Microsoft and Cloudflare have neutralized RaccoonO365, a phishing kit sold on a subscription basis. Run by a Nigerian national, it targeted Office 365 accounts worldwide on a massive scale.
Backed by Cloudflare, Microsoft obtained a court order to seize 338 sites linked to RaccoonO365, a phishing kit rented out for $365 (€340) per month. Developed by Nigerian citizen Joshua Ogundipe, the tool was used to steal thousands of Microsoft credentials in 94 countries, bypassing multi-factor authentication. Distributed via Telegram, it relied on a fraudulent infrastructure hidden behind fake domain registrations. Investigators estimate the group collected at least $100,000 (€93,000) in cryptocurrency.
An industrialized phishing tool
RaccoonO365 operated as a service-on-demand. Subscribers paid $365 (€341) per month for access to a ready-to-use kit. The software mimicked Microsoft’s visual identity and generated fake emails, attachments, and Office 365 login pages. Nearly 9,000 addresses were targeted daily. Victims received messages with attachments containing a link or QR code. Once past a CAPTCHA, they were redirected to a fake login page where their credentials were captured.
According to Steven Masada, an attorney in Microsoft’s Digital Crimes Unit, the kit has already stolen at least 5,000 accounts in 94 countries. The operation relied on constant updates: the RaccoonO365 team added new features as demand grew, including an artificial intelligence module to automate campaigns.
A structured criminal network
Microsoft’s investigation identified Joshua Ogundipe, a Nigerian national, as the main developer of the kit. Based in Benin City according to a LinkedIn profile, he reportedly wrote most of the code. Along with his associates, he also marketed the service through a Telegram channel with 850 members. The group even managed customer support for their cybercriminal clients.
Microsoft estimates that RaccoonO365 generated at least $100,000 (€93,400) in cryptocurrency, likely only a fraction of the real gains. The investigation advanced after the discovery of a hidden crypto wallet. To cover their tracks, Ogundipe and his network registered domains using fake identities and fictitious addresses spread across several countries. Microsoft reported the case to international authorities, without specifying whether Nigeria was officially notified. Cloudflare, involved in the takedown, observed that certain linguistic traces suggested connections with Russian-speaking cybercriminals. Microsoft, more cautious, only confirmed that both victims and customers of the service were spread worldwide.
A global infrastructure neutralized
Microsoft obtained court approval to seize 338 websites linked to the tool. Cloudflare complemented the operation by blocking hundreds of additional domains and accounts. The company detailed how the group exploited its services to host and conceal phishing kits.
Campaigns identified by Cloudflare were not limited to Microsoft. Attackers also impersonated brands such as Adobe, Maersk, and DocuSign. Distributed files imitated contracts, invoices, or HR documents, sometimes personalized with the victim’s name.
For Microsoft, the rise of RaccoonO365 illustrates a worrying trend: the rapid multiplication of subscription-based criminal services capable of automating complex attacks. As Steven Masada noted, threats “are bound to grow exponentially.”
The dismantling of RaccoonO365 demonstrates the effectiveness of public-private cooperation but also highlights the growing industrialization of phishing. The next step for cybercriminals may be the full automation of attacks using AI. [ZATAZ News English version]