Microsoft and Cloudflare jointly take down phishing network that stole thousands of Microsoft 365 credentials


  • Microsoft and Cloudflare disrupt phishing service stealing Microsoft 365 credentials
  • RaccoonO365 kits used CAPTCHA screens and fake Microsoft logins
  • Revenue from the criminal operation estimated to be at least $100,000

Working together, Microsoft's Digital Crimes Unit and Cloudflare say they have successfully disrupted a phishing service that helped criminals steal thousands of Microsoft 365 usernames and passwords.

Tracked by Microsoft as Storm-2246, RaccoonO365 sold subscription kits that mimicked official Microsoft messages and login pages.

Since July 2024, these kits have helped criminals steal an estimated 5,000 or more sets of credentials from victims across 94 countries.

Securing court order

Microsoft identified the group’s leader as Joshua Ogundipe, based in Nigeria, and said the service was marketed on Telegram with hundreds of subscribers.

Microsoft’s Digital Crimes Unit said it seized 338 websites used by the group after securing a court order from the Southern District of New York.

“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm - simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk,” the company warned.

Cloudflare said its Cloudforce One and Trust and Safety teams worked with Microsoft to dismantle the infrastructure that supported the service.

According to Cloudflare, the phishing kits used a simple CAPTCHA screen and anti-bot measures to appear legitimate, before redirecting victims to fake Microsoft login pages.

Once credentials were entered, attackers could also bypass multi-factor authentication and steal session cookies.

The company disabled Worker accounts and placed warning pages in front of malicious domains to cut off access.

The phishing service operated on a tiered pricing model, with subscriptions to the "RaccoonO365 Suite" priced at $355 for 30 days or $999 for 90 days. Payments were accepted only in cryptocurrency.

Microsoft said the operation had already generated at least $100,000 in revenue, although the true number is likely higher.

Both companies described the action as part of a broader effort to disrupt phishing-as-a-service platforms.

“Our response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption,” Cloudflare said, adding, “we aim to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.”

Wayne Williams
Editor

Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.
