Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
RaccoonO365 phishing kits have stolen at least 5,000 Microsoft credentials since July 2024, including 420 from Australian victims.
Microsoft, in partnership with Cloudflare, revealed overnight that it had successfully seized 338 websites associated with popular phishing kit subscription service RaccoonO365.
RaccoonO365 offered a service that let even less technical cyber criminals conduct sophisticated phishing campaigns targeting Microsoft 365 users. The phishing kits provided by the service are capable of creating what appear to be legitimate emails, complete with Microsoft branding, to lure victims into sharing their credentials.
According to Microsoft, the service was responsible for the theft of 5,000 Microsoft credentials since the middle of 2024 from 94 countries, including 420 from Australian victims.
“While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cyber criminals,” Microsoft said in a blog post.
“More broadly, the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cyber crime where scams and threats are likely to multiply exponentially.”
Microsoft’s Digital Crimes Unit was able to exercise its takedowns after being granted a court order by the Southern District of New York in August, and with Cloudflare’s assistance, was able to take down hundreds of both domains and worker accounts, dismantling RaccoonO365’s infrastructure on Cloudflare’s network through August and September.
As Cloudflare continued its disruption campaign, however, the hackers behind the service scrambled to reframe the activity and rebuild their networks.
“On September 5th, 2025, following Cloudflare’s mitigation efforts, the RaccoonO365 team posted an announcement on Telegram to reframe the situation for their subscribers,” Cloudflare said in a blog post.
“They presented the disruption as a planned ‘rebirth’ of their service, shutting down old ‘legacy links’ and directing users to a new platform to retain access – a clear attempt to recover from disruptions and retain their customer base by rebuilding their operations on new infrastructure.”
How RaccoonO365 worked
RaccoonO365 offered a range of packages for the discerning scammer. At the bottom end, a cash-strapped criminal could pay US$355 for a 30-day plan on the service, which was sold as “ideal for short-term usage or testing”.
At the upper end, more committed would-be hackers could drop US$999 for a 90-day plan, which the service’s admins said was “perfect for power users running continuous campaigns”.
RaccoonO365’s admins promised zero backdoors and zero tracking, alongside “100 per cent clean, encrypted infrastructure” with real-time support on an allegedly bulletproof hosting service.
Microsoft’s investigations also uncovered the mastermind of the whole enterprise, one Joshua Ogundipe, based in Nigeria, with several other associates.
“As of this filing, they have over 850 members on Telegram and have received at least US$100,000 in cryptocurrency payments. We estimate that this amount reflects approximately 100-200 subscriptions, which is likely an underestimate of the total subscriptions sold,” Microsoft said.
“Importantly, the subscriptions are not single-use, meaning that a single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day – adding up to potentially hundreds of millions of malicious emails a year sent through this platform.”
International law enforcement has been informed of Ogundipe’s activities.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
