SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Microsoft disrupts RaccoonO365 phishing operation targeting 365 users

Wed, 17th Sep 2025

Microsoft has taken legal action to disrupt the RaccoonO365 phishing service used by cybercriminals to steal Microsoft 365 usernames and passwords worldwide.

With a court order from the Southern District of New York, Microsoft's Digital Crimes Unit (DCU) seized 338 websites linked to RaccoonO365, disconnecting the service's technical infrastructure and blocking criminals' access to victims.

According to Microsoft, RaccoonO365's services have facilitated the theft of about 5,000 Microsoft credentials in 94 countries. In Australia alone, around 420 victims have been affected. Although not all stolen credentials result in full network compromise or fraud, these figures illustrate the seriousness of the threat, with social engineering remaining a frequent tactic for cybercriminals.

Accessible phishing tools

Microsoft describes RaccoonO365, tracked internally as Storm-2246, as a subscription-based phishing kit allowing customers with minimal technical expertise to imitate Microsoft communications and deceive targets. The kit uses Microsoft branding to make fraudulent emails, attachments, and websites appear authentic and increase the likelihood that recipients will unwittingly surrender their credentials.

"This case shows that cybercriminals don't need to be sophisticated to cause widespread harm - simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk."

The accessibility of such phishing kits is enabling a wider range of individuals to engage in cybercrime without requiring advanced technical skills. The tools allow users to input up to 9,000 target email addresses per day and employ various techniques to bypass multi-factor authentication (MFA).

Sector targeting and public safety

RaccoonO365 has been used to target multiple sectors. Microsoft highlighted an extensive tax-themed campaign against over 2,300 US organisations, with particular concern for attacks on at least 20 US healthcare organisations. Attacks on hospitals, which can delay or disrupt patient care and compromise sensitive data, prompted Microsoft to file the lawsuit in partnership with Health-ISAC, a global non-profit focused on cybersecurity for the health sector.

"RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals. In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients. These severe consequences are a key reason why the DCU is filing this lawsuit in partnership with Health-ISAC - a global non-profit focused on cybersecurity and threat intelligence for the health sector."

Service evolution and leadership

Microsoft's investigation identified Joshua Ogundipe, based in Nigeria, as the leader of the RaccoonO365 operation. Ogundipe and associates marketed their service through Telegram, boasting a customer base of more than 850 members and at least USD $100,000 in cryptocurrency payments, reflecting an estimated 100-200 subscriptions. These subscriptions are not single-use, enabling subscribers to send thousands of phishing emails daily, which may result in hundreds of millions of malicious messages every year.

"Ogundipe and his associates each have specialized roles within the cybercriminal organization, and together they develop and sell the service, while providing customer support to help other cybercriminals steal information from Microsoft users. To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries."

The rapid evolution of RaccoonO365 includes regular upgrades and the launch of features such as an AI-powered service, RaccoonO365 AI-MailCheck, intended to expand the scale and effectiveness of operations.

Microsoft reported that an operational security error, where the actors inadvertently exposed a cryptocurrency wallet, helped link Ogundipe to the operation. An official referral for Ogundipe has been sent to international law enforcement agencies.

Global cybercrime challenge

Microsoft views RaccoonO365 as indicative of a global trend in cybercrime, pointing to the increasing scalability and accessibility of such threats. In response, Microsoft is adopting technologies like blockchain analysis tools, including Chainalysis Reactor, to trace cryptocurrency transactions and support investigations. The company also partners with security firms, such as Cloudflare, to swiftly take down malicious online infrastructure.

"In legal cases, we also collaborate with security companies like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we cut off the actor's revenue streams, sow distrust among their would-be customers, and send a clear signal that Microsoft and its partners will remain persistent in going after those who target our systems. Importantly, filing a lawsuit is just the start. We always expect actors to try to rebuild their operations. That means the DCU will continue to take additional legal steps in the case to dismantle any new or reemerging infrastructure."

Microsoft notes the limitations of international law enforcement, with cybercriminals often exploiting jurisdictional gaps. The company calls for greater international cooperation among governments to align cybercrime laws, streamline prosecutions, and close legal loopholes. Microsoft also advises organisations and individuals to strengthen their security by enabling strong MFA on accounts, maintaining current anti-phishing tools, and educating users about cyber threats.

Sector cooperation

Microsoft stresses the importance of cooperation across industries, security firms, and non-profits in countering cybercrime:

"Finally, this operation shows what's possible when different sectors cooperate - from tech companies to security firms to non-profits - each bringing unique expertise to disrupt criminal networks. By uniting the strengths of industry, civil society, and governments, we can make a greater impact on the entire cybercriminal ecosystem. Microsoft remains committed to working with others - across borders and sectors - to combat this ever-evolving threat and help build a safer digital world."