Microsoft has disrupted RaccoonO365, a subscription-based phishing service hosted out of Nigeria, seizing 338 websites used to steal Microsoft 365 login credentials in over 90 countries.
RaccoonO365 (also tracked as Storm-2246) sold phishing kits that mimic official Microsoft branding (emails, attachments, fake login pages) to trick users into entering their usernames and passwords. The service was marketed through Telegram to more than 850 members, lowering the barrier for criminals to launch credential-theft operations.
Microsoft
The platform operated on a tiered subscription model designed to attract a wide range of threat actors, from short-term testers to operators running ongoing campaigns. Pricing options included a 30-day plan for around $355 and a 90-day plan for $999, with all payments accepted exclusively in cryptocurrency such as Bitcoin and USDT variants (TRC20, BEP20, Polygon).
Cloudflare joined Microsoft’s Digital Crimes Unit (DCU) in dismantling the infrastructure behind RaccoonO365. The takedown cut off domains, suspended malicious scripts, and removed worker accounts that kept the phishing service online.
The broader threat is two-fold: the ease of access (few technical skills required) and the scale. The phishing kit allowed users to target up to 9,000 email addresses per day, and many of the stolen credentials were used in campaigns aimed at tax, healthcare, and public sector organizations.
Microsoft has taken legal action against Joshua Ogundipe, whom investigators identified as the operation’s leader, and is coordinating with international law enforcement agencies on the case. DCU and partners warn that services like RaccoonO365 signal a shift in cybercrime toward scalable, easy-to-use tools that can hit millions with relatively little effort.
Leave a Reply