
A coordinated legal and technical operation by Microsoft and Cloudflare has successfully disrupted RaccoonO365, one of the fastest-growing Phishing-as-a-Service (PhaaS) platforms used by threat actors to steal Microsoft 365 credentials. The operation, which involved seizing 338 domains and executing a strategic infrastructure takedown, targeted a service that lowered the barrier to entry for sophisticated credential harvesting campaigns, including those bypassing multi-factor authentication (MFA)[1][2]. The service’s operator, identified as Joshua Ogundipe of Nigeria, is believed to have generated over $100,000 in revenue from a subscriber base of at least 100-200 cybercriminals[1].
**TL;DR: Executive Summary**
* **Threat:** RaccoonO365, a prolific Phishing-as-a-Service operation.
* **Action:** Microsoft obtained a U.S. court order to seize 338 domains; Cloudflare executed a coordinated “rugpull” takedown of the infrastructure hosted on its services.
* **Impact:** The service stole at least 5,000 credentials from victims in 94 countries and targeted over 2,300 U.S. organizations, including at least 20 healthcare providers.
* **Technique:** The phishing kits used CAPTCHA pages and anti-bot scripts to appear legitimate and were capable of stealing session cookies to bypass MFA.
* **Attribution:** Operation led by Joshua Ogundipe, based in Nigeria. A criminal referral has been made to international law enforcement.
* **Outlook:** The threat actors have signaled their intent to rebuild, offering compensation to affected subscribers.
**Operation Details and Scale**
The disruption was a multi-pronged effort. Microsoft’s Digital Crimes Unit (DCU) secured a court order from the U.S. District Court for the Southern District of New York, enabling the seizure of 338 domains central to the RaccoonO365 infrastructure[1]. Concurrently, Cloudflare’s Cloudforce One and Trust and Safety teams executed what they termed a “rugpull” takedown[2]. This involved a coordinated strike in early September 2025 in which Cloudflare banned associated domains, placed interstitial warning pages for visitors, terminated malicious Cloudflare Workers scripts, and suspended user accounts to prevent immediate re-registration[2]. This proactive approach marked a strategic shift from reactive domain takedowns to large-scale, pre-planned disruption of criminal infrastructure.
The scale of the operation was significant. Microsoft estimates the service was used to steal credentials from at least 5,000 victims across 94 countries since July 2024[1]. The service was marketed on a Telegram channel with over 850 members, and blockchain analysis revealed the operators received at least $100,000 in cryptocurrency payments, believed to represent between 100 and 200 subscriptions[1]. A single subscription allowed a threat actor to send up to 9,000 phishing emails per day, illustrating the massive potential volume of malicious traffic this service could generate[1].
**Technical Mechanics of the Phishing Kits**
The RaccoonO365 service was designed for ease of use, requiring no advanced technical skills from its subscribers. The kits allowed users to create convincing fraudulent emails and login pages that impersonated trusted brands like Microsoft, DocuSign, and Adobe[1][3]. A key technical feature was the implementation of a CAPTCHA page and other anti-bot techniques at the beginning of the phishing flow[2]. This served a dual purpose: it made the phishing page appear more legitimate to a potential victim, and it helped the kit evade automated scanning and detection systems that might categorize a simple login form as malicious.
Most critically, the phishing kits functioned as an adversary-in-the-middle (AiTM). When a victim entered their credentials, the kit would not only steal the username and password but also intercept the session cookies that are exchanged during a successful authentication[2]. This technique is particularly dangerous because these session cookies can be used by an attacker to hijack the user’s authenticated session, effectively bypassing multi-factor authentication protections even if they are enabled. This provided subscribers with persistent access to compromised accounts and systems.
**Attribution and Criminal Operation**
Microsoft’s DCU attributed the operation to Joshua Ogundipe, based in Nigeria, who is believed to have authored most of the RaccoonO365 code[1][3]. Attribution was aided by an operational security lapse in which the threat actor inadvertently disclosed a cryptocurrency wallet address, which was then analyzed using tools from Chainalysis[4]. Microsoft investigators also engaged directly with the threat actor, without disclosing their identity, to purchase phishing kits and track the financial flows[4][5]. Evidence, such as Russian language in a Telegram bot’s name, also suggested potential collaboration with Russian-speaking cybercriminals[2].
The operation was run as a professional criminal business. It offered tiered subscription plans, including a 30-day plan for $355 and a 90-day plan for $999, with payments accepted in USDT and Bitcoin[2]. The group provided customer support and was actively developing new features, including an AI-powered service called “RaccoonO365 AI-MailCheck” intended to further increase the sophistication of attacks[1]. A criminal referral for Ogundipe has been sent to international law enforcement agencies[1].
**Relevance and Remediation Steps**
The disruption of RaccoonO365 is highly relevant for security teams. It highlights the persistent threat of PhaaS, which commoditizes advanced attacks and makes them accessible to a wider range of threat actors. The specific use of AiTM phishing to bypass MFA is a critical threat vector that requires specific defensive measures.
For remediation and defense, organizations should implement and enforce phishing-resistant MFA methods, such as FIDO2 security keys, which are bound to the legitimate site’s origin and therefore cannot be completed through an AiTM proxy page, so no session cookie is ever issued to the attacker. Advanced email security solutions should be configured to detect and block emails that use brand impersonation and contain malicious links. Network monitoring should include analysis for suspicious authentication patterns (for example, a session reused from a new location or browser shortly after sign-in) and connections to newly registered domains, which are often used in phishing campaigns. Furthermore, user awareness training remains essential, focusing on identifying sophisticated phishing attempts that use techniques like CAPTCHAs to appear genuine.
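As an added example, not taken from the Microsoft or Cloudflare reports, the following Python script implements the "suspicious authentication pattern" check that the AiTM session-cookie theft described above calls for: it scans constructed sign-in log lines and flags a session identifier that reappears from a different source IP or user agent within minutes of the sign-in that issued it. The JSON field names and the 60-minute window are assumptions for this example, not any vendor's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (JSON lines). The field names are assumed
# for this example and do not follow any specific vendor's log schema.
SAMPLE_LOG = """\
{"ts":"2025-09-02T08:00:00Z","user":"alice@example.com","session_id":"s-111","ip":"203.0.113.10","ua":"Edge/128"}
{"ts":"2025-09-02T08:04:00Z","user":"alice@example.com","session_id":"s-111","ip":"198.51.100.77","ua":"Chrome/126"}
{"ts":"2025-09-02T09:00:00Z","user":"bob@example.com","session_id":"s-222","ip":"203.0.113.11","ua":"Edge/128"}
{"ts":"2025-09-02T09:30:00Z","user":"bob@example.com","session_id":"s-222","ip":"203.0.113.11","ua":"Edge/128"}
{"ts":"2025-09-02T10:00:00Z","user":"carol@example.com","session_id":"s-333","ip":"203.0.113.12","ua":"Edge/128"}
{"ts":"2025-09-02T14:00:00Z","user":"carol@example.com","session_id":"s-333","ip":"192.0.2.50","ua":"Edge/128"}
"""
# A stolen cookie is typically replayed within minutes of the victim's sign-in;
# a reuse hours later (carol) is left for slower review rather than flagged.
WINDOW = timedelta(minutes=60)

def parse_events(text):
    """Parse JSON-lines sign-in events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_session_reuse(events, window=WINDOW):
    """Flag a session id that reappears from a different IP or user agent
    within `window` of the sign-in that issued it (AiTM cookie replay)."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        first = evs[0]  # the MFA-satisfied sign-in that issued the session
        for later in evs[1:]:
            indicators = [k for k in ("ip", "ua") if later[k] != first[k]]
            if indicators and later["ts"] - first["ts"] <= window:
                findings.append({
                    "user": first["user"], "session_id": sid,
                    "origin_ip": first["ip"], "reuse_ip": later["ip"],
                    "minutes_after_login": int((later["ts"] - first["ts"]).total_seconds() // 60),
                    "indicators": indicators,  # response: revoke the user's sessions
                })
                break  # one finding per session is enough to trigger review
    return findings
```

Running `find_session_reuse(parse_events(SAMPLE_LOG))` flags only alice's session, whose cookie reappears from a new IP and browser four minutes after sign-in; the usual response is to revoke that user's sessions and reset credentials.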
**Conclusion and Future Outlook**
The takedown of RaccoonO365 is a significant blow to a large-scale criminal operation that targeted organizations globally, with a particularly alarming focus on the healthcare sector. The collaboration between private sector entities like Microsoft and Cloudflare demonstrates an effective model for disrupting cybercriminal infrastructure. However, this is unlikely to be a permanent solution. According to a report from The Hacker News, following the disruption, the threat actors announced they were “scrapping all legacy RaccoonO365 links” and offering affected customers an extra week of subscription as compensation, clearly signaling their intention to regroup and rebuild[6].
This event exemplifies the industrialized nature of modern cybercrime. It underscores the need for continuous vigilance, layered security defenses, and international cooperation among law enforcement and the security industry to counter the evolving tactics of threat actors who operate with increasing professionalism.