Microsoft & Cloudflare Dismantle Massive Phishing-as-a-Service Platform
Microsoft, in collaboration with Cloudflare, has carried out a sweeping operation against RaccoonO365, a Phishing-as-a-Service (PhaaS) platform widely used to steal Microsoft 365 credentials around the world. In a coordinated action, 338 domains were seized, crippling the attackers' infrastructure and cutting off their access to stolen credentials and victims' data. According to Microsoft's Digital Crimes Unit (DCU), since July 2024 alone the operators of RaccoonO365 had compromised more than 5,000 user accounts in 94 countries.
The takedown was executed under a court order authorizing domain and infrastructure seizures. The first wave began on September 2, 2025, and by September 8 the operation was complete: domains were blacklisted, phishing pages replaced with warning notices, Cloudflare Workers scripts disabled, and malicious accounts frozen. Microsoft emphasized that this marked a shift from targeted takedowns to the broad dismantling of an entire criminal ecosystem supporting RaccoonO365’s clientele.
Microsoft has designated the group as Storm-2246. Their platform operated on a subscription model—$355 for 30 days or $999 for 90 days—and was marketed as a tool for “serious players,” promising bulletproof VPS hosting without hidden backdoors. Since September 2024, RaccoonO365 was used to mount phishing campaigns masquerading as emails from well-known corporations including Microsoft, DocuSign, Adobe, SharePoint, and Maersk. Victims were lured to counterfeit login portals where their credentials were stolen. These campaigns often served as the staging ground for malware deployment and ransomware attacks.
A major defensive challenge was the abuse of legitimate Cloudflare features, such as Turnstile CAPTCHA verification and traffic-filtering scripts, which were weaponized to keep researchers and automated scanners away from the phishing pages while granting seamless access to targeted victims. In practice this means a URL sandbox or crawler that does not complete the challenge may only ever see a CAPTCHA or a benign page, so a "clean" automated verdict on a link of this kind is not conclusive. In April 2025, Microsoft observed campaigns using RaccoonO365 to distribute tax-themed lures that delivered Latrodectus, AHKBot, GuLoader, and BruteRatel C4, further underscoring its role as a backbone for large-scale cybercrime.
The impact was particularly severe in the United States, where over 2,300 organizations, including around 20 healthcare providers, fell victim. Customers of the service could target up to 9,000 addresses daily and used techniques to bypass multi-factor authentication, which let them retain access to compromised accounts long after the initial credential theft. More recently, the operators introduced an add-on dubbed AI-MailCheck, advertised as using artificial intelligence to make phishing campaigns more effective.
Microsoft has linked the creation and operation of RaccoonO365 to Joshua Ogundipe, a Nigerian national identified after an OpSec mistake exposed a cryptocurrency wallet tied to subscription payments. Criminal proceeds are estimated to exceed $100,000 in digital currency, with between 100 and 200 subscriptions sold. Advertising was conducted through a Telegram channel with more than 850 members. While Ogundipe and his close associates remain at large, Microsoft has forwarded intelligence to international law enforcement agencies.
Cloudflare stressed that dismantling hundreds of domains and accounts was intended not only to raise the operational costs for RaccoonO365 but also to send a clear warning: attempts to weaponize the company’s infrastructure for cybercrime will not go unpunished. Following the takedown, the service’s administrators claimed they had switched to new links and even promised disgruntled customers an extra week of access as “compensation.”