Microsoft has announced the disruption of RaccoonO365, a popular subscription-based phishing kit focused on the theft of Microsoft365 credentials.
The tech giant’s Digital Crimes Unit (DCU) successfully seized 338 websites associated with RaccoonO365, which Microsoft tracks as Storm-2246.
The operation has severely curtailed the phishing kit’s technical infrastructure, cutting off criminals’ access to victims, according to Microsoft which published details on September 16.
The action was taken after the DCU obtained a court order from the Southern District of New York.
As part of its investigation, the DCU also identified the leader of the RaccoonO365 network, Joshua Ogundipe, who is based in Nigeria.
Microsoft said Ogundipe and his associates marketed and sold their services on Telegram to a customer base currently made up of 850 members.
To evade detection, the operators registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries
Ogundipe is believed to have authored the majority of the code used in RaccoonO365’s infrastructure. Microsoft revealed that the operators inadvertently revealed a secret cryptocurrency wallet, which helped the DCU’s attribution and understanding of their operations.
It is estimated that Ogundipe and his associates have received at least $100,000 in cryptocurrency payments from users of the phishing service.
“We estimate that this amount reflects approximately 100-200 subscriptions, which is likely an underestimate of the total subscriptions sold,” Microsoft wrote.
“Importantly, the subscriptions are not single-use, meaning that a single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day – adding up to potentially hundreds of millions of malicious emails a year sent through this platform,” the firm added.
A criminal referral for Ogundipe has been sent to international law enforcement.
Phishing Kit Responsible for Theft of 5000 Microsoft Credentials
RaccoonO365’s services, which were launched in July 2024, have been used to steal at least 5000 Microsoft credentials from 94 countries.
It has been used to target all industries, including an extensive tax-themed phishing campaign targeting over 2300 organizations in the US.
RaccoonO365 kits have also been used to target at least 20 US healthcare organizations.
This was a key reason Microsoft filed its lawsuit in partnership with Health-ISAC – a global non-profit focused on cybersecurity and threat intelligence in the health sector.
Credentials stolen via these phishing emails are often a precursor to malware and ransomware, Microsoft noted.
RaccoonO365 phishing kits enable attackers to use Microsoft branding to make fraudulent emails, attachments and websites appear legitimate.
These campaigns entice victims to enter their credential information.
The service also includes techniques to evade multi-factor authentication (MFA) protections.
This enables RaccoonO365 users, including those with limited technical skills, to launch sophisticated phishing attacks.
Customers can use the service to target 9000 email addresses per day, according to Microsoft.
Recently, RaccoonO365 operators have started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication of attacks.
“The rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially,” Microsoft wrote.
