
Major cybersecurity actions by Microsoft and Cloudflare have successfully dismantled a significant phishing campaign.

RaccoonO365's platform offering phishing schemes has gained notoriety through Telegram, becoming increasingly prominent.

Major phishing scheme dismantled by Microsoft and Cloudflare collaboration

In a significant move to protect internet users worldwide, Microsoft's Digital Crimes Unit (DCU) and Cloudflare have collaborated to take down RaccoonO365, a notorious phishing group that had been putting internet users at serious risk since June 2024.

RaccoonO365, designated by Microsoft as 'Storm-2246' (a designation Microsoft uses for groups still in development), rapidly rose to prominence and was directly linked to the theft of at least 5,000 Microsoft 365 credentials across 94 countries. The group's phishing-as-a-service (PhaaS) offering was used in thousands of attacks worldwide.

Microsoft Threat Intelligence warned of phishing attacks disguised as enterprise and tax documents, launched against 2,300 US organizations via RaccoonO365 in April. By August 2025, RaccoonO365's tool was capable of real-time data exfiltration and the group had begun to advertise an AI-powered tool 'RaccoonO365 AI-MailCheck'.

Microsoft's DCU identified the group's leader as Joshua Ogundipe, based in Nigeria. Ogundipe is believed to have written the majority of the tool's code, which includes protections that block connections from 17 major security vendors, and to have made at least $100,000 selling 'RaccoonO365 Suite' subscriptions on Telegram. RaccoonO365 is believed to have 100-200 active subscribers, all paying in cryptocurrency.

Since December 2024, RaccoonO365 had been deploying Cloudflare Worker clusters to obscure its attack infrastructure. Cloudflare had been mitigating individual RaccoonO365 domains based on complaints but partnered with Microsoft to take broader legal action against the group. As a result, Cloudflare has banned all Workers scripts linked to RaccoonO365, suspended associated user accounts, and placed phishing warnings on banned domains.

The Telegram group associated with RaccoonO365 advertised that the operators managed all technical updates and offered a clean codebase free of backdoors or tracking. Microsoft 365 credentials stolen in RaccoonO365 attacks are especially damaging for victims who reuse passwords across accounts, since a single stolen password can then unlock unrelated services.

Microsoft stated that RaccoonO365's operators will likely attempt to rebuild infrastructure, and it will continue to take legal action to prevent attackers from resuming their operations. The full takedown began on 2 September, with Cloudflare acting in coordination with Microsoft's seizure of 338 websites associated with the group.

Despite the takedown, it's important for internet users to remain vigilant. Attackers cut off from PhaaS tools could still turn to the dark web to purchase email addresses for AI-powered phishing campaigns of their own. Users are advised to use unique passwords for each account and enable two-factor authentication where possible to protect themselves from such threats.
