As of late 2025, Microsoft’s Digital Crimes Unit (DCU) has successfully disrupted RaccoonO365 — a rapidly growing phishing-as-a-service (PhaaS) platform used worldwide to harvest Microsoft 365 credentials at scale. The takedown was executed alongside Cloudflare, under a court order from the U.S. District Court for the Southern District of New York, which enabled the seizure of 338 malicious domains and related infrastructure used by the service. (The Official Microsoft Blog)
The service — also tracked by Microsoft under the label Storm-2246 — provided ready-made phishing kits that let even low-skill actors craft highly convincing fake Microsoft 365 login pages and send phishing emails to corporate targets. These kits were marketed on private Telegram channels, with subscription plans ranging from about $355 for 30 days up to $999 for 90 days in cryptocurrency. (Help Net Security)
Microsoft estimates RaccoonO365 was used to steal at least 5,000 Microsoft 365 credentials from victims in approximately 94 countries since mid-2024, affecting organisations across multiple sectors — including healthcare and financial services — and fuelling business email compromise and other fraud schemes. (The Hacker News)
What Was RaccoonO365?
RaccoonO365 (also tracked by security researchers as Storm-2246 and in some reports as Raccoon0365) was a subscription-based phishing kit and PhaaS platform that lowered the barrier for cybercriminals to conduct highly effective credential-harvesting campaigns:
- Subscription Model: Sold via private channels — especially a Telegram group with hundreds of members — with plans ranging roughly from $355 to $999 paid in cryptocurrency. (The Register)
- Phishing Kits: The service provided ready-made tools to craft convincing phishing emails, attachments, and fake login portals that mimicked official Microsoft 365 branding and login workflows. (Help Net Security)
- Adversary-in-the-Middle Capture: When victims entered their credentials, the kits could act as a proxy, capturing both passwords and session cookies, sometimes bypassing multi-factor authentication protections. (Help Net Security)
- Global Impact: Since mid-2024, these kits were used in campaigns that stole at least ~5,000 Microsoft 365 credentials across 94 countries, affecting corporate, financial, and educational institutions.
The model effectively “industrialised” phishing, transforming complex social-engineering attacks into a commoditised service that could be used by threat actors of varying technical skill levels. (CSO Online)
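A defender-side illustration of the adversary-in-the-middle point above, added here and not taken from Microsoft or any cited source: a captured session cookie carries an already-satisfied MFA claim, so its reuse appears as one session identifier presented from a second IP address and client shortly after issue. The event records and field names (`session`, `mfa`, `ua`) are constructed assumptions, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs). Field names are hypothetical
# and must be mapped to whatever the identity provider actually exports.
EVENTS = [
    {"ts": "2025-09-01T09:00:05", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.7", "ua": "Edge/Windows", "mfa": "interactive"},
    {"ts": "2025-09-01T09:04:40", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.50", "ua": "Firefox/Linux", "mfa": "from_token"},
    {"ts": "2025-09-01T09:10:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Chrome/macOS", "mfa": "interactive"},
    {"ts": "2025-09-01T09:30:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Chrome/macOS", "mfa": "from_token"},
    {"ts": "2025-09-01T08:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "192.0.2.77", "ua": "Safari/iOS", "mfa": "interactive"},
    {"ts": "2025-09-01T17:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "198.51.100.99", "ua": "Safari/iOS", "mfa": "from_token"},
]

def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Flag sessions reused from a new IP and new user agent soon after issue."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        origin = evs[0]  # first use of the session is treated as its origin
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs[1:]:
            moved = e["ip"] != origin["ip"] and e["ua"] != origin["ua"]
            no_fresh_mfa = e["mfa"] != "interactive"  # MFA claim came from the token
            soon = datetime.fromisoformat(e["ts"]) - t0 <= window
            if moved and no_fresh_mfa and soon:
                findings.append({"user": e["user"], "session": session,
                                 "origin_ip": origin["ip"], "replay_ip": e["ip"]})
                break  # one finding per session is enough for triage
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

Requiring both the IP and the client to change keeps a roaming phone (carol) from alerting; a deployment would tune the window and add known-egress allowlists.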

The takedown of RaccoonO365 involved technical, legal, and investigative steps led by Microsoft alongside industry and law enforcement partners:
1. Tracking and Infiltration
Microsoft’s Digital Crimes Unit actively monitored underground threat activity and tracked RaccoonO365’s growth and impact, also purchasing phishing kits and accessing the service itself to understand its mechanisms and infrastructure. (Help Net Security)
2. Cryptocurrency and Technical Analysis
A crucial breakthrough occurred when investigators spotted an operational security lapse: attackers inadvertently exposed a secret cryptocurrency wallet used for subscriptions. Tracing blockchain transactions linked these wallets to the service’s operators, helping to map revenue flows and infrastructure operations. (Help Net Security)
3. Legal Action & Domain Seizure
Based on this intelligence, Microsoft filed lawsuits and obtained a court order from the U.S. Southern District of New York authorising the seizure of phishing domains. Working with Cloudflare, teams executed the takedown, removing 338 associated domains and disabling Worker accounts and scripts used to serve fraudulent content. (The Official Microsoft Blog)
4. Collaboration with Partners
Cloudflare’s analysis — including patterns of signups and infrastructure usage — helped map out and preemptively disrupt the threat. Social engineering campaigns and automated malicious email pipelines were disrupted as domains were disabled and warning pages deployed where possible. (TahawulTech.com)
5. Attribution and Enforcement
Digital forensic investigation eventually identified key figures behind the platform, particularly a Nigeria-based programmer widely reported in news sources as Joshua Ogundipe and, in related filings, a developer named Okitipi Samuel (aka Moses Felix). Intelligence from Microsoft shared with law enforcement enabled targeted police operations in Nigeria that led to arrests and seizure of devices linked to the operation. (Punch Newspapers)

Attribution and criminal enforcement
Microsoft’s investigation attributed the platform to Joshua Ogundipe, a Nigeria-based programmer identified as the principal developer and promoter of the RaccoonO365 phishing kits. An operational security slip that exposed a secret cryptocurrency wallet helped DCU researchers link the service to Ogundipe and understand the group’s operations. (Help Net Security)
Local law enforcement has since acted on this intelligence. Reports from Nigeria indicate that the Nigeria Police Force National Cybercrime Centre (NPF-NCCC) — in cooperation with Microsoft, the FBI, and the U.S. Secret Service — arrested several suspects connected to the phishing infrastructure in September–October 2025, including Ogundipe and associates, and seized digital evidence tied to the campaign. (Vanguard News)