
Microsoft’s Digital Crimes Unit has dismantled RaccoonO365, a phishing kit operation, run by a Nigerian developer, that was used to steal Microsoft 365 credentials.
Under a court order, Microsoft says it seized 338 websites linked to the service, disrupting its infrastructure and cutting off criminals’ access to victims.
RaccoonO365’s Phishing-as-a-Service
Tracked by Microsoft as Storm-2246, RaccoonO365 offered subscription-based phishing kits that allowed even inexperienced actors to run large-scale credential theft campaigns.

The kits mimicked Microsoft’s branding, replicating company emails and login pages to trick users into entering sensitive information.
Since July 2024, the service has been used to steal at least 5,000 Microsoft credentials from victims across 94 countries. Its kits were also used in tax-themed phishing campaigns targeting more than 2,300 U.S. organizations, with at least 20 healthcare institutions among the victims.
Microsoft warned that such attacks often precede ransomware incidents, causing delays in patient care, compromised lab results, and exposure of sensitive data.
RaccoonO365 grew rapidly, enabling subscribers to target up to 9,000 email addresses daily and offering tools to bypass multi-factor authentication.
Most recently, it introduced an AI-powered service called RaccoonO365 AI-MailCheck, designed to scale operations and make phishing attacks more effective.
The Developer Behind RaccoonO365
Microsoft’s investigation identified the alleged leader of the operation as Joshua Ogundipe, a Nigerian national with a background in computer programming.
Ogundipe and his associates marketed RaccoonO365 on Telegram, amassing over 850 members and collecting at least $100,000 in cryptocurrency payments. Microsoft estimates that this reflects 100–200 subscriptions, though the actual number is likely higher.
Each subscription allowed cybercriminals to send thousands of phishing emails daily, adding up to potentially hundreds of millions of malicious emails per year.
To conceal their activities, the group registered domains using false names and addresses across various countries.
A lapse in operational security, including the exposure of a cryptocurrency wallet, helped investigators link Ogundipe to the service. Microsoft has referred him to international law enforcement for prosecution.