Microsoft Smash 'RaccoonO365' Phishing Service - Science Techniz


RaccoonO365 has been described as the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords. It is a Phishing-as-a-Service (PhaaS) offering that targeted Microsoft 365 users with convincing, ready-made credential-harvesting pages. This is a deep dive into the recent coordinated action by Microsoft, Cloudflare, and law enforcement to dismantle the platform, and what it means for the broader cybercrime landscape.

In mid-September 2025, Microsoft’s Digital Crimes Unit, working with Cloudflare and U.S. law enforcement partners, secured court authorization to seize a large set of domains and infrastructure tied to a subscription-style phishing operation known as RaccoonO365. The coordinated action disrupted hundreds of active phishing sites that were used to harvest Microsoft 365 credentials and other sensitive data from victims worldwide.

Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service.

According to public disclosures from the parties involved, investigators seized 338 domains that formed a core part of the RaccoonO365 infrastructure. The operation had been offered as a commercial, subscription-based phishing toolkit that allowed subscribers to generate convincing Microsoft 365 login pages at scale. Industry reporting ties the service to the theft of more than 5,000 credentials across dozens of countries and to large thematic campaigns that targeted thousands of organizations at a time.

How they coordinated the disruption

The takedown combined legal, technical, and platform-level steps. Microsoft obtained a U.S. District Court order to take control of domain registrations and hosting records linked to the service. Cloudflare assisted by disabling Worker accounts and other platform components that RaccoonO365 relied on to hide its backend and rapidly spin up new pages. 

Public reporting highlights the value of platform cooperation: service providers can interrupt infrastructure lifecycles faster than law enforcement alone can achieve. The precise number of seized sites has been reported as 338 in Microsoft's statement and as "nearly 340" in some press coverage; the disruption was achieved through a combination of court orders, platform actions, and law enforcement support.

Who is RaccoonO365?

RaccoonO365 is a threat group whose kits are built to steal Microsoft 365 credentials and, by capturing session cookies, to get past some multi-factor authentication (MFA) protections. The service was marketed and sold through a private Telegram channel and subscription listings. Microsoft’s filings and multiple news outlets name a suspected operator (reported as Joshua Ogundipe, based in Nigeria) and note a Telegram community that helped distribute the service. Subscription payments were collected in cryptocurrency.

RaccoonO365 provided ready-made phishing templates that mimicked Microsoft login flows, tooling to capture credentials and session cookies, and techniques intended to evade detection and even some MFA protections. Capturing the session cookie issued after a successful MFA sign-in is what lets an attacker replay the authenticated session without ever presenting the second factor, which is why MFA alone did not stop these campaigns. Customers could spin up convincing credential-harvesting pages at scale, enabling broad campaigns that targeted organizations across many sectors. Microsoft and industry tracking attribute at least ~5,000 stolen Microsoft 365 credentials spanning dozens of countries to the service.

Three lessons follow from the operation. First, providers that host or proxy web traffic can quickly render phishing infrastructure unusable once they identify malicious behavior and act on court-authorized orders. Second, attribution and evidence collection remain critical: successful civil actions require thorough logging, chain-of-custody records, and careful legal drafting. Third, public-private collaboration, including industry sharing groups and victims who report incidents, amplifies the reach of any single takedown.

The victims’ perspective

For the thousands of organizations whose employees were targeted, the immediate relief of seeing phishing domains seized is significant, but it does not undo the compromises already made. Credential theft has downstream consequences: once stolen, usernames and passwords can be resold, reused in credential-stuffing attacks, or exploited for lateral movement within corporate networks. Victims often face secondary extortion or business email compromise (BEC) attempts long after the initial phishing campaign has ended.

Phishing-as-a-service (PhaaS) platforms like RaccoonO365 democratize access to advanced attack infrastructure. By lowering the technical barrier to entry, they allow less-skilled cybercriminals to run campaigns that once required custom coding and infrastructure management. Subscription models often include customer support, regular updates to evade detection, and access to fresh domain registrations. This professionalization of cybercrime mirrors the SaaS economy and challenges defenders to innovate at the same speed.

While technology companies can move quickly to disable accounts and infrastructure, law enforcement provides the legal authority to seize domains, collect evidence, and pursue the individuals behind such services. Policy frameworks, both domestic and international, influence the speed and scope of these takedowns. Harmonized cybercrime treaties, information-sharing agreements, and joint task forces all play a role in ensuring that actions in one jurisdiction can have global effect.

Enterprises can reduce the impact of phishing campaigns by adopting phishing-resistant authentication methods such as FIDO2 security keys or passkeys bound to a device's platform authenticator, which a proxied login page cannot relay. Conditional Access policies that block risky sign-ins by location or device state, or that require a phishing-resistant authentication strength, provide additional safeguards. Continuous monitoring for anomalous sign-ins (including session tokens reused from unexpected locations), proactive credential resets combined with session revocation after major takedowns, and robust employee awareness campaigns remain vital pillars of a defense strategy.
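The monitoring step above is easiest to see in working code. The following detector, added here as an example and not taken from RaccoonO365 tooling or from Microsoft, looks for the trace a replayed session cookie leaves in sign-in records: the same session identifier reappearing from a different IP address and country within a short window of the original MFA sign-in. The record layout and field names are a simplified stand-in for an exported sign-in log and are an assumption, as are the constructed sample records.

```python
"""Flag Microsoft 365 sign-ins whose session is reused from a different network
shortly after it was issued: the trace left when a session cookie captured by a
phishing proxy is replayed by the attacker.

Added example for this article; it is not RaccoonO365 tooling or Microsoft code.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real data). The field names are a simplified
# stand-in for an Entra ID sign-in log export; that mapping is an assumption.
SAMPLE_SIGNINS = [
    # alice signs in with MFA, then her session id shows up 7.5 minutes later
    # from a different IP in a different country without MFA: cookie replay.
    {"time": "2025-09-16T08:02:11Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "country": "US", "session_id": "s-1001", "mfa": True},
    {"time": "2025-09-16T08:09:40Z", "user": "alice@example.com",
     "ip": "198.51.100.77", "country": "DE", "session_id": "s-1001", "mfa": False},
    # bob's session is refreshed hours later from the same address: benign.
    {"time": "2025-09-16T09:15:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "country": "US", "session_id": "s-2002", "mfa": True},
    {"time": "2025-09-16T14:30:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "country": "US", "session_id": "s-2002", "mfa": False},
    # carol's session moves country, but only after 6.5 hours (records are
    # deliberately out of order to exercise the sort).
    {"time": "2025-09-17T09:30:00Z", "user": "carol@example.com",
     "ip": "192.0.2.99", "country": "FR", "session_id": "s-3003", "mfa": False},
    {"time": "2025-09-17T03:00:00Z", "user": "carol@example.com",
     "ip": "192.0.2.5", "country": "DE", "session_id": "s-3003", "mfa": True},
]


def parse_time(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form 2025-09-16T08:02:11Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replays(records, window_hours: float = 1.0):
    """Return one alert per hop where the same session id reappears from a
    different IP *and* country within window_hours of the previous sign-in.
    Requiring both to change cuts false positives from ordinary IP churn."""
    window = timedelta(hours=window_hours)
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        for prev, cur in zip(events, events[1:]):
            gap = parse_time(cur["time"]) - parse_time(prev["time"])
            moved = cur["ip"] != prev["ip"] and cur["country"] != prev["country"]
            if moved and gap <= window:
                alerts.append({
                    "user": cur["user"],
                    "session_id": session_id,
                    "from": f'{prev["ip"]} ({prev["country"]})',
                    "to": f'{cur["ip"]} ({cur["country"]})',
                    "minutes": round(gap.total_seconds() / 60, 1),
                    "mfa_on_reuse": cur["mfa"],
                })
    return alerts


def users_to_remediate(alerts):
    """Accounts whose sessions should be revoked and passwords reset. A reset
    alone does not invalidate tokens already issued, so both steps are needed."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = find_session_replays(SAMPLE_SIGNINS)
    for alert in found:
        print(alert)
    print("remediate:", users_to_remediate(found))
```

With the default one-hour window only alice's session is flagged; widening the window to eight hours also catches carol's slower hop, which shows why the window is a tuning decision rather than a constant. In production the same logic would run over the tenant's real sign-in export, and a hit should trigger session revocation and a credential reset for the account, not just a password change.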

The takedown of RaccoonO365 is part of a broader trend of proactive, public-private operations that target the infrastructure of cybercrime rather than just its individual operators. These efforts disrupt the economic viability of PhaaS models, raising costs for attackers and buying time for defenders. However, the adaptability of cybercriminal groups means that similar services will emerge with new branding, distribution models, and hosting techniques.

Ultimately, the lesson from this crackdown is not only that large-scale disruption is possible but also that resilience requires ongoing coordination. As PhaaS evolves, so too must the coalitions of defenders who seek to contain it.
