Microsoft and Cloudflare this week announced that they paired up to disrupt RaccoonO365, a phishing-as-a-service operation that has been rising in popularity among cybercriminals over the past year. Its operators are known for equipping threat actors with phishing kits used for stealing Microsoft 365 credentials.

The disruption kicked off on Sept. 2. Microsoft said it had been granted a court order by the Southern District of New York, allowing it to seize 338 websites that were associated with the service. Cloudflare, meanwhile, took down hundreds of domains and Cloudflare Worker accounts that were linked to the actor.

The hope is that these dual actions will cut off cybercriminals’ access to victims and kneecap the operation’s technical infrastructure, Cloudflare said in its threat analysis, which included Indicators of Compromise (IoCs) like cryptocurrency addresses and domains linked to RaccoonO365.

“Cloudflare’s response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption aimed at dismantling the actor's operational infrastructure on our platform,” according to Cloudflare on Tuesday. “By taking coordinated action in early September 2025, we aim to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.”

What is RaccoonO365?

RaccoonO365 offers various subscription-based phishing kits to cybercriminals, which could provide them with stolen credentials, cookies, and data from victim accounts (such as OneDrive, SharePoint, and email).

The kits specifically use Microsoft branding for legitimate-looking emails, attachments, and websites, as a way to trick users into unwittingly handing over their credentials. Since July 2024, these kits have been used to steal over 5,000 Microsoft credentials across 94 countries, said Microsoft. The kits offer cybercriminals varying functionalities beyond basic phishing attacks, such as the ability to bypass MFA protections, pages with simple CAPTCHAs, and even a new AI-powered service called AI-MailCheck, which RaccoonO365 recently started to advertise and which is designed to scale operations.

The enterprise also built its operation on legitimate infrastructure to bypass detection. One way it did this was by using free accounts for Cloudflare Workers, which is a serverless platform for building and deploying apps across Cloudflare’s network. By abusing Cloudflare Workers, the threat actors were able to use this platform as an intermediary layer and protect their backend phishing servers from exposure, said Cloudflare.

“Before a request was passed to the actual phishing server, a Cloudflare Workers script inspected the request to determine if it originated from a security researcher, automated scanner, or sandbox,” according to Cloudflare. “If any red flags were raised, the connection would be dropped or the client would receive an error message, effectively hiding the phishing kit.”

Microsoft said that it has also identified an individual based in Nigeria named Joshua Ogundipe as the leader of RaccoonO365. The enterprise’s services have been marketed and sold on Telegram, with over 850 members, and have netted at least $100,000 in cryptocurrency payments. The plans were sold in various durations, including a 30-day plan for $355 or a 90-day plan for $999. Microsoft said it has sent a criminal referral for Ogundipe to international law enforcement. 

Future Response Efforts

Both Microsoft and Cloudflare have previously participated in or spearheaded disruption efforts against various threats, including Lumma stealer earlier this year. While these disruptions have a net positive impact, the reality is that threat actors will likely regroup and rebuild their operations and infrastructure.

In their disruption announcements this week, both Cloudflare and Microsoft acknowledged this. Cloudflare said that in response to its mitigation efforts, RaccoonO365 operators issued “platform updates” via Telegram explaining that they would shift away from Cloudflare. Meanwhile, Microsoft said that it will “continue to take additional legal steps in the case to dismantle any new or reemerging infrastructure.”

RaccoonO365 represents a well-known and troubling trend – more kits, services, and toolsets are available to less technical cybercriminals, lowering the barrier for them to rapidly launch successful attacks. With RaccoonO365’s phishing kits in particular, cybercriminals were able to send thousands of phishing emails a day.

“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk,” said Steven Masada, assistant general counsel, Microsoft’s Digital Crimes Unit, in Microsoft’s release.