A joint operation by Microsoft’s Digital Crimes Unit (DCU) and Cloudflare’s Cloudforce One has successfully disrupted a large-scale Phishing-as-a-Service (PhaaS) network known as RaccoonO365, which had enabled cybercriminals to steal thousands of Microsoft 365 credentials worldwide. This takedown highlights how coordinated action between cloud providers can effectively neutralize growing cybercrime ecosystems that monetize phishing kits as subscription services.
The operation, conducted in September 2025, involved the seizure of 338 websites and Cloudflare Worker accounts that were actively supporting the RaccoonO365 infrastructure. According to Microsoft, the criminal enterprise, tracked internally as Storm-2246, had been active since at least mid-2024 and was responsible for harvesting over 5,000 sets of Microsoft 365 credentials across 94 countries. These stolen identities were later leveraged in financial fraud, extortion schemes, and ransomware campaigns.
What made RaccoonO365 particularly dangerous was its professionalized phishing kits. They placed CAPTCHA gates and anti-bot checks in front of the credential-harvesting page, so that automated scanners and security crawlers saw a harmless challenge while real victims were passed through to convincing templates that mirrored Microsoft login portals. These features raised the success rate of individual campaigns while making the pages harder for automated defenses to classify. A notable campaign in April 2025 targeted over 2,300 U.S. organizations with tax-themed lures, while another wave struck 20 American healthcare providers, where the stakes were especially high: as Microsoft’s DCU warned, delayed patient services, compromised lab results, and exposed medical records directly threatened both healthcare operations and patient safety.
RaccoonO365 operated as a subscription-based service accessible through a private Telegram channel with over 840 members. Pricing tiers ranged from $355 for a 30-day subscription to $999 for a 90-day plan, payable in cryptocurrencies such as Bitcoin and USDT. Microsoft estimated the operators earned at least $100,000, although the true revenue was likely far greater given the scale of adoption.
Investigations revealed that the operation was led by Joshua Ogundipe, a Nigerian national with a background in computer programming, believed to have authored much of the RaccoonO365 code. Attribution was aided by an operational security lapse, where threat actors exposed a cryptocurrency wallet linked to the service. Furthermore, evidence suggested collaboration with Russian-speaking cybercriminals, as indicated by the Telegram bot’s Russian name. Law enforcement referrals have since been issued, increasing the likelihood of prosecution.
This disruption follows Microsoft’s earlier May 2025 takedown of 2,300 domains tied to the Lumma malware-as-a-service campaign, underscoring its proactive approach in dismantling cybercrime infrastructure before it scales further.
In conclusion, the takedown of RaccoonO365 demonstrates the effectiveness of cross-industry collaboration in combating phishing operations that threaten enterprise and critical infrastructure alike. However, it also reveals the resilience of the cybercrime-as-a-service model, which continues to evolve and expand. To defend against similar threats, organizations should move to phishing-resistant multi-factor authentication (FIDO2 security keys or passkeys), since a login page that mirrors Microsoft’s portal can capture a one-time code typed into it just as easily as a password; deploy real-time phishing detection; and monitor cloud sign-in activity for the tell-tale signs of a harvested credential being replayed, such as a successful sign-in from a country the user has never signed in from, or two sign-ins too far apart to be the same person. With phishing remaining the primary entry vector for ransomware and data theft, dismantling networks like RaccoonO365 is vital, but so too is ensuring enterprises remain vigilant.
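As an added example that is not part of the original article and is not code from Microsoft, Cloudflare or the RaccoonO365 investigation, the following Python script shows what the recommended sign-in monitoring looks like in practice: it runs a new-country and impossible-travel check over a handful of constructed sign-in records. The records are invented for this illustration; their field names are modeled on the Microsoft Entra ID sign-in log schema (UPN, timestamp, IP, country, result code) but the per-user country baseline, the coordinates and the 900 km/h travel threshold are all assumptions chosen for the example.

```python
"""Added example: flag sign-ins that look like a replayed phished credential.

Two signals are combined per user, over successful sign-ins only:
  1. the sign-in country is outside the user's historical baseline, and/or
  2. the distance from the previous successful sign-in implies travel faster
     than an airliner (impossible travel).
A password-only sign-in is noted as an aggravating factor when either fires.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (not real telemetry). Field names are modeled on
# Entra ID sign-in logs: status 0 = success, 50126 = invalid credentials.
SIGN_INS = [
    {"upn": "alice@example.com", "time": "2025-04-14T13:02:10Z", "ip": "203.0.113.7",
     "country": "US", "lat": 41.88, "lon": -87.63, "status": 0, "mfa": True},
    {"upn": "alice@example.com", "time": "2025-04-14T13:41:55Z", "ip": "198.51.100.23",
     "country": "NG", "lat": 6.45, "lon": 3.39, "status": 0, "mfa": False},
    {"upn": "bob@example.com", "time": "2025-04-14T09:15:00Z", "ip": "192.0.2.44",
     "country": "DE", "lat": 52.52, "lon": 13.40, "status": 0, "mfa": True},
    {"upn": "bob@example.com", "time": "2025-04-14T17:20:00Z", "ip": "192.0.2.45",
     "country": "DE", "lat": 52.52, "lon": 13.40, "status": 0, "mfa": True},
    {"upn": "carol@example.com", "time": "2025-04-14T08:00:00Z", "ip": "203.0.113.90",
     "country": "US", "lat": 40.71, "lon": -74.01, "status": 50126, "mfa": False},
]

# Assumed per-user baseline of countries each account normally signs in from.
# In production this would be built from several weeks of sign-in history.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"DE"},
    "carol@example.com": {"US"},
}

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed


def _haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sign_ins(records, known_countries):
    """Return (upn, ip, reason) tuples for successful sign-ins that come from
    a country outside the user's baseline or imply impossible travel since
    that user's previous successful sign-in."""
    by_user = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["status"] != 0:  # failed attempts cannot be an account takeover
            continue
        by_user.setdefault(rec["upn"], []).append(rec)

    findings = []
    for upn, events in by_user.items():
        prev = None
        for ev in events:
            reasons = []
            if ev["country"] not in known_countries.get(upn, set()):
                reasons.append(f"new country {ev['country']}")
            if prev is not None and prev["country"] != ev["country"]:
                hours = (_parse(ev["time"]) - _parse(prev["time"])).total_seconds() / 3600
                km = _haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                # hours <= 0 means two sign-ins at the same instant from
                # different countries, which is flagged without dividing by zero
                if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
                    reasons.append(f"impossible travel {km:.0f} km in {hours:.2f} h")
            if reasons and not ev["mfa"]:
                reasons.append("password-only sign-in")
            if reasons:
                findings.append((upn, ev["ip"], "; ".join(reasons)))
            prev = ev
    return findings


if __name__ == "__main__":
    for upn, ip, why in find_suspicious_sign_ins(SIGN_INS, KNOWN_COUNTRIES):
        print(f"{upn} from {ip}: {why}")
```

On the constructed data only Alice's second sign-in is flagged: Nigeria is outside her baseline, the hop from Chicago to Lagos in about forty minutes is far faster than 900 km/h, and the session was established with a password alone. Bob's two German sign-ins and Carol's failed attempt produce nothing, which is the point of gating on successful sign-ins and on a per-user baseline rather than on a global block list.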