
Microsoft has dismantled RaccoonO365, a Nigerian-led phishing-as-a-service network linked to thousands of stolen Microsoft 365 credentials. The company seized 338 domains and identified leader Joshua Ogundipe.

 

Microsoft Takes Down RaccoonO365 Phishing Operation

Microsoft’s Digital Crimes Unit (DCU) has successfully disrupted RaccoonO365, a notorious phishing-as-a-service (PhaaS) platform responsible for stealing thousands of Microsoft 365 credentials worldwide.

The operation, led by a Nigeria-based cybercriminal identified as Joshua Ogundipe, involved seizing 338 malicious domains that hosted fake Microsoft login pages and routed stolen data. The takedown was authorised through a U.S. court order from the Southern District of New York.

How RaccoonO365 Operated

RaccoonO365 offered subscription-based phishing kits, sold primarily on Telegram, allowing even low-skilled attackers to:

  • Impersonate Microsoft emails and communications.
  • Host fake login portals.
  • Harvest usernames and passwords at scale.

Since July 2024, the service has been linked to the theft of at least 5,000 Microsoft credentials across 94 countries. A single subscription allowed criminals to send thousands of phishing emails daily, scaling to hundreds of millions of malicious messages per year.

Role of Joshua Ogundipe

According to Microsoft, Ogundipe and his associates played specialised roles, including:

  • Coding and developing the phishing kits.
  • Selling subscriptions to cybercriminals.
  • Providing customer support for buyers.

Investigators revealed that Ogundipe’s computer programming background made him the primary author of the phishing code. An operational security lapse, in which the group accidentally exposed a cryptocurrency wallet, enabled Microsoft to track and attribute the network’s operations.

Microsoft has referred Ogundipe’s case to international law enforcement.

Risks to Healthcare and Public Safety

The DCU stressed that RaccoonO365 went beyond credential theft—it targeted critical sectors. Notably:

  • A tax-themed phishing campaign hit more than 2,300 organisations, mainly in the U.S.
  • At least 20 U.S. healthcare organisations were directly targeted.

Working with Health-ISAC, a global non-profit specialising in healthcare cybersecurity, Microsoft warned that such attacks could lead to ransomware intrusions, disrupted patient care, and exposed health data.

Rapid Growth and AI-Powered Services

Within just a year, RaccoonO365 evolved rapidly, upgrading its phishing kits to meet high demand. Features included:

  • Targeting up to 9,000 email addresses daily.
  • Advanced techniques to bypass multi-factor authentication (MFA).
  • A new AI-powered tool, RaccoonO365 AI-MailCheck, designed to scale attacks and increase phishing sophistication.

Microsoft Most Impersonated Brand

Supporting Microsoft’s findings, a recent report by Check Point Research revealed that Microsoft was the most impersonated brand in phishing campaigns between April and June 2025, appearing in 25% of all phishing attempts globally. Networks like RaccoonO365 contributed significantly to this surge.

Conclusion

Microsoft’s disruption of RaccoonO365 highlights the growing threat of phishing-as-a-service networks and their impact on global cybersecurity. By taking down hundreds of malicious domains and exposing key actors, Microsoft aims to reduce phishing attempts and safeguard critical industries worldwide.

 
