RaccoonO365: Inside the Global Phishing-as-a-Service Empire Disrupted by Microsoft and Cloudflare

By Alex Cipher, 5 min read

RaccoonO365 didn't just sell phishing kits; it built a global criminal marketplace, targeting Microsoft 365 users with a level of polish that would make even seasoned IT pros pause. The operation's phishing kits, crafted by Nigerian developer Joshua Ogundipe, paired convincing imitations of the Microsoft login page with CAPTCHA pages and anti-bot checks, so the lure looked legitimate to the victim while staying out of reach of the automated scanners that would otherwise flag it (BleepingComputer).

What set RaccoonO365 apart was its business model: a subscription service, marketed through a private Telegram channel with over 840 members as of August 2025. For a few hundred dollars in cryptocurrency, cybercriminals could access these phishing tools, which were then unleashed on organizations across 94 countries. The impact was staggering: at least 5,000 Microsoft credentials stolen, with attacks peaking during high-stakes periods like tax season. The operation's takedown, orchestrated by Microsoft and Cloudflare, involved seizing 338 malicious websites and sent a clear message to cybercriminals everywhere: collaboration works (BleepingComputer).

The Anatomy of RaccoonO365: How a Phishing Empire Was Built

Development of RaccoonO365 Phishing Kits

RaccoonO365 emerged as a sophisticated Phishing-as-a-Service (PhaaS) operation, primarily targeting Microsoft 365 credentials. The phishing kits developed by this group were notably advanced, incorporating CAPTCHA pages and anti-bot techniques to enhance their legitimacy and evade detection (BleepingComputer). These kits were designed to mimic genuine Microsoft login pages, making it difficult for users to distinguish between authentic and fraudulent sites.

The development of these kits was spearheaded by Joshua Ogundipe, a Nigerian national with a background in computer programming, whose coding skills were central to building the tooling. An operational security lapse on his part, which exposed a previously secret cryptocurrency wallet, gave Microsoft's Digital Crimes Unit (DCU) critical insight into the operation's structure and scale.

Subscription-Based Model and Financial Gains

RaccoonO365 operated on a subscription-based model, offering its phishing kits through a private Telegram channel. This channel had over 840 members as of August 2025, indicating a substantial customer base. The subscription plans ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all payable in cryptocurrency such as USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) (BleepingComputer).

Microsoft estimated that the group received at least $100,000 in cryptocurrency payments, suggesting there were approximately 100 to 200 subscriptions. However, the actual number of subscriptions sold is likely much higher, given the widespread deployment of the phishing kits across multiple countries and sectors.

Global Reach and Impact

Since July 2024, the RaccoonO365 operation has stolen at least 5,000 Microsoft credentials from 94 countries (BleepingComputer). The phishing campaigns were not limited to a single sector; they targeted various industries, including healthcare, finance, and government organizations. A notable large-scale tax-themed phishing campaign in April 2025 targeted over 2,300 organizations in the United States alone.

The stolen credentials, cookies, and other data from victims’ OneDrive, SharePoint, and email accounts were later used in financial fraud attempts, extortion attacks, or as initial access to other victims’ systems. This widespread impact underscores the global reach and effectiveness of the RaccoonO365 operation.

Techniques for Evasion and Legitimacy

RaccoonO365 employed several techniques to make its phishing pages look legitimate and to keep them out of view of automated defenses. The CAPTCHA pages served two purposes at once: to a victim they looked like the routine bot check that many real sites show, and to a URL scanner or sandbox they were a wall, because a crawler that cannot solve the challenge never reaches the credential form and so has nothing malicious to report. Additional anti-bot checks filtered out automated clients before they saw the lure, which helped the operation avoid automated analysis and detection by cybersecurity tools (BleepingComputer).

These techniques were complemented by the strategic deployment of phishing campaigns during tax season and other high-stakes periods, increasing the likelihood of success. By targeting specific times when users are more likely to interact with emails and websites related to taxes or other financial matters, RaccoonO365 maximized its chances of capturing valuable credentials.
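As an added example (not code from the original article, and not RaccoonO365's own kit), the following Python models the browser-gating idea generically and shows the check a triage analyst can run against a suspect URL: fetch it under several client profiles and compare what comes back. The gate's heuristics (User-Agent markers and a missing Accept-Language header), the profile names and the sample HTML are assumptions constructed for illustration; the article does not say how the real kits decided who was a bot.

```python
"""Toy model of a bot-gated phishing page and a cloaking check for it.

Added example, not RaccoonO365 code. The gating heuristics (User-Agent
markers, a missing Accept-Language header), the client profiles and the
sample HTML below are assumptions constructed for illustration.
"""
import hashlib
import re

# Assumption: substrings an anti-bot gate might look for in a client's
# User-Agent string to spot automated fetchers and sandboxes.
SCANNER_UA_MARKERS = ("python-requests", "curl/", "go-http-client",
                      "headlesschrome", "googlebot")


def looks_automated(headers: dict) -> bool:
    """Crude bot test of the kind a gate might apply (assumption)."""
    ua = headers.get("User-Agent", "").lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return True
    # Interactive browsers send Accept-Language; many scanners omit it.
    return "Accept-Language" not in headers


def gated_page(headers: dict) -> str:
    """Toy gate: automated clients get a bland 'verification' page and
    never see the credential form; browser-like clients get the lure."""
    if looks_automated(headers):
        return ("<html><head><title>Verify you are human</title></head>"
                "<body><p>Please complete the check to continue.</p></body></html>")
    return ("<html><head><title>Sign in to your account</title></head>"
            "<body><form method='post' action='/login'>"
            "<input name='loginfmt' type='email'>"
            "<input name='passwd' type='password'>"
            "<button type='submit'>Next</button></form></body></html>")


def fingerprint(html: str) -> dict:
    """Reduce a page to the features that matter for phishing triage."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return {
        "title": m.group(1).strip() if m else "",
        "forms": len(re.findall(r"<form\b", html, re.I)),
        "password_inputs": len(re.findall(r"type=['\"]?password", html, re.I)),
        "sha256": hashlib.sha256(html.encode()).hexdigest()[:16],
    }


def detect_cloaking(responses: dict) -> dict:
    """Compare one URL fetched under several client profiles.

    responses maps profile name -> HTML body. The URL is flagged when the
    bodies differ and only some profiles receive a credential form, which
    is the signature of a gate that hides the lure from automated clients.
    """
    fps = {name: fingerprint(body) for name, body in responses.items()}
    distinct_bodies = len({fp["sha256"] for fp in fps.values()})
    with_form = sorted(n for n, fp in fps.items() if fp["password_inputs"] > 0)
    without_form = sorted(n for n, fp in fps.items() if fp["password_inputs"] == 0)
    return {
        "cloaked": distinct_bodies > 1 and bool(with_form) and bool(without_form),
        "credential_form_shown_to": with_form,
        "credential_form_hidden_from": without_form,
        "fingerprints": fps,
    }


# Constructed client profiles: the first two resemble automated tooling
# (a scripted fetcher, and a browser-like UA with no Accept-Language),
# the third an interactive browser.
PROFILES = {
    "url-scanner": {"User-Agent": "python-requests/2.31.0", "Accept": "*/*"},
    "sandbox-no-lang": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    },
    "browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
        "Accept-Language": "en-US,en;q=0.9",
        "Accept": "text/html,application/xhtml+xml",
    },
}


def run_check(page=gated_page, profiles=PROFILES) -> dict:
    """Fetch the (toy) page under every profile and run the cloaking check.
    Against a live URL, `page` would be a function that performs the HTTP
    request with the given headers and returns the body."""
    return detect_cloaking({name: page(hdrs) for name, hdrs in profiles.items()})


if __name__ == "__main__":
    result = run_check()
    print("cloaked:", result["cloaked"])
    print("credential form shown to:", result["credential_form_shown_to"])
    print("credential form hidden from:", result["credential_form_hidden_from"])
```

Against a real URL, swap `gated_page` for a function that issues the request with the supplied headers (for example `requests.get(url, headers=hdrs).text`) and add at least one profile that is a real browser driven through the CAPTCHA, because a gate that demands a solved challenge will hide the form from every headless profile alike and the comparison then shows only the benign page.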

Disruption and Takedown

The disruption of RaccoonO365 was a coordinated effort between Microsoft and Cloudflare, involving the seizure of 338 websites, together with the Cloudflare Workers accounts, linked to the operation. This action was part of a broader strategy by Microsoft's Digital Crimes Unit to combat cybercrime and protect users from phishing attacks (BleepingComputer).

A criminal referral for Joshua Ogundipe has been sent to international law enforcement, highlighting the seriousness of the operation and the efforts to hold those responsible accountable. This disruption is part of a larger trend of targeting cybercrime operations, as evidenced by Microsoft’s previous actions against the Lumma malware-as-a-service (MaaS) information stealer.

The dismantling of RaccoonO365 serves as a reminder of the ongoing battle between cybercriminals and cybersecurity professionals. It underscores the importance of collaboration between organizations like Microsoft and Cloudflare in combating sophisticated phishing operations and protecting users worldwide.

Final Thoughts

The RaccoonO365 saga is a stark reminder that cybercrime is evolving as quickly as the technology designed to stop it. By blending technical sophistication with a subscription-based business model, RaccoonO365 lowered the barrier to entry for would-be attackers and amplified its global reach. The operation’s disruption—thanks to coordinated efforts by Microsoft, Cloudflare, and law enforcement—demonstrates the power of collaboration in the fight against phishing and cyber fraud (BleepingComputer).

As phishing kits become cheaper and more polished, organizations cannot rely on users spotting a fake login page. Phishing-resistant authentication such as FIDO2 security keys or passkeys, which are bound to the genuine site's origin so that a lookalike domain cannot obtain a usable assertion, removes the value of a captured password; and because this operation also stole session cookies, short session lifetimes and monitoring for token reuse from unfamiliar devices matter as well. Layered on top of that, AI-driven threat detection and cross-industry partnerships of the kind seen here still have their place. The battle isn't over, but the takedown of RaccoonO365 proves that with the right tools and teamwork, defenders can still win key victories.
