Microsoft disrupted **RaccoonO365**, a phishing-as-a-service operation led by Joshua Ogundipe, which stole **at least 5,000 Microsoft 365 credentials** across **94 countries** since July 2024. The service, sold via Telegram (850+ members), offered subscriptions ($335–$999) to bypass MFA, harvest credentials, and maintain persistent access—enabling **financial fraud, ransomware, and larger cyberattacks**. The stolen data was resold to criminals, while Ogundipe profited **$100,000+ in crypto**. Targets included **2,300+ US organizations** (tax-themed phishing) and **20+ healthcare providers**, prompting Health-ISAC to join Microsoft’s lawsuit. Though 338 domains were seized and Cloudflare dismantled the infrastructure, Ogundipe (Nigeria-based) remains at large. The operation’s **AI-powered scaling (RaccoonO365 AI-MailCheck)** and capacity to process **9,000 email targets/day** amplified risks of **data breaches, extortion, and supply-chain attacks** leveraging compromised Microsoft accounts.
Source: https://www.theregister.com/2025/09/16/microsoft_cloudflare_shut_down_raccoono365/
TPRM report: https://www.rankiteo.com/company/microsoft
"id": "mic0970009100325",
"linkid": "microsoft",
"type": "Cyber Attack",
"date": "7/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
```python
{'affected_entities': [{'customers_affected': '5,000+ (credentials stolen from 94 countries)',
                        'industry': 'Software/Cloud Services',
                        'location': 'Global',
                        'name': 'Microsoft (targeted credentials)',
                        'size': 'Large',
                        'type': 'Technology Corporation'},
                       {'industry': 'Multiple',
                        'location': 'United States',
                        'name': '2,300+ US organizations (tax-themed phishing campaign)',
                        'type': ['Businesses', 'Government Entities', 'Nonprofits']},
                       {'industry': 'Healthcare',
                        'location': 'United States',
                        'name': '20+ American healthcare organizations',
                        'type': 'Healthcare Providers'}],
 'attack_vector': ['phishing emails',
                   'phishing kits',
                   'MFA bypass',
                   'AI-powered phishing (RaccoonO365 AI-MailCheck)',
                   'tax-themed phishing campaigns'],
 'customer_advisories': ['Users urged to report suspicious emails and enable security defaults in Microsoft 365.'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '5,000+',
                 'personally_identifiable_information': ['Email addresses',
                                                         'potential PII accessed via compromised accounts'],
                 'sensitivity_of_data': 'High (credentials enable access to corporate systems, email, and sensitive data)',
                 'type_of_data_compromised': ['Microsoft 365 credentials (usernames/passwords)',
                                              'persistent system access']},
 'date_publicly_disclosed': '2024-09',
 'date_resolved': '2024-09',
 'description': "Microsoft's Digital Crimes Unit (DCU) seized 338 websites linked to the RaccoonO365 "
                'phishing-as-a-service operation, which sold subscriptions to phishing kits used to steal '
                'Microsoft 365 credentials. The leader, Joshua Ogundipe, was identified, and a lawsuit was '
                'filed against him and four associates. The operation targeted at least 5,000 credentials '
                'across 94 countries, generating over $100,000 in cryptocurrency. The phishing kits bypassed '
                'MFA and enabled persistent access, with stolen data used for fraud, ransomware, and further '
                'attacks. Cloudflare assisted in the takedown of domains and Worker accounts tied to RaccoonO365.',
 'impact': {'brand_reputation_impact': ['potential reputational damage to Microsoft 365 trust',
                                        'impact on targeted organizations (e.g., healthcare sector)'],
            'data_compromised': ['Microsoft 365 usernames', 'passwords', 'persistent system access'],
            'financial_loss': '$100,000+ (cryptocurrency payments from subscriptions)',
            'identity_theft_risk': 'High (stolen credentials sold for fraud/identity theft)',
            'legal_liabilities': ['lawsuit filed by Microsoft and Health-ISAC',
                                  'criminal referral to international law enforcement'],
            'operational_impact': ['unauthorized access to systems',
                                   'potential follow-on attacks (ransomware, extortion, fraud)'],
            'systems_affected': ['Microsoft 365 accounts',
                                 "targeted organizations' email systems"]},
 'initial_access_broker': {'backdoors_established': True,
                           'data_sold_on_dark_web': True,
                           'entry_point': ['Phishing emails', 'RaccoonO365 phishing kits'],
                           'high_value_targets': ['Microsoft 365 accounts',
                                                  'US organizations (tax-themed campaigns)',
                                                  'Healthcare sector']},
 'investigation_status': 'Ongoing (criminal referral to international law enforcement; Ogundipe remains at large)',
 'lessons_learned': ['Phishing-as-a-service operations can scale rapidly with low barriers to entry '
                     '(subscriptions as low as $335).',
                     'MFA bypass techniques remain a critical vulnerability in credential-based attacks.',
                     'Operational security lapses (e.g., exposed cryptocurrency wallets) can aid attribution.',
                     'Collaboration between tech companies (Microsoft/Cloudflare) and sector-specific ISACs '
                     '(Health-ISAC) enhances disruption efforts.',
                     'AI-powered phishing tools (e.g., RaccoonO365 AI-MailCheck) increase attack '
                     'sophistication and scalability.'],
 'motivation': ['financial gain', 'cybercrime facilitation', 'sale of stolen credentials and access'],
 'post_incident_analysis': {'corrective_actions': ["Microsoft's legal action and infrastructure takedowns "
                                                   'to disrupt RaccoonO365 operations.',
                                                   "Cloudflare's ban on identified domains and termination "
                                                   'of malicious scripts.',
                                                   'Enhanced monitoring for AI-powered phishing '
                                                   '(e.g., RaccoonO365 AI-MailCheck).',
                                                   'Public-private collaboration to share indicators of '
                                                   'compromise (IOCs) and tactics.'],
                            'root_causes': ['Proliferation of phishing-as-a-service models lowering entry '
                                            'barriers for cybercriminals.',
                                            'Effectiveness of MFA bypass techniques in phishing kits.',
                                            'Lack of global law enforcement coordination to apprehend '
                                            'threat actors in jurisdictions like Nigeria.',
                                            'Delayed detection of phishing infrastructure (operational '
                                            'since at least July 2024).']},
 'recommendations': ['Organizations should enforce advanced MFA solutions resistant to phishing '
                     '(e.g., FIDO2, hardware tokens).',
                     'Monitor for credential stuffing and anomalous login attempts, especially from '
                     'high-risk geolocations.',
                     'Educate employees on tax-themed and other targeted phishing campaigns.',
                     'Implement domain/URL filtering to block known phishing infrastructure.',
                     'Healthcare and other high-risk sectors should participate in threat-sharing '
                     'initiatives (e.g., ISACs).',
                     'Law enforcement and tech companies should prioritize disruption of '
                     'phishing-as-a-service operations.'],
 'references': [{'source': 'Microsoft Digital Crimes Unit Blog (Steven Masada)'},
                {'source': 'Cloudflare Blog'},
                {'source': 'The Register (Article)'}],
 'regulatory_compliance': {'legal_actions': ['Lawsuit by Microsoft/Health-ISAC',
                                             'Restraining order (US jurisdiction only)']},
 'response': {'communication_strategy': ['Public disclosure via Microsoft/Cloudflare blogs',
                                         'Coordination with Health-ISAC'],
              'containment_measures': ['Seizure of 338 RaccoonO365 websites',
                                       'Cloudflare takedown of domains/Worker accounts',
                                       "Interstitial 'phish warning' pages",
                                       'Termination of Workers scripts',
                                       'Suspension of user accounts'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': ['Criminal referral to international law enforcement (Ogundipe)'],
              'remediation_measures': ['Lawsuit against Ogundipe and associates',
                                       'Restraining order (limited to US jurisdiction)'],
              'third_party_assistance': ['Cloudflare', 'Health-ISAC']},
 'stakeholder_advisories': ['Microsoft customers advised to reset compromised credentials and enable '
                            'advanced MFA.',
                            'Healthcare organizations warned of targeted phishing risks.'],
 'threat_actor': {'affiliation': 'RaccoonO365',
                  'background': 'Computer programming; believed to have authored majority of the '
                                'RaccoonO365 code',
                  'location': 'Nigeria',
                  'name': 'Joshua Ogundipe'},
 'title': 'Microsoft Seizes 338 RaccoonO365 Phishing Websites, Identifies Leader Joshua Ogundipe',
 'type': ['phishing',
          'credential theft',
          'phishing-as-a-service (PhaaS)',
          'fraud',
          'cybercrime infrastructure takedown'],
 'vulnerability_exploited': ['human vulnerability (social engineering)',
                             'MFA bypass techniques',
                             'lack of user awareness']}
```