Microsoft Digital Crimes Unit (DCU) Strikes Major Blow Against Phishing-as-a-Service Network

Microsoft’s Digital Crimes Unit (DCU) has seized 338 websites belonging to the rapidly expanding “RaccoonO365” phishing-as-a-service network. The court-authorized takedown not only disrupts an operation that has stolen over 5,000 Microsoft 365 credentials across 94 countries since July 2024, but also highlights emerging risks from subscription-based phishing tools that have made sophisticated attacks available to virtually anyone.

Phishing Made Easy — and Dangerous

Tracked by Microsoft as Storm-2246, RaccoonO365 has taken the cybercrime underground by storm. Unlike traditional bespoke hacks, RaccoonO365 markets affordable subscription kits — $355 for 30 days or $999 for a 90-day service — that let even tech novices launch phishing campaigns at scale. Criminals using these kits can automate targeted phishing against up to 9,000 email addresses per day, as the service mimics official Microsoft branding to deceive users into surrendering passwords and even bypassing multi-factor authentication (MFA).
The kits are shockingly simple and effective:
- Clone Microsoft login pages and emails to dupe recipients.
- Enable attackers to easily harvest session cookies, allowing full account takeovers—even when MFA is enabled.
- Target all industries, with special focus on high-stakes sectors like healthcare.

Global Victim Toll and Healthcare Risks

RaccoonO365’s impact is vast. According to Microsoft, at least 5,000 credentials have been stolen worldwide, affecting users in 94 countries, with 2,300+ U.S. organizations swept up in tax-themed phishing campaigns.
More alarming, over 20 U.S. hospital and healthcare entities were specifically targeted. Unlike most fraud, these attacks often lead to ransomware or further malware outbreaks, causing delays or interruptions to patient care, exposing sensitive health data, and risking patient safety.
The DCU’s lawsuit against RaccoonO365’s ringleaders, filed in partnership with Health-ISAC—a non-profit for healthcare cybersecurity—highlights growing concern over cyberattacks in public health (read more about Health-ISAC’s threat monitoring at https://health-isac.org/).

Takedown: Seizing RaccoonO365’s Infrastructure

Microsoft’s counterstrike unfolded with critical partnerships and precise tactics:
- Legal authority: The Southern District of New York granted a court order, giving legal power to shut down and seize associated domains.
- Technical allies: Cloudflare, whose network infrastructure was abused by the kit, participated by banning identified domains, showing warnings, terminating malicious scripts, and suspending attacker accounts.
- Cryptocurrency tracing: Working with Chainalysis, investigators tracked payments and financial flows in Bitcoin to attribute the network’s operators.
This operation didn’t simply block access; it also sowed distrust among cybercriminal customers and increased operational costs for the threat actors.

The Mastermind Unmasked: Joshua Ogundipe

A key breakthrough came with the identification of RaccoonO365’s creator and chief operator, Joshua Ogundipe, based in Nigeria. Ogundipe and his team marketed the phishing kit to over 850 customers via Telegram channels, reportedly earning at least $100,000 in cryptocurrency—likely an underestimate given the group’s scale.
Microsoft successfully traced the operation after threat actors inadvertently exposed a secret cryptocurrency wallet. Ogundipe’s background in computer programming helped him author most of RaccoonO365’s code, while associates handled sales, support, and technical operations. The suite offered AI-powered enhancements such as “RaccoonO365 AI-MailCheck,” increasing attack automation and sophistication.
Even after the takedown, DCU expects Ogundipe and his associates to attempt to rebuild or relaunch. Criminal referrals have been sent to international law enforcement.

Evolving Threat: Phishing Services, Social Engineering, and AI

RaccoonO365 is emblematic of a worrying new era in cybercrime—one where scalable, subscription-based phishing kits, new AI-powered evasion tools, and “as-a-service” models let even unsophisticated actors perpetrate broad, persistent attacks.
Notably, social engineering remains at the core of RaccoonO365’s success. Its kits’ ability to closely mimic trusted brands lowers the bar for launching effective scams on a massive scale. And with kit upgrades like AI-MailCheck, the effectiveness and reach of these operations will likely continue to multiply.
As Steven Masada of Microsoft’s Digital Crimes Unit explains: “This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

What’s Next: Ongoing Vigilance and Global Collaboration

Microsoft’s DCU is continuing to monitor remaining and new infrastructure associated with RaccoonO365 and future spin-offs. The operation sets an important legal precedent for tech companies—in partnership with security firms, non-profits, and law enforcement—to take down larger portions of global criminal networks.
Still, legal and regulatory obstacles persist due to the international, fast-moving nature of cybercrime. Patchwork laws and weak international coordination are exploited by actors, emphasizing the need for cross-border cooperation.

Staying Safe: Guidance for Organizations and Users

Microsoft reiterates best defenses:
- Invest in cutting-edge anti-phishing and threat detection tools.
- Train all users on how to detect and avoid social engineering.
- Learn how modern attacks work: https://www.microsoft.com/en-us/security/blog/2025/05/29/defending-against-evolving-identity-attack-techniques/
- Stay updated on legal and technical steps at https://blogs.microsoft.com/on-the-issues/tag/digital-crimes-unit/

The RaccoonO365 takedown is a significant win in the war against global phishing-as-a-service networks. But with criminal operators like Ogundipe adapting and rebuilding, continued investment in cybersecurity, user education, and legal action will remain vital.