Microsoft and Cloudflare Dismantle RaccoonO365 Phishing Network

In a joint cybersecurity operation, Microsoft and Cloudflare dismantled a sophisticated Phishing-as-a-Service (PhaaS) network known as RaccoonO365. This criminal operation was responsible for stealing thousands of Microsoft 365 account access credentials.


In early September 2025, Microsoft's Digital Crimes Unit (DCU), in collaboration with Cloudflare, including its Cloudforce One and Trust and Safety teams, neutralized the operation by seizing 338 websites and accounts associated with the RaccoonO365 network.

A sophisticated Phishing-as-a-Service scheme

The group behind the service, also tracked by Microsoft as Storm-2246, had been active since at least July 2024. Its specialty was creating and renting phishing kits that included CAPTCHA pages and anti-bot techniques. These advanced features made the fraudulent pages appear legitimate and made them difficult for security systems to detect and analyze.

Criminals who subscribed to the service used these kits to trick victims and steal their credentials, cookies, and other data from OneDrive, SharePoint, and email accounts. The stolen data was then used in financial fraud attempts, extortion attacks, or as a launching point to compromise other systems.

Thousands of victims and a dangerous target: the health sector

Since its inception, RaccoonO365 has been responsible for the theft of at least 5,000 user credentials in 94 countries. One of its most notorious campaigns occurred in April 2025, targeting more than 2,300 tax-related organizations in the United States.

Particularly alarming, the phishing kits have also been used in attacks against more than 20 healthcare organizations in the US.

"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have serious consequences for hospitals," said Steven Masada, Deputy General Counsel of Microsoft's DCU. "In these attacks, patient services are delayed, critical care is delayed or canceled, lab results are compromised, and sensitive data is breached, causing significant financial losses and directly impacting patients."

A profitable business via Telegram and cryptocurrencies

RaccoonO365 operated its business through a private Telegram channel that, by August 2025, had over 840 members. Phishing kit prices ranged from $355 (about €330) for a 30-day plan to $999 (about €930) for a 90-day subscription. Payments were made in cryptocurrencies such as USDT or Bitcoin.

Microsoft estimates the group received at least $100,000 (approximately €93,000) in payments, which suggests between 100 and 200 active subscriptions, although the actual number is likely much higher.

The investigation that led to a programmer in Nigeria

During the investigation, Microsoft's DCU identified Joshua Ogundipe, a Nigerian resident, as the leader of the RaccoonO365 operation. Ogundipe, with a background in programming, is believed to have authored most of the code. An operational security breach, in which the criminals inadvertently revealed a secret cryptocurrency wallet, was crucial to his identification.

Cloudflare also points to a possible collaboration with Russian-speaking cybercriminals, given the use of Russian in the name of the network's Telegram bot. A criminal complaint against Ogundipe has been filed with international authorities.
