Microsoft seizes infrastructure behind RaccoonO365 phishing service, disrupts theft of Office 365 credentials
Microsoft’s Digital Crimes Unit (DCU) has disrupted the infrastructure behind RaccoonO365, a subscription-based phishing-as-a-service kit used around the world to harvest Office 365 credentials such as usernames and passwords, the company said. The DCU obtained a court order in the Southern District of New York and moved to seize hundreds of internet domains and related technical resources tied to the operation, cutting off access for customers of the criminal service.
Investigators said the takedown removed a network of 338 websites that were connected to the RaccoonO365 kit and neutralized key parts of its supporting infrastructure, an action Microsoft said was intended to prevent further credential theft and limit the criminal gang’s ability to operate while legal and law-enforcement steps proceed.
RaccoonO365, tracked by Microsoft as “Storm-2246,” was marketed as a ready-made phishing kit that abused Microsoft branding to make fraudulent emails, attachments and spoofed websites appear convincing to recipients. Because the kit was sold as a subscription service, relatively unsophisticated attackers could launch large campaigns with minimal technical skill, researchers warned. Microsoft said the DCU’s investigation found that the service had been used to steal at least 5,000 Microsoft credentials from victims in 94 countries since July 2024, underscoring the global reach of the operation.
Stephen Masada, assistant general counsel for Microsoft’s DCU, said the case demonstrates how low technical complexity does not prevent high-impact criminal activity. “While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cyber criminals,” Masada said, adding that the proliferation and accessibility of services such as RaccoonO365 risk accelerating the pace and scale of online scams.
Microsoft’s filing described a rapid evolution in the kit’s capabilities. Over the past year, the RaccoonO365 service reportedly added features that allowed users to target thousands of email addresses per day and included tools intended to bypass multi-factor authentication (MFA) and establish persistent access on compromised machines. Operators also began promoting an associated artificial-intelligence service intended to increase the scale and success rate of phishing campaigns, according to Microsoft’s account of the criminal offering.
In its civil action and accompanying technical disruption, the DCU identified a Nigerian national, named as Joshua Ogundipe, as the leader of the organization behind the kit. Microsoft said investigators were able to attribute leadership after an operational security lapse in which the group exposed a cryptocurrency wallet that helped tie the enterprise together. The DCU alleged the group ran a professionalized criminal business with development, sales and customer support functions and sold subscriptions via Telegram; the group’s Telegram channel had 845 members as of late August, and Microsoft estimated active subscriptions in the low hundreds. A criminal referral for Ogundipe’s arrest has been circulated to international law enforcement, though Microsoft acknowledged prosecution is not guaranteed.
The company also highlighted the public-safety dimensions of the disruption. Microsoft said there was evidence that RaccoonO365 had been used as a precursor in attacks against at least 20 healthcare organizations in the United States, a pattern of abuse that raises the stakes because such credential harvesting can facilitate ransomware and other incidents with dire consequences for patient care. That link to healthcare targets was cited as a primary reason the DCU pursued the takedown and worked with sector partners to minimize further risk.
Cloudflare, which collaborated with Microsoft on the operation, provided additional context on how the kit was monetized: access was reportedly sold in 30-day and 90-day subscription tiers, priced at roughly $355 and $999 respectively, with payments accepted in a range of cryptocurrencies. Microsoft and its partners said the pricing model and the service’s marketing made it possible for many would-be attackers to mount campaigns at scale without building phishing infrastructure themselves.
Despite the disruption, Microsoft cautioned that legal and jurisdictional obstacles remain significant barriers to fully shutting down organized cybercrime. The company called on governments to harmonize cybercrime laws and expedite cross-border cooperation to close gaps that enable criminals to operate with impunity. In the meantime, Microsoft reiterated standard defensive advice for organizations and individuals, including enabling strong multi-factor authentication, deploying up-to-date anti-phishing tools, and continuing user education to guard against social-engineering attacks. Given that the kit was sold with tooling intended to bypass MFA, the form of MFA matters: phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the authentication to the legitimate site’s origin, are far harder for a credential-phishing kit to defeat than one-time codes or push approvals that a victim can be tricked into relaying.
Security experts said the takedown is a meaningful tactical victory that will temporarily disrupt an active criminal capability, but warned that the broader phenomenon of phishing-as-a-service — and the increasing use of automation and AI to scale attacks — means defenders must remain vigilant. The DCU’s action is likely to complicate operations for those who relied on RaccoonO365, yet it also highlights the persistent need for technical, legal and cross-border cooperation to respond to criminal marketplaces that can be rebuilt or replicated elsewhere.