Microsoft and Cloudflare Take Down Phishing Service RaccoonO365

Microsoft and Cloudflare have shut down a Phishing-as-a-Service (PhaaS) operation known as RaccoonO365, which had been used to steal thousands of Microsoft 365 credentials worldwide.

How RaccoonO365 Worked

The service enabled its subscribers to build phishing campaigns with emails, malicious attachments, QR code lures, and phishing websites specifically crafted to harvest Microsoft 365 login details. Since July 2024, attackers using the platform have compromised at least 5,000 accounts across 94 countries, according to Microsoft.

RaccoonO365 phishing kits included CAPTCHA pages and anti-bot checks to mimic legitimate websites and avoid detection. In one April 2025 campaign, more than 2,300 U.S. organizations—many tied to tax filings—were targeted. The same kits were also used against over 20 healthcare institutions in the United States.

Takedown Operation

In early September 2025, Microsoft’s Digital Crimes Unit (DCU), working with Cloudflare’s Cloudforce One and Trust and Safety teams, seized 338 websites and Cloudflare Worker accounts tied to the service.

The group behind RaccoonO365 is tracked by Microsoft under the codename Storm-2246. Stolen data—ranging from credentials to cookies, OneDrive files, and mailbox contents—was monetized through financial fraud, extortion, and secondary intrusions.

Business Model

The phishing kits were sold via subscription in a private Telegram channel with more than 840 members as of August 25, 2025. Pricing ranged from $355 per month to $999 for three months, with payments accepted in USDT and Bitcoin. Microsoft estimates the operators made at least $100,000 in cryptocurrency, though the real figure may be higher.

Cloudflare played a crucial role because the attackers misused its services for obfuscation. A Cloudflare Workers script acted as a filter—screening requests to identify security researchers, automated scanners, or sandboxes. If flagged, the connection was blocked or redirected, effectively concealing the phishing kits.

Attribution

According to DCU, the leader of RaccoonO365 is Nigerian programmer Joshua Ogundipe, believed to have written most of the service’s code. Investigators traced him after the group accidentally exposed a cryptocurrency wallet, a key operational mistake. Microsoft says the evidence has been handed over to international law enforcement agencies.