
Microsoft and Cloudflare Shut Down RaccoonO365


Microsoft and Cloudflare have successfully disrupted the RaccoonO365 phishing operation, which was responsible for stealing thousands of user credentials. This joint effort led to the dismantling of the infrastructure behind the phishing service, which Microsoft tracks under the name Storm-2246.

Microsoft revealed that its Digital Crimes Unit had taken down RaccoonO365 by seizing 338 websites that were being used to harvest Microsoft 365 login information. According to the company’s press release, the Digital Crimes Unit used a court order from the Southern District of New York to shut down the service. This action disrupted the technical systems supporting the operation and blocked the attackers from reaching their victims. 

In September 2025, Cloudflare removed hundreds of domains and Worker accounts linked to RaccoonO365. This move was part of a coordinated effort that aligned with Microsoft’s civil lawsuit filed in August to halt the phishing campaign. Cloudflare stated that the takedown was a strategic measure to prevent abuse of its services and was carried out in collaboration with Microsoft’s broader legal actions. 

The RaccoonO365 phishing platform was sold as a subscription service, with prices ranging from three hundred fifty-five dollars to nine hundred ninety-nine dollars. Microsoft reported that the platform was used to steal more than five thousand Microsoft 365 credentials across ninety-four countries. 

Phishing as a service is a cybercrime model that provides phishing tools, website templates, hosting, and customer support through a subscription. This model allows even inexperienced attackers to launch sophisticated phishing campaigns by automating the process and distributing fake websites and emails, which increases the global threat of phishing. 

The service was promoted on Telegram and had between one hundred and two hundred subscribers. It generated over one hundred thousand dollars in cryptocurrency. Each subscription enabled the sending of thousands of phishing emails daily, resulting in hundreds of millions of emails sent annually. 

RaccoonO365 was involved in tax-related scams targeting two thousand three hundred organizations in the United States and at least twenty healthcare providers. These attacks posed serious risks including delayed medical care, compromised laboratory results, breaches of patient data, and financial damage. Due to the threat to public safety, Microsoft’s Digital Crimes Unit partnered with the Health Information Sharing and Analysis Center to pursue legal action.

Microsoft’s investigation also identified Joshua Ogundipe, a Nigerian national, as the leader of the RaccoonO365 operation. Ogundipe is a skilled programmer who developed most of the platform’s code, managed its sales, and provided customer support. His team used deceptive domain names to avoid detection, but a leaked cryptocurrency wallet eventually revealed their activities. 
