service to steal more than 5,000 Microsoft 365 usernames and passwords from individuals in 94 countries since July 2024. The group offered its phishing toolkit to buyers on a subscription basis, charging $355 for 30 days or $999 for 90 days.

“Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims,” said Steven Masada, assistant general counsel at DCU. Cloudflare banned the identified domains, added warning pages, disabled associated scripts, and suspended user accounts between September 2 and September 8, 2025. The company described the strategy as “a proactive, large-scale disruption aimed at dismantling the actor’s operational infrastructure on our platform.”

Microsoft tracked the group as Storm-2246. RaccoonO365 allowed even inexperienced users to carry out large-scale phishing and credential theft by mimicking trusted companies such as Microsoft, DocuSign, SharePoint, and Adobe in fake emails. These emails led victims to lookalike sites designed to steal their login information. The service included features to circumvent multi-factor authentication and offered tools like Cloudflare Turnstile CAPTCHAs to block automated analysis and allow access only to intended victims.

The group also promoted new features, such as an AI-powered service named RaccoonO365 AI-MailCheck, to increase the reach and success of its attacks. The operators said they hosted the tools on “bulletproof” servers to avoid shutdowns and advertised primarily on a Telegram channel with about 850 members.

Authorities have identified Joshua Ogundipe, a Nigerian national, as the suspected leader of the RaccoonO365 operation, based on a security mistake that made a cryptocurrency wallet visible. Microsoft believes the group sold between 100 and 200 subscriptions and collected at least $100,000 in cryptocurrency. A criminal referral has been sent to international law enforcement.

Since the takedown, the threat actors have told their clients to stop using old links and have offered a free subscription extension to those who switch to the new plan. Cloudflare emphasized that disrupting the group would make continued phishing activities more expensive and difficult to conduct.
