In a joint effort, Microsoft and Cloudflare have successfully taken down 338 domains associated with the RaccoonO365 phishing network. This network, operated by a financially motivated threat group, has been responsible for stealing over 5,000 Microsoft 365 credentials from users in 94 countries since July 2024.
The Digital Crimes Unit at Microsoft, with the assistance of Cloudflare, obtained a court order to seize the websites linked to RaccoonO365. This action disrupted the network’s technical infrastructure and prevented cybercriminals from accessing their victims.
Steven Masada, assistant general counsel at Microsoft’s DCU, emphasized that cybercriminals do not need sophisticated tools to cause significant harm. RaccoonO365’s phishing-as-a-service toolkit has made cybercrime accessible to a wide range of individuals, putting millions of users at risk.
The takedown operation, led by Cloudflare, began on September 2, 2025, and continued over several days. It involved banning the identified domains, displaying warning pages, disabling associated scripts, and suspending user accounts, effectively dismantling the phishing network by September 8.
RaccoonO365, known as Storm-2246 internally at Microsoft, offers a subscription-based model to enable cybercriminals to conduct phishing and credential harvesting attacks at scale. The service is marketed as user-friendly, allowing even non-technical individuals to engage in malicious activities.
Campaigns utilizing RaccoonO365’s services have been ongoing since September 2024, with cybercriminals impersonating reputable brands like Microsoft, DocuSign, and Adobe to lure victims into divulging their credentials. These phishing attempts often serve as a gateway for deploying malware and ransomware.
One concerning aspect of RaccoonO365’s operations is its use of legitimate tools such as Cloudflare Turnstile for CAPTCHA and bot detection, enhancing the network’s ability to target specific victims and evade detection.
Microsoft previously warned about phishing campaigns leveraging RaccoonO365 to distribute malware and steal sensitive information. These campaigns have targeted numerous organizations, including healthcare entities in the United States, emphasizing the widespread impact of such cyber threats.
The mastermind behind RaccoonO365, Joshua Ogundipe, based in Nigeria, has promoted the service on a Telegram channel and received significant cryptocurrency payments. While Ogundipe and his associates remain at large, Microsoft has initiated criminal referrals to international law enforcement agencies.
Cloudflare’s intervention in dismantling the RaccoonO365 network aims to deter malicious actors from abusing its platform for illicit purposes. By disrupting hundreds of domains and worker accounts, Cloudflare intends to raise the operational costs for cybercriminals and send a clear message to others contemplating similar activities.
Following the takedown, RaccoonO365 announced the discontinuation of its legacy links and offered compensation to affected customers. On Cloudflare’s side, the action marks a shift towards large-scale disruptions intended to prevent future misuse of its platform for malicious purposes.