Microsoft and Cloudflare Dismantle the RaccoonO365 Phishing Tool

Service Com'


Microsoft and Cloudflare have taken down RaccoonO365, a subscription-based phishing kit. Operated by a Nigerian developer, it massively targeted Office 365 accounts worldwide.

Microsoft, backed by Cloudflare, secured a court order to seize 338 websites linked to RaccoonO365, a phishing kit rented out for $365 (≈ €341) per month. Created by Nigerian national Joshua Ogundipe, the tool was used to steal thousands of Microsoft credentials in 94 countries while bypassing multi-factor authentication. Distributed via Telegram, it relied on fraudulent infrastructure masked by fake domain registrations. Investigators estimate the group collected at least $100,000 (≈ €93.4k) in cryptocurrency. The case highlights the increasing sophistication of phishing kits, now enhanced by artificial intelligence, and raises new concerns about cross-border alliances between cybercriminals.

An Industrialized Phishing Tool

RaccoonO365 operated as an on-demand service. Subscribers paid $365 (≈ €341) per month for access to a ready-to-use kit. The software mimicked Microsoft’s branding to generate fake emails, attachments, and Office 365 login pages. Nearly 9,000 addresses were targeted daily. Victims received messages with attachments containing a link or QR code. After solving a CAPTCHA, they were redirected to a fake login page where their credentials were harvested.
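The attack chain described above (an attachment carrying a link or QR code, a CAPTCHA gate, then a fake Office 365 login page on a fraudulently registered domain) is the part a defender can hunt for in proxy or mail-gateway logs. The script below is an added example, not code from the article, from Microsoft or from Cloudflare: it scores URLs extracted from constructed sample log lines for Microsoft-brand lookalikes (a brand keyword inside a non-Microsoft host, digit-for-letter substitution such as "micr0s0ft", credential-flow words in the path, deep subdomain nesting) and reports only those above a threshold. The allowlist of legitimate sign-in hosts, the scoring weights, the homoglyph table and the `url=` log format are assumptions made for illustration.

```python
"""Triage proxy/mail-gateway log lines for Office 365 lookalike login URLs."""
import re
from urllib.parse import urlparse

# Assumption: hosts (and their subdomains) treated as genuine Microsoft sign-in
# endpoints. A real deployment would maintain this list from vendor guidance.
LEGIT_SUFFIXES = (
    "microsoftonline.com", "microsoft.com", "live.com", "office.com",
    "office365.com", "outlook.com", "sharepoint.com", "onedrive.com",
)
# Brand words that should never appear in a host we do not recognise as legitimate.
BRAND_TOKENS = ("microsoft", "office365", "o365", "m365", "outlook", "onedrive", "sharepoint")
# Path fragments typical of a credential-harvesting flow (incl. the CAPTCHA gate).
PATH_KEYWORDS = re.compile(r"(login|signin|auth|verify|captcha|mfa|sso)", re.IGNORECASE)
# Assumption: a minimal digit/symbol-for-letter substitution table used by lookalikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Assumption: the log format carries the visited URL as a `url=` field.
URL_FIELD = re.compile(r"\burl=(\S+)")


def is_legit_host(host: str) -> bool:
    """True if the host is one of the allowlisted Microsoft domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def score_url(url: str):
    """Return (score, reasons) for a URL; 0 means no lookalike indicators."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if is_legit_host(host):
        return 0, []
    score, reasons = 0, []
    if any(t in host for t in BRAND_TOKENS):
        score += 3
        reasons.append("brand keyword in non-Microsoft host")
    else:
        # Fold common substitutions so "micr0s0ft" is compared as "microsoft".
        folded = host.translate(HOMOGLYPHS)
        if any(t in folded for t in BRAND_TOKENS):
            score += 3
            reasons.append("brand keyword after digit/letter substitution")
    if PATH_KEYWORDS.search(parsed.path or ""):
        score += 1
        reasons.append("credential-flow keyword in path")
    if host.count(".") >= 3:
        score += 1
        reasons.append("deeply nested subdomain")
    if parsed.scheme == "http":
        score += 1
        reasons.append("plaintext http")
    return score, reasons


def triage(lines, threshold: int = 3):
    """Extract the URL from each log line and keep those scoring at or above threshold."""
    hits = []
    for line in lines:
        match = URL_FIELD.search(line)
        if not match:
            continue
        url = match.group(1)
        score, reasons = score_url(url)
        if score >= threshold:
            hits.append((url, score, reasons))
    return hits


# Constructed sample log lines (not real traffic); example.* domains are placeholders.
SAMPLE_LOGS = [
    "2025-09-17T10:02:11Z user=alice url=https://login.microsoftonline.com/common/oauth2/authorize action=allow",
    "2025-09-17T10:05:43Z user=bob url=https://office365-login-secure.example-cdn.net/captcha action=allow",
    "2025-09-17T10:07:02Z user=carol url=https://micr0s0ft-verify.secure.example.org/auth/signin action=allow",
    "2025-09-17T10:09:15Z user=dave url=https://www.example.com/invoices/2025.pdf action=allow",
    "2025-09-17T10:11:40Z user=erin url=http://intranet.example.net/login action=allow",
]

if __name__ == "__main__":
    for url, score, reasons in triage(SAMPLE_LOGS):
        print(f"{score}  {url}  ({'; '.join(reasons)})")
```

The internal `http://intranet.example.net/login` line scores 2 and stays below the default threshold of 3, which is the point of weighting brand impersonation far above generic "login" paths: the kit's value lies in looking like Microsoft, so that is the strongest signal. A production version would replace the naive suffix matching with a public-suffix list and enrich hits with domain registration age, since the article notes the operators relied on freshly registered domains under fake identities.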

According to Steven Masada, an attorney with Microsoft’s Digital Crimes Unit, the kit has already stolen at least 5,000 accounts across 94 countries. The operation was under constant development, with the RaccoonO365 team adding new features to meet demand, including an AI-powered module to automate campaigns.

Microsoft’s investigation identified Nigerian national Joshua Ogundipe as the main developer of the kit. Based in Benin City according to a LinkedIn profile, he allegedly wrote most of the code. Alongside partners, he also handled service promotion through a Telegram channel with 850 members. The group even provided customer support for cybercriminal buyers.

Microsoft estimates RaccoonO365 generated at least $100,000 (≈ €93.4k) in cryptocurrency, likely just a fraction of the true earnings. The probe advanced after investigators uncovered a hidden crypto wallet. To cover their tracks, Ogundipe and his network registered domains using fake identities and addresses spread across multiple countries. Microsoft has reported the case to international authorities but did not specify whether Nigeria has been formally notified.

Cloudflare, which took part in the takedown, noted that some linguistic traces suggested ties to Russian-speaking cybercriminals. Microsoft, more cautious, confirmed only that both victims and customers of the service were spread worldwide.

A Global Infrastructure Taken Down

Microsoft obtained court authorization to seize 338 websites tied to the tool. Cloudflare reinforced the operation by blocking hundreds of additional domains and accounts, and detailed how the group had exploited its services to host and conceal phishing kits.

Cloudflare’s investigation showed the campaigns were not limited to Microsoft. Attackers also impersonated brands such as Adobe, Maersk, and DocuSign. The files they distributed mimicked contracts, invoices, or HR documents, sometimes personalized with the victim’s name.

For Microsoft, the rise of RaccoonO365 illustrates a troubling trend: the rapid proliferation of subscription-based criminal services capable of automating complex attacks. As Steven Masada notes, these threats “are set to grow exponentially.”

The dismantling of RaccoonO365 demonstrates the effectiveness of public-private partnerships, but it also underlines the growing industrialization of phishing. The next step for cybercriminals may be fully automated AI-driven attacks. [ZATAZ News English version]
