Date: 2025-09-17

Key Takeaways:

Microsoft and Cloudflare worked together to dismantle RaccoonO365, a phishing-as-a-service platform targeting Microsoft 365 users.

The operation resulted in the seizure of more than 300 domains and Cloudflare Worker accounts.

RaccoonO365 sold phishing kits via Telegram, making advanced credential theft tools accessible to less-skilled attackers.

At least 5,000 credentials were stolen across 94 countries, including attacks targeting U.S. healthcare organizations.

Microsoft identified a suspected ringleader in Nigeria, highlighting the role of international cybercrime networks.

The battle between cybersecurity defenders and cybercriminals escalated once again this month, as Microsoft and Cloudflare announced the successful disruption of a massive phishing-as-a-service (PhaaS) operation known as RaccoonO365. According to reporting from BleepingComputer, the joint takedown crippled a criminal enterprise that had been actively selling phishing kits designed to harvest Microsoft 365 credentials on an industrial scale.

RaccoonO365 had been active since mid-2024, run by a threat actor Microsoft tracks under the name Storm-2246. By offering subscription access to its phishing platform, RaccoonO365 significantly lowered the barrier to entry for cybercriminals who lacked the technical skills to develop their own tools. For a fee, subscribers gained access to sophisticated kits capable of bypassing CAPTCHAs, evading automated defenses, and fooling victims into entering sensitive login information.

The disruption, announced in early September 2025, involved seizing 338 domains and Cloudflare Worker accounts linked to the operation. Microsoft’s Digital Crimes Unit (DCU) and Cloudflare’s CloudForce One team coordinated closely, using intelligence on infrastructure patterns, phishing kit distribution, and wallet addresses to target the criminal enterprise. The scale of the takedown underscores the size of the threat: Microsoft has confirmed that at least 5,000 sets of stolen credentials across 94 countries were tied to the service.

How the Service Operated

RaccoonO365 was marketed in underground forums and through a private Telegram channel, where access to the platform was offered to paying customers. The pricing model mirrored legitimate software-as-a-service businesses, with subscription tiers costing around $355 for 30 days or $999 for 90 days. Payments were accepted in cryptocurrency, including bitcoin and stablecoins on blockchain networks like TRC20, BEP20, and Polygon.

The kits themselves were engineered to appear legitimate. Victims were directed to phishing pages that mirrored Microsoft 365 login portals. Once a target entered their username and password, the service captured credentials, authentication cookies, and related artifacts. This information allowed attackers to access email, SharePoint, and OneDrive accounts, potentially unlocking access to sensitive company data.

Microsoft’s investigation revealed that the phishing lures were diverse and often tailored to specific industries or events. In one campaign, tax-themed emails were used to trick U.S.-based users. In another, healthcare organizations were targeted, raising concerns about the exposure of medical records and sensitive patient information.

Attribution and Criminal Network

Perhaps the most significant revelation came from Microsoft’s DCU, which identified a man named Joshua Ogundipe in Nigeria as a central figure behind RaccoonO365. According to Microsoft, Ogundipe is believed to have developed large portions of the phishing kit code. Investigators also discovered that Russian-speaking cybercriminals were involved in aspects of the operation, as parts of the Telegram bot infrastructure used Russian commands. This highlights how phishing services often span multiple countries and languages, complicating law enforcement response.

Attribution was made possible when the operators exposed one of their cryptocurrency wallets, a misstep that provided investigators with a direct line of evidence. Microsoft noted that while the operation has been disrupted, international law enforcement continues to pursue leads against the individuals responsible.

Scale of Impact

The true scale of RaccoonO365’s impact may never be fully known. Microsoft has confirmed that more than 5,000 sets of credentials were stolen and estimates the group has generated at least $100,000 in cryptocurrency payments. However, given the number of subscribers, the true financial and data theft footprint could be much larger. Each stolen Microsoft 365 login provides attackers with potential access not only to emails but also to files, internal chats, and cloud-hosted applications—assets that could be exploited for fraud, ransomware, or data resale on criminal markets.

Cloudflare emphasized that the use of its Workers platform was particularly troubling, as it provided attackers with an easy way to deploy phishing infrastructure at scale. By shutting down the malicious Workers accounts, the company hopes to make it harder for copycat operations to replicate RaccoonO365’s approach.

Industry and Policy Implications

The disruption underscores both the risks and the effectiveness of public-private collaboration in cybersecurity. By combining Microsoft’s visibility into email and authentication systems with Cloudflare’s network-level intelligence, the two companies were able to dismantle an operation that might otherwise have persisted for years.

Still, experts caution that the takedown is unlikely to end phishing-as-a-service altogether. Cybercriminals have repeatedly shown an ability to adapt, shifting infrastructure to new platforms and rebranding under different names. What makes RaccoonO365 notable is how professionalized the model has become. By using subscription pricing, offering customer support via Telegram, and bundling advanced evasion features, the group demonstrated how PhaaS operators are increasingly adopting legitimate business practices to expand their reach.

For organizations, the incident is a reminder of the continued importance of layered defenses. Multi-factor authentication (MFA), conditional access policies, and behavioral monitoring remain among the most effective protections against credential theft. Enterprises also need to train employees to recognize phishing attempts, particularly those that mimic legitimate Microsoft 365 logins and use added features such as CAPTCHA prompts to appear more authentic.

A Continuing Battle

Microsoft’s announcement stressed that the disruption is part of an ongoing campaign against phishing services. “This action is a reminder that we will continue to take steps to protect our customers from cybercriminals,” the company said in a statement. Cloudflare echoed that sentiment, emphasizing the importance of trust in digital services and the need for infrastructure providers to work together in protecting users.

The takedown of RaccoonO365 marks a significant win for defenders, but it also illustrates the industrialization of phishing. With relatively low costs, easy-to-use kits, and guaranteed infrastructure, even novice cybercriminals can launch campaigns capable of breaching enterprise defenses. While the dismantling of this platform will undoubtedly reduce the volume of Microsoft 365 phishing attempts in the near term, the broader challenge of combating phishing-as-a-service is far from over.


Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.


Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.