Microsoft & Cloudflare Take Down RaccoonO365 - A Notorious Global Phishing Network

In a significant joint operation, Microsoft’s Digital Crimes Unit (DCU) and Cloudflare have successfully dismantled a major cybercriminal infrastructure responsible for widespread phishing attacks across the globe. The collaboration resulted in the seizure of 338 domains linked to RaccoonO365, a phishing-as-a-service (PhaaS) toolkit used by financially motivated threat actors to steal thousands of corporate credentials from organizations in nearly 100 countries.

According to Microsoft, since July 2024, cybercriminals leveraging RaccoonO365 were able to compromise more than 5,000 Microsoft 365 accounts across 94 nations, demonstrating the massive reach and dangerous potential of PhaaS platforms in the modern cybercrime ecosystem.

This collaborative effort marks a significant step in disrupting the growing underground economy built around subscription-based phishing kits.

Operation Overview: Coordinated Takedown Effort

The takedown, carried out in early September 2025, involved Microsoft’s Digital Crimes Unit (DCU) working closely with Cloudflare’s Cloudforce One and Trust & Safety teams. Together, the teams seized 338 malicious websites and multiple Cloudflare Worker accounts that were central to the RaccoonO365 infrastructure.

The seized domains were part of a sprawling network used to host phishing landing pages, distribute fake login portals, and manage stolen data. Microsoft attributed the operation to a cybercrime group tracked internally as Storm-2246, which had been running the service for well over a year.

How the Operation Unfolded

The legal foundation for the takedown came through a court order from the U.S. District Court for the Southern District of New York, enabling authorities to seize the malicious domains.

  • Initial Actions: The first phase began on September 2, 2025, with Cloudflare identifying and banning all known domains linked to the RaccoonO365 operation.
  • Expanded Measures: Over the next two days, September 3 and 4, the crackdown intensified as Cloudflare deployed interstitial “phish warning” pages on affected domains, terminated Worker scripts used by the attackers to hide their phishing infrastructure, and suspended user accounts associated with the campaign.
  • Finalization: By September 8, 2025, the operation had completely dismantled the attacker’s online infrastructure, cutting off cybercriminals from their stolen data and disrupting their revenue stream.

Steven Masada, Assistant General Counsel at Microsoft DCU, highlighted the simplicity of the tools involved:

“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm. Simple, ready-made platforms like RaccoonO365 lower the barrier to entry, putting millions of users at risk.”

Scale and Scope of the Phishing Operation

According to Microsoft’s findings, RaccoonO365 had been active since at least July 2024 and had facilitated the theft of over 5,000 Microsoft 365 credentials across 94 countries. These credentials provided attackers with unauthorized access to OneDrive, SharePoint, Outlook email accounts, and other Microsoft cloud services.

The operation gained notoriety for its sophistication. The phishing kits bundled:

  • CAPTCHA verification pages to appear more legitimate to users.
  • Anti-bot and anti-analysis techniques to evade detection by security researchers and automated scanning tools.

One particularly damaging campaign in April 2025 saw RaccoonO365 operators launch a tax-themed phishing campaign targeting 2,300 U.S. organizations, including more than 20 healthcare institutions—a sector where cyberattacks can have life-threatening consequences.

Real-World Impact: More Than Just Credential Theft

The stolen data extended beyond usernames and passwords. Victims also lost session cookies and other authentication tokens, enabling attackers to bypass multi-factor authentication (MFA) in some cases.

Once harvested, the stolen information was monetized in several ways:

  • Financial Fraud: Unauthorized wire transfers and invoice fraud schemes.
  • Extortion: Threats to leak sensitive business data unless paid in cryptocurrency.
  • Initial Access Brokerage: Selling victim network access to ransomware groups on dark web forums.

Masada also highlighted the risks to critical sectors:

“RaccoonO365 phishing emails are often the first stage in attacks that escalate to malware or ransomware infections. For hospitals and healthcare providers, these intrusions can delay patient care, compromise lab results, and expose sensitive data—putting lives at risk while causing severe financial and reputational damage.”

Subscription-Based Criminal Economy

RaccoonO365 operated under a Phishing-as-a-Service (PhaaS) model, offering ready-made phishing kits on a subscription basis. The service was promoted via a private Telegram channel with over 840 members as of August 25, 2025.

Pricing tiers included:

  • $355 for a 30-day subscription.
  • $999 for a 90-day subscription.

Payments were accepted exclusively in cryptocurrency such as USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC), ensuring anonymity for both buyers and operators.

Operators claim to host the toolkit on bulletproof virtual private servers and openly market it on cybercrime forums, boasting that it’s “built for serious players” and free of hidden backdoors, setting it apart from rivals like BulletProofLink.

Analysis shows that campaigns have been running since September 2024, using lookalike domains and brand impersonation techniques to lure victims. Emails often mimic trusted companies—such as Microsoft, DocuSign, Adobe, SharePoint, and Maersk—and direct recipients to fraudulent login pages designed to harvest Microsoft 365 credentials.
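As an added illustration (not code from the article, Microsoft or Cloudflare), this Python script flags lookalike domains impersonating the brands named above; the brand list, allowlist, substitution table and host-parsing heuristics are constructed assumptions.

```python
# Added example, not from the article: flag lookalike domains impersonating the
# brands the article names. Brand list, allowlist, substitution table and the
# host-parsing heuristics below are assumptions constructed for illustration.
import re

IMPERSONATED_BRANDS = ["microsoft", "docusign", "adobe", "sharepoint", "maersk"]
ALLOWLIST = {f"{b}.com" for b in IMPERSONATED_BRANDS}  # assumed legitimate apex domains

def normalize(label: str) -> str:
    """Undo common swaps so 'micr0s0ft' and 'rnicrosoft' both compare as 'microsoft'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("013578", "olestb"))

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), single-row iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_host(url_or_host: str) -> str:
    """Strip scheme, credentials, port and path; naive parsing sufficient for the demo."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    host = host.split("/")[0].split("@")[-1].split(":")[0]
    return host.strip(".")

def registrable_domain(host: str) -> str:
    """Last two labels; ignores multi-part public suffixes such as co.uk (simplification)."""
    parts = host.split(".")
    return ".".join(parts[-2:])

def classify(url_or_host: str, max_distance: int = 1):
    """Return (brand, reason) when the host looks like brand impersonation, else None."""
    host = extract_host(url_or_host)
    if registrable_domain(host) in ALLOWLIST:
        return None  # the real brand domain, including its subdomains
    for label in host.split(".")[:-1]:  # every label except the TLD
        norm = normalize(label)
        for brand in IMPERSONATED_BRANDS:
            if brand in norm:
                return brand, f"brand string embedded in label '{label}'"
            dist = levenshtein(norm, brand)
            if dist <= max_distance:
                return brand, f"label '{label}' is {dist} edit(s) from brand"
    return None
```

Run it over sender domains or link hosts pulled from mail logs; raising max_distance to 2 catches transpositions such as maerks at the cost of more false positives on short brand names.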

Microsoft estimates the group earned at least $100,000 from subscriptions, with between 100 and 200 active customers, though the real number is likely far higher given the global scale of the attacks.

Attribution and Threat Actor Identification

During the investigation, Microsoft identified Joshua Ogundipe, a Nigeria-based developer, as the primary figure behind RaccoonO365. According to Microsoft’s analysis:

  • Ogundipe has a background in computer programming and likely authored most of the phishing kit code.
  • The group appeared to collaborate with Russian-speaking cybercriminals, as suggested by the use of Russian language in their Telegram bot and some infrastructure elements.
  • A critical operational mistake—leaking a cryptocurrency wallet address—enabled investigators to link the phishing infrastructure back to Ogundipe and track financial transactions.

Although Ogundipe and his associates remain at large, Microsoft confirmed that a criminal referral has been sent to international law enforcement agencies as part of ongoing investigations, signaling potential arrests in the future.

Industry Reactions and Strategic Implications

Cloudflare emphasized that the takedown was not just about removing malicious domains but also about raising operational costs for cybercriminals and sending a clear deterrent message to others abusing its infrastructure.

“This represents a strategic shift from reactive, single-domain takedowns to proactive, large-scale disruptions,” Cloudflare said, highlighting the goal of long-term deterrence rather than short-term fixes.

In response, RaccoonO365 operators have already announced plans to:

  • Scrap all legacy infrastructure,
  • Compensate paying customers with an additional week of service, and
  • Relaunch under new infrastructure to resume operations.

This cat-and-mouse dynamic illustrates the resilience of cybercriminal enterprises and the continuous battle between threat actors and defenders in the digital space.

Previous Disruptions and Ongoing Efforts

This takedown follows a similar action in May 2025, when Microsoft seized 2,300 domains tied to the Lumma Malware-as-a-Service (MaaS) platform. These back-to-back disruptions underscore the growing collaboration between tech companies and law enforcement agencies to dismantle cybercrime ecosystems.

However, experts warn that PhaaS operations often resurface under new names or with slightly modified infrastructure, making sustained disruption efforts essential.

Looking Ahead: The Fight Against Phishing-as-a-Service

The takedown of RaccoonO365 highlights how cybercrime has evolved into a subscription-driven economy, lowering the barrier to entry for would-be attackers. Even low-skilled threat actors can now launch sophisticated phishing campaigns using pre-packaged kits and anonymized payment systems.

Microsoft warns that RaccoonO365 campaigns have already targeted over 2,300 U.S. organizations, including 20 healthcare entities, raising concerns about potential ransomware attacks and data breaches in critical sectors.

Past campaigns delivered malware families such as Latrodectus, AHKBot, GuLoader, and Brute Ratel C4, often serving as initial access vectors for larger criminal operations.

Microsoft and Cloudflare stress the importance of:

  • Multi-Factor Authentication (MFA): Reduces risk even if credentials are stolen.
  • Threat Intelligence Sharing: Accelerates identification of malicious infrastructure.
  • Public-Private Collaboration: Ensures swift takedown of cybercriminal networks.

As cybercrime grows more commercialized, experts believe AI-driven detection systems and global enforcement partnerships will be crucial in keeping pace with adversaries.

Read Cloudflare's Report HERE

Read Microsoft's Report HERE


Roger Grimes

CISO Advisor at KnowBe4

1w

This is great news! Thanks to Microsoft and all the involved partners for making this happen.

Kgara_Kevin Rack

Mediator, Environmental Specialist, Traditional Medicine, Film Assistance/Fixer, SEO, SEM, WordPress, Mechanical Supervisor Electrician Aircon, Indigenous Rights, Photographer, Drone Operator, OSINT, Community Activist.

1w

Thank you.

Vivek Durairaj

Senior Principal Solution Architect

1w

A commendable effort to dismantle this network. However, as the article mentions, the primary figure remains at large. Without arrests, it will be a continuous battle of "whack-a-mole," where new platforms simply pop up to take the place of the old ones.

Derrick Lim

Managing Partner, Project Cloud Asia

1w

Hi, is there anyone who is keen on project-based assignments in training, advising, delivering or implementing cybersecurity solutions? Please contact me at derrick.lim@projectcloud.asia. Thanks!
