Microsoft and Cloudflare announced the takedown of the RaccoonO365 Phishing-as-a-Service (PhaaS) operation, which was used to steal thousands of Microsoft 365 credentials.
RaccoonO365 allowed users to create phishing emails, attachments containing links or a QR code, and phishing sites aimed at stealing Microsoft 365 credentials.
In early September 2025, specialists from Microsoft’s Digital Crimes Unit (DCU), together with colleagues from the Cloudforce One and Trust and Safety teams at Cloudflare, seized 338 sites and Worker accounts linked to RaccoonO365.
Microsoft is tracking the hackers behind this service under the codename Storm-2246. It is reported that since July 2024 they have stolen at least 5,000 credentials from users across 94 countries worldwide. For their attacks, the perpetrators used RaccoonO365 phishing kits with CAPTCHA pages and anti-bot protection, which masqueraded as legitimate resources.
For example, the tax-themed RaccoonO365 phishing campaign impacted over 2,300 U.S. organizations in April 2025, and the same phishing kits were used against more than 20 healthcare facilities in the United States.
The stolen credentials, cookies, and other collected information from victims’ OneDrive, SharePoint, and mailboxes were then used for financial fraud, extortion, or served as a point of entry into other systems.
RaccoonO365 phishing kits were distributed by subscription via a private Telegram channel that had more than 840 members as of August 25, 2025. Prices ranged from $355 for a one-month subscription to $999 for three months. The operators accepted payments in USDT and BTC.
According to Microsoft’s estimates, the group earned at least $100,000 in cryptocurrency from RaccoonO365 (that is, it sold at least 100–200 subscriptions), though the real number may be higher.
Cloudflare ended up being involved in this operation because the attackers used its services for their own purposes (including for anti-analysis and evasion of detection).
“Before a request was forwarded to the phishing server, a Cloudflare Workers script inspected it to determine whether it originated from a security researcher, an automated scanner, or a sandbox. If any red flags were detected, the connection was dropped or the client received an error message, effectively hiding the phishing kit,” the company explained.
According to DCU researchers, RaccoonO365 is led by Nigerian national Joshua Ogundipe.
“According to Microsoft, Ogundipe has experience in programming and is the one responsible for writing most of the code. An operational security mistake by the attackers (they accidentally exposed a secret crypto wallet) helped the DCU establish their identities and understand how the scheme worked. All the materials collected on Ogundipe have been handed over to international law enforcement agencies,” the experts write.