Cybercrime

RaccoonO365 Phishing Service Disrupted, Leader Identified

Microsoft and Cloudflare have teamed up to take down the infrastructure used by RaccoonO365.


Microsoft and Cloudflare announced on Tuesday that they have teamed up to disrupt the RaccoonO365 phishing service, which has been used by cybercriminals to steal thousands of users’ credentials. 

RaccoonO365, which has been around for more than a year, has been rented to cybercriminals for between $355 (30-day plan) and $999 (90-day plan) under a phishing-as-a-service (PhaaS) model. Microsoft estimates that the operation earned the criminal enterprise at least $100,000 in cryptocurrency. 

The phishing service has been advertised on a Telegram channel with over 850 members, and Microsoft believes RaccoonO365 had at least 100-200 subscribers.

RaccoonO365 enables users to create fake emails, attachments with a link or QR code, and phishing websites designed to trick victims into handing over their Microsoft 365 usernames and passwords. The fake emails and websites look realistic and creating them does not require any advanced skills.

According to Microsoft, at least 5,000 credentials from users across 94 countries have been stolen through RaccoonO365 since July 2024, although the tech giant pointed out that the attackers were likely not able to use all of the compromised credentials to access networks or conduct fraud. 

Microsoft and Cloudflare have taken action against RaccoonO365 on several fronts. Microsoft teamed up with healthcare cybersecurity non-profit Health-ISAC to file a lawsuit against RaccoonO365 operators. 


Microsoft partnered with Health-ISAC because RaccoonO365 has been used to target at least 20 healthcare organizations in the US, which Microsoft says “puts public safety at risk”: RaccoonO365 phishing emails often lead to malware and ransomware, which can have a severe impact on hospitals.

In addition to the lawsuit, Microsoft’s Digital Crimes Unit (DCU) has seized over 330 domains associated with the phishing service, which has disrupted the cybercriminals’ technical infrastructure and cut off their access to victims. 

Cloudflare was involved in the operation against RaccoonO365 because its own services were abused, including for anti-analysis and evasion.

“Before a request was passed to the actual phishing server, a Cloudflare Workers script inspected the request to determine if it originated from a security researcher, automated scanner, or sandbox. If any red flags were raised, the connection would be dropped or the client would receive an error message, effectively hiding the phishing kit,” the web security firm explained. 
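A defender-side check for the cloaking behaviour described in the quote above, added here as an illustration and not code from Cloudflare or Microsoft: replay the same URL with several client profiles and flag a page that serves a credential form only to browser-looking clients. The profiles, `fake_fetch` and the canned responses are constructed stand-ins; a real run would swap `fake_fetch` for an HTTP client.

```python
import difflib
import re

# Client profiles an analyst replays the same URL with (constructed values).
PROFILES = {
    "victim_browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0",
                       "Accept-Language": "en-US,en;q=0.9"},
    "headless": {"User-Agent": "Mozilla/5.0 HeadlessChrome/128.0", "Accept-Language": "en-US"},
    "scanner": {"User-Agent": "python-requests/2.32"},
}

def normalize(body):
    body = re.sub(r"nonce=[A-Za-z0-9]+", "nonce=X", body)  # drop per-request noise
    return re.sub(r"\s+", " ", body).strip().lower()

def has_password_field(body):
    return re.search(r"<input[^>]+type=[\"']?password", body, re.I) is not None

def cloaking_verdict(url, fetch, profiles=PROFILES, threshold=0.6):
    """fetch(url, headers) -> (status, body). Every profile is compared with the
    victim-browser baseline; a credential page that only browser-looking clients
    receive (other profiles get a different status or a dissimilar body) is flagged."""
    base_status, base_body = fetch(url, profiles["victim_browser"])
    base_norm = normalize(base_body)
    divergent = []
    for name, headers in profiles.items():
        if name == "victim_browser":
            continue
        status, body = fetch(url, headers)
        ratio = difflib.SequenceMatcher(None, base_norm, normalize(body)).ratio()
        if status != base_status or ratio < threshold:
            divergent.append(name)
    login = has_password_field(base_body)
    return {"login_form_for_browser": login, "divergent_profiles": divergent,
            "cloaking_suspected": login and bool(divergent)}

# Constructed responses modelling a cloaked kit: only the browser profile sees the form.
LOGIN_PAGE = "<html><form action='/post'><input type='email'><input type='password'></form></html>"
CLOAKED = {"HeadlessChrome": (403, "Forbidden"),
           "python-requests": (200, "<html><body>Not found</body></html>"),
           "Windows NT": (200, LOGIN_PAGE)}

def fake_fetch(url, headers):
    ua = headers.get("User-Agent", "")
    for marker, resp in CLOAKED.items():  # hypothetical stand-in for a real request
        if marker in ua:
            return resp
    return (404, "")

if __name__ == "__main__":
    print(cloaking_verdict("https://example.invalid/login", fake_fetch))
```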

Cloudflare’s actions were carried out over several days in early September, and the cybercriminals attempted to make changes in response.

The company has banned domains used by RaccoonO365 and placed phishing warnings in front of them, removed the Workers scripts used by the hackers, and suspended the user accounts associated with the operation. 

In addition to disrupting RaccoonO365 infrastructure, Microsoft announced that it has identified the alleged leader of the operation. 

The suspect is Joshua Ogundipe, a programmer from Nigeria. Microsoft believes he wrote most of the code, but the company’s blog post indicates that he had several associates who aided with development, customer support, and sales. 

Microsoft has notified international law enforcement about Ogundipe.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
