Microsoft Shuts Down RaccoonO365 Phishing Ring, Seizes 338 Websites

Microsoft’s Digital Crimes Unit (DCU) has taken down a cybercrime service called RaccoonO365. The company announced on September 16 that, through a court order granted by the Southern District of New York, it seized 338 websites linked to the RaccoonO365 operation, which was a popular tool for criminals looking to steal user information.

RaccoonO365, which Microsoft tracks as Storm-2246, offered a subscription service that let anyone, even people without technical skills, steal Microsoft 365 usernames and passwords (credentials). Subscribers received phishing kits: ready-to-use tools that mimic official Microsoft communications and login pages to trick recipients into entering their information.

Since July 2024, the service has been used to steal at least 5,000 Microsoft credentials from victims in 94 countries, including a wide tax-themed campaign that targeted over 2,300 organisations in the United States. While not every stolen credential leads to a full compromise, the sheer number of attacks shows the scale of the problem.

A Threat to Public Health

The effects of RaccoonO365 have reached beyond simple data theft. One of the most worrying uses of the service was a large-scale phishing campaign that targeted at least 20 US healthcare organisations.

Since phishing emails often lead to more serious attacks like ransomware, these incidents put public safety at risk by delaying patient services and exposing sensitive data. This is why the DCU partnered with Health-ISAC, a non-profit focused on cybersecurity for the health sector, to file the lawsuit.

RaccoonO365 Login Page and Subscription Plans (Credit: Microsoft)

The Man Behind the Crime

During the investigation, the DCU identified the operation’s leader as Joshua Ogundipe, an individual from Nigeria. He and his associates worked together to create, sell, and support the service. They sold subscriptions through a channel on the messaging app Telegram with more than 850 members, and received at least $100,000 in cryptocurrency payments.

The group also recently began advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to make their attacks even more effective. Microsoft believes that Ogundipe wrote most of the computer code for RaccoonO365.

Promotion of RaccoonO365 AI-MailCheck (Credit: Microsoft)

The group was careful to hide their identities, but a mistake revealed a secret cryptocurrency wallet, which helped the DCU connect Ogundipe to the operation. The information about Ogundipe has now been sent to international law enforcement for further action.

Working Together to Fight a Global Problem

The operation shows how cybercrime is now accessible and scalable to virtually anyone. As Microsoft notes, “Cybercriminals don’t need to be sophisticated to cause widespread harm.” The company adds that this action sends “a clear signal that Microsoft and its partners will remain persistent in going after those who target our systems.”

To confront this, Microsoft is using newer investigative methods such as Chainalysis Reactor, a blockchain analysis tool that traces cryptocurrency payments and helps identify the people behind them. The company also frequently collaborates with partners such as Cloudflare to quickly take down malicious websites.

Expert Commentary:

Adding to the technical solutions, experts highlight the crucial role of human defences in this fight. Erich Kron, a security awareness advocate at KnowBe4, commented that “email phishing continues to be a major threat that organisations face on a daily basis.” He explained that phishing services make it far easier for criminals who aren’t tech-savvy to get into the “cybercrime game.”

Kron pointed out that credential theft can be especially dangerous because “people tend to reuse passwords across different accounts and services,” meaning an attacker who steals one password might gain access to many more accounts.

To counter this, he said, organisations need a “well-established human risk management (HRM) program in place” to educate users on how to spot fake login pages and understand the dangers of reusing passwords. Ultimately, he advises, “MFA should be deployed wherever possible to make things even tougher for attackers in the event they do steal someone’s credentials.”

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.