300+ Websites Taken Down by Microsoft for Distributing RaccoonO365 Phishing Service

Microsoft’s Digital Crimes Unit (DCU) has successfully disrupted RaccoonO365, a rapidly expanding cybercriminal operation that has emerged as the fastest-growing tool for stealing Microsoft 365 credentials.

Through a court order obtained from the Southern District of New York, Microsoft seized 338 websites associated with the phishing-as-a-service platform, effectively dismantling its technical infrastructure and severing criminals’ access to victims.

The operation, tracked by Microsoft as Storm-2246, represents a significant escalation in accessible cybercrime tools. RaccoonO365 operates as a subscription-based phishing kit service, enabling individuals with minimal technical expertise to launch sophisticated credential theft campaigns.

Image: RaccoonO365 login page.

The platform leverages authentic Microsoft branding to create convincing, yet fraudulent, emails, attachments, and websites that closely mimic legitimate Microsoft communications, successfully deceiving users into surrendering their login credentials.

Massive Scale and Healthcare Targeting

Since July 2024, RaccoonO365’s phishing kits have successfully compromised at least 5,000 Microsoft credentials spanning 94 countries.

The platform’s technical capabilities enable subscribers to target up to 9,000 email addresses daily, employing advanced techniques to bypass multi-factor authentication protections. The service has evolved to include sophisticated methods for maintaining persistent access to compromised systems.

Particularly concerning is RaccoonO365’s targeting of critical infrastructure, with at least 20 U.S. healthcare organizations falling victim to these attacks.

Healthcare targeting is especially dangerous as phishing emails often serve as initial attack vectors for ransomware deployment, potentially disrupting patient care, delaying critical treatments, and compromising sensitive medical data.

Criminal Enterprise Leadership and Technical Evolution

Microsoft’s investigation identified Joshua Ogundipe, a Nigeria-based individual, as the criminal enterprise’s leader.

Image: Joshua Ogundipe’s LinkedIn page.

Ogundipe, who possesses a computer programming background and allegedly authored most of the platform’s code, operated alongside associates through specialized organizational roles.

The group marketed their services via Telegram to over 850 members and received approximately $100,000 in cryptocurrency payments, representing an estimated 100-200 subscriptions.

The operation demonstrates rapid technical advancement, with the recent introduction of RaccoonO365 AI-MailCheck, an artificial intelligence-powered service designed to scale attack operations and increase campaign effectiveness.

This evolution underscores the concerning trend toward AI-enhanced cybercrime tools that lower technical barriers for malicious actors.

Microsoft’s disruption involved collaboration with security partners, including Cloudflare, and integration of blockchain analysis tools like Chainalysis Reactor for cryptocurrency transaction tracing.

The company has issued a criminal referral for Ogundipe to international law enforcement and is preparing for attempts by the criminal organization to rebuild its infrastructure.

This case exemplifies the global, accessible nature of modern cybercrime, where simple subscription services enable widespread harm across international boundaries, highlighting the critical need for enhanced cross-border cooperation in cybercrime prosecution.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
