Microsoft announced on Tuesday that, through its Digital Crimes Unit (DCU), it has taken control of 338 websites connected to a Nigerian business that lets users conduct phishing attacks.
The DCU announced that it had taken down RaccoonO365, a subscription-based phishing business suspected of collecting thousands of Microsoft 365 login credentials.
Assistant General Counsel for Microsoft’s Digital Crimes Unit Steven Masada said the program, named “RaccoonO365,” enabled users to participate in phishing campaigns that involved thousands of emails at a time.
The phishing operation ultimately resulted in the theft of at least 5,000 Microsoft user credentials, and the company identified Joshua Ogundipe, a Nigerian, as the operation’s leader.
Phishing is a type of cybercrime in which criminals pose as trusted websites in an attempt to trick consumers into disclosing private information, such as banking information or passwords.
Acting on a U.S. court order from the Southern District of New York, the DCU took over 338 websites connected to the service, shutting down the infrastructure that hackers used to host phoney Microsoft login pages and transmit stolen data.
Microsoft claims that RaccoonO365 provided simple phishing kits on Telegram that allowed even inexperienced thieves to mimic Microsoft communications and gather passwords and credentials.
The kits have been used in 94 countries to steal at least 5,000 Microsoft credentials since July 2024, according to the company. A single subscription can send thousands of phishing emails per day, increasing to hundreds of millions of malicious emails annually due to the reusable nature of subscriptions.
Ogundipe and his associates were found to have specialised roles within the operation, including creating the code, selling subscriptions, and offering customer service to other cybercriminals, according to Microsoft’s investigation.
They registered Internet domains using fake names and physical addresses that are allegedly spread across several cities and nations in order to conceal their illicit activity and avoid detection.
The majority of the code is thought to have been written by Ogundipe, who has experience in computer programming, according to Microsoft’s investigation.
It also revealed that an operational security lapse by the threat actors, in which they unintentionally made a secret bitcoin wallet public, aided the DCU in identifying and understanding their activities.
Microsoft further stated, “International law enforcement has received a criminal referral for Ogundipe.”
Citing the risks to public safety and healthcare, Microsoft pointed out that RaccoonO365’s phishing kits were being used in campaigns that targeted vital industries, not merely to obtain passwords for fraudulent purposes.
The kits have been deployed against at least 20 U.S. healthcare institutions, according to the DCU, which discovered a tax-themed campaign that affected over 2,300 organisations, primarily in the United States.
Such campaigns, according to Microsoft and partner Health-ISAC, may precede ransomware and malware attacks that compromise patient care, cause delays in services, and expose private health information.
Microsoft claims that the DCU is bringing this case in collaboration with Health-ISAC, a global non-profit organisation that specialises in cybersecurity and threat intelligence for the healthcare industry, in large part because of these dire repercussions.
Microsoft also disclosed that RaccoonO365 has evolved rapidly in less than a year, releasing frequent updates to satisfy growing demand.
This quick expansion emphasises how urgent it is to file a lawsuit in order to put an end to RaccoonO365’s operations.
Customers can use RaccoonO365’s services to enter up to 9,000 target email addresses every day and apply advanced techniques to get around multi-factor authentication safeguards in order to steal user credentials and obtain ongoing access to victims’ systems.
In order to grow operations and raise the complexity and efficacy of attacks, the group most recently began promoting RaccoonO365 AI-MailCheck, a new AI-powered service.
Microsoft was the most impersonated brand, according to a recent Check Point Research report, which showed that it was present in 25% of all phishing attempts worldwide between April and June 2025. This record was made worse by networks such as RaccoonO365.
RaccoonO365 runs a private Telegram channel with more than 850 members.
By using phoney Microsoft platforms, the service allows users to pose as well-known brands and trick targets into entering their login credentials. Since its introduction in July 2024, the service has brought in at least $100,000 (€84,425) in cryptocurrency payments for its operators, according to Microsoft’s Masada.
According to Masada, a sizable portion of the organisations that RaccoonO365 users targeted were New York City-based businesses.
Phishing kits that allowed for the impersonation of Microsoft emails were disseminated via Telegram. Attackers can send thousands of phishing emails every day thanks to subscriptions, reaching hundreds of millions annually.
The attackers’ operational security blunder, which exposed a bitcoin wallet connected to their infrastructure, is partly responsible for Microsoft’s success. This aided in network mapping and tracing.
The service has been developing quickly, even producing more sophisticated and large-scale solutions like “RaccoonO365 AI-MailCheck.”