
Microsoft Crushes Massive Phishing Ops That Stole 5,000 Credentials


Microsoft's Digital Crimes Unit has dismantled RaccoonO365, a subscription-based phishing service that enabled even non-technical criminals to steal Microsoft 365 credentials from victims across 94 countries. The operation seized 338 malicious websites and cut off access for hundreds of cybercriminals who used the platform to launch sophisticated attacks.

The takedown, executed through a Southern District of New York court order, targeted what Microsoft calls "the fastest-growing tool" for credential theft. Since July 2024, RaccoonO365 kits have successfully compromised at least 5,000 Microsoft accounts, demonstrating how simple tools are democratizing cybercrime on an unprecedented scale.

How the Operation Worked

RaccoonO365, tracked as Storm-2246, operated as a "phishing-as-a-service" platform where customers could input up to 9,000 target email addresses daily.

The service provided pre-built kits that perfectly mimicked Microsoft branding, making fraudulent emails and websites virtually indistinguishable from legitimate communications. Most concerning, the platform recently introduced AI-powered capabilities to enhance attack sophistication and bypass multi-factor authentication (MFA) protections.

Microsoft identified Joshua Ogundipe, a Nigeria-based programmer, as the operation's leader. Ogundipe and his team generated over $100,000 in cryptocurrency payments from approximately 100-200 subscriptions, with their Telegram channel attracting more than 850 members. A security lapse that revealed their cryptocurrency wallet helped investigators trace the operation.

Healthcare Under Fire

The attacks particularly targeted healthcare organizations, with at least 20 U.S. medical facilities compromised. These attacks often serve as entry points for ransomware, potentially disrupting patient care and compromising sensitive medical data.

"This case shows that cybercriminals don't need to be sophisticated to cause widespread harm," Microsoft warned, highlighting how accessible tools are exponentially multiplying cyber threats.

Organizations should immediately enable strong multi-factor authentication, deploy updated anti-phishing tools, and conduct regular user education programs. Microsoft continues monitoring for infrastructure rebuilding attempts while collaborating with international law enforcement for prosecutions.
