Microsoft and Cloudflare have successfully dismantled a phishing network that compromised thousands of Microsoft 365 credentials. The operation, known as RaccoonO365, was tracked by Microsoft as Storm-2246 and has been linked to a significant criminal enterprise that generated an estimated revenue of at least $100,000.
Details of the Dismantling Operation
The joint effort involved Microsoft’s Digital Crimes Unit and Cloudflare, which collaborated to disrupt a service that sold phishing kits to cybercriminals by subscription. These kits mimicked legitimate Microsoft login pages and employed CAPTCHA screens to deceive users. Since July 2024, the RaccoonO365 kits are believed to have facilitated the theft of more than 5,000 sets of credentials from victims across 94 countries.
Joshua Ogundipe, identified as the leader of the group, operates from Nigeria. The service was marketed on Telegram, where it accumulated hundreds of subscribers. Microsoft obtained a court order from the Southern District of New York allowing the seizure of 338 websites associated with this phishing scheme.
The Impact of Phishing-as-a-Service
Microsoft’s Digital Crimes Unit highlighted the accessibility of cybercrime tools like RaccoonO365, stating, “This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm.” The service used straightforward tactics to lure victims, allowing attackers to bypass multi-factor authentication and steal session cookies once credentials were entered.
Cloudflare’s Cloudforce One and Trust and Safety teams played a crucial role in this operation. They implemented measures to disable Worker accounts and placed warning pages in front of malicious domains to restrict access. These phishing kits operated on a tiered pricing model, with subscriptions to the RaccoonO365 Suite priced at $355 for 30 days or $999 for 90 days, with payments accepted only in cryptocurrency.
Cloudflare emphasized that this action is part of a broader strategy to counter phishing-as-a-service platforms, noting, “Our response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption.” The goal is to increase operational costs for these criminal enterprises and to send a clear message that the risks associated with such activities far outweigh any potential rewards.
Both companies are committed to continuing their efforts against phishing services that threaten millions of users worldwide. As cyber threats evolve, the collaboration between major tech firms like Microsoft and Cloudflare becomes increasingly vital in safeguarding digital environments.
