
Microsoft and Cloudflare have disrupted a large-scale phishing-as-a-service operation, known as RaccoonO365, which helped cybercriminals steal thousands of Microsoft 365 credentials.
In early September 2025, in coordination with Cloudflare’s Cloudforce One and Trust and Safety teams, Microsoft’s Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Workers accounts associated with RaccoonO365.
The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from at least 94 countries since July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.
For example, a large-scale RaccoonO365 tax-themed phishing campaign targeted more than 2,300 organizations in the United States in April 2025, and these phishing kits have also been deployed in attacks against more than 20 US healthcare organizations.
The credentials, cookies and other data stolen from the victims’ OneDrive, SharePoint, and email accounts were later used in financial fraud attempts, extortion attacks, or as initial access to the systems of other victims.
“It risks public safety, because RaccoonO365 phishing emails are often a precursor for malware and ransomware, which have serious consequences for hospitals,” said Steven Masada, Assistant General Counsel for Microsoft’s Digital Crimes Unit.
“In these attacks, patient services are delayed, significant care is postponed or canceled, laboratory results are compromised, and sensitive data is breached, causing major financial damage and directly affecting patients.”
RaccoonO365 rented out its subscription-based phishing kit through a private Telegram channel, which had more than 840 members as of August 25, 2025. Prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC).

Microsoft estimated that the group received at least $100,000 in cryptocurrency payments, suggesting that there are about 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.
During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.
Cloudflare also believes that RaccoonO365 collaborates with Russian-speaking cybercriminals, based on the use of Russian in its Telegram bot.
“Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have written most of the code,” Masada said.
“An operational security lapse by the threat actors, in which they inadvertently revealed a secret cryptocurrency wallet, helped the DCU’s understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement.”
In May, Microsoft also seized 2,300 domains in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.


