Overview
- Acting on a Southern District of New York court order, Microsoft’s Digital Crimes Unit seized 338 domains, while Cloudflare banned the linked domains, terminated the associated Workers scripts, and suspended the accounts behind them.
- Since July 2024, the subscription-based phishing-as-a-service (PhaaS) operation, sold through a private Telegram channel, has enabled the theft of at least 5,000 Microsoft 365 credentials across 94 countries and generated at least $100,000 in cryptocurrency.
- RaccoonO365’s kits relay victims’ logins through an attacker-controlled proxy, capturing both passwords and the resulting session cookies so that MFA can be bypassed; they support campaigns against up to 9,000 targets per day and were used in a U.S. tax-themed run against more than 2,300 organizations and in attacks on at least 20 healthcare entities.
- Microsoft filed a civil lawsuit in late August and obtained a restraining order, yet the operators remain at large and have signaled that they intend to rebuild, directing subscribers to new links.
- Investigators linked the operation to Ogundipe through covert kit purchases and through blockchain tracing after a crypto wallet was exposed; Microsoft and Cloudflare say mitigation efforts will continue and urge organizations to strengthen MFA and user awareness.