RaccoonO365 phishing network regroups after Microsoft and Cloudflare takedown
Kirsten Peremore
Sep 25, 2025 7:46:29 AM

In September 2025, Microsoft’s Digital Crimes Unit (DCU) and Cloudflare dismantled the RaccoonO365 phishing-as-a-service network, which had been active since September 2024 and was responsible for stealing more than 5,000 Microsoft 365 credentials from victims in 94 countries.
What happened
Acting under a court order from the Southern District of New York, the DCU coordinated the seizure of 338 domains linked to the group between September 2 and September 8, 2025, with Cloudflare banning domains, terminating Workers scripts, placing warning pages, and suspending user accounts. The threat group, tracked by Microsoft as Storm-2246, operated on a subscription basis, charging $355 for 30 days or $999 for 90 days, and used its platform to mimic trusted brands such as Microsoft, DocuSign, Adobe, SharePoint, and Maersk to harvest login credentials.
Campaigns delivered through RaccoonO365 targeted more than 2,300 U.S. organizations, including at least 20 healthcare entities, and even deployed malware like Latrodectus and GuLoader. Microsoft attributed the operation to Joshua Ogundipe, a Nigerian national who, along with four associates, advertised the tool through a Telegram channel of 850 members, collecting over $100,000 in cryptocurrency payments.
Cloudflare described the takedown as a proactive, large-scale disruption meant to increase costs for cybercriminals and deter future abuse of its infrastructure.
The bigger picture
Microsoft 365 is the most frequently breached email security provider in the healthcare sector. It accounted for 43.3% of all email-related healthcare breaches in 2024, which translates to 78 organisations. This figure rose sharply to 52% of incidents in the first half of 2025.
Nearly half of healthcare email breaches originate from Microsoft 365 alone. Many healthcare organisations using Microsoft 365 fail to configure its security tools properly. For instance, 37.2% of breached Microsoft 365 users had DMARC in "monitor-only" mode, which allows phishing attacks to go undetected.
What was said
In a Microsoft post, Steven Masada, Assistant General Counsel of Microsoft’s Digital Crimes Unit, notes: “RaccoonO365, tracked by Microsoft as Storm-2246, offers subscription-based phishing kits. These let anyone—even those with little technical skill—steal Microsoft credentials by mimicking official Microsoft communications. To deceive users, RaccoonO365’s kits use Microsoft branding to make fraudulent emails, attachments, and websites appear legitimate, enticing recipients to open, click, and enter their information.
Since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cybercriminals.”
What’s next
Microsoft and Cloudflare have raised the cost of running the network, but the group’s quick move to migrate customers and develop AI-driven tools shows the fight is entering a new phase. Law enforcement, security providers, and enterprises will need to prepare for more advanced phishing attacks tied to RaccoonO365 in late 2025 and beyond.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is a phishing attack?
A phishing attack is when cybercriminals trick people into revealing sensitive information, like usernames, passwords, or financial data, by pretending to be a trusted company or person.
How do phishing emails look convincing?
Attackers often mimic well-known brands such as Microsoft, DocuSign, or Adobe, copying their logos, colors, and email styles. Some even use tools like CAPTCHAs or bot detection to make the fake sites look more authentic, as seen with RaccoonO365.
Why are phishing attacks dangerous?
They can steal login credentials that give attackers access to email accounts, business systems, or cloud services. Stolen accounts may then be used for fraud, ransomware, or even to launch further attacks on other organizations.