
Microsoft, Cloudflare coordinate takedown of RaccoonO365 phishing infrastructure


Microsoft and Cloudflare have coordinated the takedown of infrastructure used by the RaccoonO365 phishing-as-a-service (PhaaS) operation, Microsoft announced Tuesday.  

The early September 2025 disruption effort included the seizure of 338 domains by Microsoft’s Digital Crimes Unit (DCU), following a court order from the U.S. District Court for the Southern District of New York authorizing the seizure.

RaccoonO365 sells phishing kits targeting Microsoft 365 credentials on a subscription basis, providing convincing clones of Microsoft log-in pages and facilitating adversary-in-the-middle (AitM) interception of usernames, passwords, multifactor authentication (MFA) codes and session cookies.  

Cloudflare reported that RaccoonO365 also used Cloudflare Workers scripts for anti-analysis tactics such as user-agent filtering, header and referrer checks, and bot detection.

Phishing lures typically came in the form of email attachments such as clickable images or documents with QR codes, with the Cloudflare Workers serving as an intermediary between the phishing link and phishing page itself, blocking access to suspected security researchers, scanners and analysis tools.
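The two defender-side signals that follow from the kit's behaviour described above are, first, a session cookie or token being used from a different network location than the interactive (password plus MFA) sign-in that created it, and second, a single relay address completing interactive sign-ins for many different users. The script below is an added illustration written for this article, not code from Microsoft, Cloudflare or the RaccoonO365 investigation; the event field names, the sample records, the IP addresses (documentation ranges) and the thresholds are all constructed assumptions, so they would need to be mapped onto a real sign-in log schema before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs). Each record carries the
# kind of information a cloud sign-in log provides: who, when, source IP and
# geolocation, whether the event was interactive (credentials and MFA entered)
# or a later cookie/token use, and which session it belongs to.
# 198.51.100.7 plays the role of a relay in front of the real login page.
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "ts": "2025-09-02T09:00:00", "ip": "198.51.100.7",
     "country": "US", "interactive": True, "session": "s-1"},
    {"user": "alice@example.test", "ts": "2025-09-02T09:04:00", "ip": "192.0.2.55",
     "country": "NG", "interactive": False, "session": "s-1"},
    {"user": "bob@example.test", "ts": "2025-09-02T09:30:00", "ip": "198.51.100.7",
     "country": "US", "interactive": True, "session": "s-2"},
    {"user": "bob@example.test", "ts": "2025-09-02T13:00:00", "ip": "198.51.100.7",
     "country": "US", "interactive": False, "session": "s-2"},
    {"user": "carol@example.test", "ts": "2025-09-02T10:15:00", "ip": "198.51.100.7",
     "country": "US", "interactive": True, "session": "s-3"},
    {"user": "dave@example.test", "ts": "2025-09-02T11:00:00", "ip": "203.0.113.20",
     "country": "US", "interactive": True, "session": "s-4"},
    {"user": "dave@example.test", "ts": "2025-09-02T11:30:00", "ip": "203.0.113.20",
     "country": "US", "interactive": False, "session": "s-4"},
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_session_replay(events, window=timedelta(hours=2)):
    """Flag sessions whose cookie/token is used from a different IP and country
    than the interactive sign-in that created it, within `window`."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        origin = next((e for e in evs if e["interactive"]), None)
        if origin is None:
            continue  # no interactive sign-in to compare against
        for e in evs:
            if e["interactive"] or e["ip"] == origin["ip"]:
                continue
            delta = parse(e["ts"]) - parse(origin["ts"])
            if timedelta(0) <= delta <= window and e["country"] != origin["country"]:
                findings.append({
                    "indicator": "session_replay",
                    "user": e["user"], "session": session,
                    "origin_ip": origin["ip"], "replay_ip": e["ip"],
                    "minutes_after_signin": int(delta.total_seconds() // 60),
                })
    return findings


def find_shared_signin_ip(events, min_users=3, window=timedelta(hours=24)):
    """Flag a source IP that completes interactive sign-ins for at least
    `min_users` distinct users inside `window`. A relay sitting between the
    victim and the real login page makes every victim's sign-in appear to
    originate from the relay's address."""
    by_ip = defaultdict(list)
    for e in events:
        if e["interactive"]:
            by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while parse(evs[end]["ts"]) - parse(evs[start]["ts"]) > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                findings.append({"indicator": "shared_signin_ip", "ip": ip,
                                 "users": sorted(users)})
                break
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SAMPLE_EVENTS) + find_shared_signin_ip(SAMPLE_EVENTS):
        print(f)
```

On the constructed data the first check flags alice's session (cookie used from a second country four minutes after her sign-in) and the second flags 198.51.100.7 as a shared sign-in source for three users; bob and dave, whose later activity stays on the original address, produce nothing. Both checks are deliberately conservative: the country mismatch requirement keeps ordinary mobile roaming on a single carrier from alerting, and the shared-IP threshold needs tuning so that a corporate NAT or VPN egress is not reported.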

Microsoft and Cloudflare, in coordination with U.S. law enforcement, performed a “rug pull,” disabling the malicious Workers and taking down RaccoonO365 phishing domains beginning on Sept. 3 and completing on Sept. 8, 2025, according to Cloudflare.

Microsoft DCU also said its investigation identified the leader of RaccoonO365 as a Nigeria-based individual named Joshua Ogundipe, and that Microsoft has reported its findings to international law enforcement.

Since July 2024, RaccoonO365 is suspected to have stolen at least 5,000 Microsoft credentials in 94 countries and has been used to target more than 2,300 U.S. organizations, including at least 20 healthcare organizations, according to Microsoft.

The PhaaS operation, which sells subscriptions ranging from $355 for 30 days to $999 for 90 days, is believed to have raked in at least $100,000 in cryptocurrency from its customers and has about 850 members in its private Telegram group.  

Microsoft said it will continue to pursue legal action against RaccoonO365 and similar cybercrime operations and is improving its investigations with industry collaborations and the adoption of tools such as Chainalysis’ Reactor to trace cryptocurrency transactions.

Cloudflare said it also aims to take a more proactive approach to combat misuse of its infrastructure by cybercriminals.
