Microsoft and Cloudflare have disrupted a Phishing-as-a-Service operation, known as RaccoonO365.
The primary goal of RaccoonO365 (tracked by Microsoft as Storm-2246) was to rent out a phishing toolkit that specialized in stealing Microsoft 365 credentials. Since July 2024 the kit has been used to steal at least 5,000 sets of Microsoft credentials from victims in 94 countries.
The operation provided its customers with stolen credentials, cookies, and data, which they in turn could use to plunder OneDrive, SharePoint, and Outlook accounts for information to use in financial fraud or extortion, or as initial access for larger attacks.
Roughly, an attack looked like this:
- Emails were sent to victims with an attachment containing a link or a QR code.
- The link led to a page with a simple CAPTCHA. This and other anti-bot techniques were there to keep automated scanners and sandboxes away from the phishing page without raising the victim’s suspicion, since a CAPTCHA is something people expect to see.
- After solving the CAPTCHA, the victim was redirected to a fake Microsoft 365 login page designed to harvest whatever credentials were entered.
RaccoonO365 built its operation on top of legitimate infrastructure in an attempt to avoid detection. Using free accounts, the operators deployed Cloudflare Workers as an intermediary layer: the Workers proxied traffic to the backend phishing servers, which were therefore never directly exposed to the public internet, while the victim only ever saw a Cloudflare-fronted address.
Reacting to this abuse of its services, Cloudflare teamed up with Microsoft’s Digital Crimes Unit (DCU). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with RaccoonO365.
The danger of phishing kits like these is clear. Even non-technical criminals can lease a 30-day plan for $355 (paid in cryptocurrency) and get their hands on valid Microsoft 365 credentials. With a recently added feature of the kit, its users can even receive the codes for certain multi-factor authentication (MFA) methods, so MFA alone no longer guarantees that a stolen password is useless.
From there they can move on to data theft, financial fraud, or use the credentials to infiltrate an organization and deploy ransomware. To give you an idea of the scale: RaccoonO365 customers were able to send emails to 9,000 targets per day. The suspected leaders of the operation had over 850 members on Telegram and have received at least US$100,000 in cryptocurrency payments.
The takedown of the websites and the attribution to a Nigerian suspect cut off the cybercriminals’ revenue streams and significantly increased RaccoonO365’s operational costs. Besides that, the main suspect is believed to be the main coder behind the project, and his apprehension by international law enforcement would be a major blow to the operation.
Meanwhile, RaccoonO365 customers can start worrying about how much of their own information will be revealed in the aftermath of this disruption.
We’ll keep you posted.
Don’t fall for phishing attempts
In the campaigns run with RaccoonO365, two simple rules could have saved you a lot of trouble:
- Don’t click on links (or scan QR codes) in unsolicited attachments.
- Check that the address in the browser’s address bar is on the domain you expect. A Microsoft sign-in happens on a microsoft.com or microsoftonline.com domain; a page whose address merely contains those words somewhere else, such as login.microsoftonline.com.example, is not Microsoft.
Other important tips to stay safe from phishing in general:
- Verify the sender: always check whether the sender’s email address matches what you would expect. It’s not always conclusive, but it can help you spot some attempts.
- Check through an independent channel if the sender actually sent you an attachment or a link.
- Use up-to-date security software, preferably with a web protection component.
- Keep your device and all its software updated.
- Use multi-factor authentication for every account you can.
- Use a password manager. A password manager matches saved logins to the site’s real address, not to how the page looks, so it will not auto-fill your password on a fake site, even one that looks identical to the real thing.
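The "does the address bar match the domain you expect" rule above is easy to state but easy to get wrong by eye, because phishing kits deliberately put the real brand name somewhere in the address. The following Python script is an added example (not code from the article or from Malwarebytes) that performs that check the way a careful reader would, and it also covers the tricks a glance tends to miss: the trusted name used as a subdomain of an attacker domain, userinfo before an `@`, plain `http`, and Unicode look-alike letters. The `TRUSTED_HOSTS` allowlist and all sample URLs are assumptions constructed for the demo.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example (not an authoritative list): hosts on
# which a Microsoft 365 sign-in page legitimately lives. Adapt it to the
# services you actually use.
TRUSTED_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "microsoft.com",
}


def effective_host(url: str) -> str:
    """Return the ASCII host the browser will actually connect to.

    urlsplit().hostname already drops the scheme, any user:pass@ prefix,
    the port and the path, and lowercases the name. On top of that we strip
    a trailing dot and IDNA-encode, so a Unicode look-alike (for example a
    Cyrillic letter inside "microsoft") surfaces as an xn-- label instead
    of passing as Latin text.
    """
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # not encodable; it will not match the allowlist anyway


def is_trusted_host(host: str) -> bool:
    """True only for a trusted host or a genuine subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_login_url(url: str) -> tuple[bool, str]:
    """Classify a sign-in URL the way a careful look at the address bar would.

    Returns (ok, reason). ok is True only when the scheme is https and the
    effective host is on the allowlist; otherwise reason names the trick.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL ({exc})"
    host = effective_host(url)

    if not host:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, f"not https (scheme is {parts.scheme!r})"
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ : everything before
        # the @ is userinfo, the host the browser talks to is evil.example.
        return False, f"userinfo before '@' hides the real host {host!r}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized look-alike host {host!r}"
    if not is_trusted_host(host):
        for trusted in TRUSTED_HOSTS:
            if trusted in host:
                # login.microsoftonline.com.evil.example: the trusted name is
                # only a prefix; the registrable domain is evil.example.
                return False, f"{trusted!r} appears inside untrusted host {host!r}"
        return False, f"untrusted host {host!r}"
    return True, f"host {host!r} is on the allowlist"


def triage(urls):
    """Map each URL to its (ok, reason) verdict, e.g. for links pulled from a mail."""
    return {u: check_login_url(u) for u in urls}


# Constructed sample URLs for the demo; none of them come from the article.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "https://LOGIN.MicrosoftOnline.com./",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com.evil.example/",
    "https://login.microsoftonline.com@evil.example/",
    "https://login.microsoftonlin\u0435.com/",          # Cyrillic 'е' in "online"
    "https://evil.example/microsoftonline.com/login",
]

if __name__ == "__main__":
    for url, (ok, reason) in triage(SAMPLE_URLS).items():
        print(f"{'OK  ' if ok else 'FAKE'} {url}\n      {reason}")
```

Only the first two sample URLs pass; the rest are flagged with the specific trick named, which is the same judgement a password manager makes when it declines to auto-fill on a host that does not match the saved entry.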