Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

Pierluigi Paganini
September 17, 2025

Microsoft and Cloudflare disrupted the RaccoonO365 phishing service, used to steal thousands of user credentials.

A joint operation conducted by Microsoft and Cloudflare has taken down the infrastructure used by the RaccoonO365 phishing service (tracked by Microsoft as Storm-2246).

Microsoft announced that its Digital Crimes Unit shut down RaccoonO365, seizing 338 sites used to steal Microsoft 365 credentials.

“Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”).” reads the press release published by Microsoft. “Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims.”

In September 2025, Cloudflare took down hundreds of domains and Worker accounts tied to RaccoonO365, cutting off the service's infrastructure on its network. The move aligned with Microsoft’s August civil lawsuit to stop the phishing scheme.

“In early September 2025, in a strategic effort to prevent this phishing abuse on our services, Cloudflare executed a coordinated takedown of hundreds of domains and Worker accounts associated with the actor, effectively dismantling their infrastructure on our network.” reported Cloudflare. “This action was taken in coordination with Microsoft’s broader efforts through a civil lawsuit filed in late August.”

A subscription to the RaccoonO365 phishing-as-a-service was offered for $355–$999, and according to Microsoft, the platform was used to steal at least 5,000 Microsoft 365 credentials in 94 countries.

A phishing-as-a-service (PhaaS) platform is a cybercrime model offering phishing tools, kits, hosting, and support via subscription. It enables even novice attackers to launch convincing phishing campaigns by providing ready-made fake websites and emails, automating the attack process and increasing phishing threats globally.

The service was advertised on Telegram, had 100–200 subscribers, and earned over $100,000 in crypto. Each subscription enabled thousands of phishing emails daily, totaling hundreds of millions yearly.

RaccoonO365 has been used in tax scams against 2,300 U.S. organizations and at least 20 healthcare providers, risking delayed care, compromised lab results, breached patient data, and financial losses. Due to the threat to public safety, Microsoft’s DCU partnered with Health-ISAC to pursue legal action.

Microsoft’s DCU also identified Nigerian national Joshua Ogundipe as the leader of the RaccoonO365 scheme. Ogundipe, a skilled programmer, wrote most of the code, managed sales, and offered support. His group used fake domains to evade detection, but a leaked crypto wallet exposed their operations.

Authorities have referred him to law enforcement.

(SecurityAffairs – hacking, phishing)