{"id":2848,"date":"2025-09-17T11:55:10","date_gmt":"2025-09-17T11:55:10","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/09\/17\/microsoft-disrupts-raccoono365-phishing-kit-seizes-338-malicious-sites\/"},"modified":"2025-09-17T11:55:10","modified_gmt":"2025-09-17T11:55:10","slug":"microsoft-disrupts-raccoono365-phishing-kit-seizes-338-malicious-sites","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/17\/microsoft-disrupts-raccoono365-phishing-kit-seizes-338-malicious-sites\/","title":{"rendered":"Microsoft Disrupts RaccoonO365 Phishing Kit, Seizes 338 Malicious Sites"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Microsoft has announced the disruption of RaccoonO365, a popular subscription-based phishing kit focused on the theft of Microsoft365 credentials.<\/p>\n

The tech giant\u2019s Digital Crimes Unit (DCU) successfully seized 338 websites associated with RaccoonO365, which Microsoft tracks as Storm-2246.<\/p>\n

The operation has severely curtailed the phishing kit\u2019s technical infrastructure, cutting off criminals\u2019 access to victims, according to Microsoft\u00a0which published details on September 16.<\/p>\n

The action was taken after the DCU obtained a court order from the Southern District of New York.<\/p>\n

As part of its investigation, the DCU also identified the leader of the RaccoonO365 network, Joshua Ogundipe, who is based in Nigeria.<\/p>\n

Microsoft said Ogundipe and his associates marketed and sold their services on Telegram to a customer base currently made up of 850 members.<\/p>\n

To evade detection, the operators registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries<\/p>\n

Ogundipe is believed to have authored the majority of the code used in RaccoonO365\u2019s infrastructure. Microsoft revealed that the operators inadvertently revealed a secret cryptocurrency wallet, which helped the DCU\u2019s attribution and understanding of their operations.<\/p>\n

It is estimated that Ogundipe and his associates have received at least $100,000 in cryptocurrency payments from users of the phishing service.<\/p>\n

\u201cWe estimate that this amount reflects approximately 100-200 subscriptions, which is likely an underestimate of the total subscriptions sold,\u201d Microsoft wrote.<\/p>\n

\u201cImportantly, the subscriptions are not single-use, meaning that a single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day \u2013 adding up to potentially hundreds of millions of malicious emails a year sent through this platform,\u201d the firm added.<\/p>\n

A criminal referral for Ogundipe has been sent to international law enforcement.<\/p>\n

Phishing Kit Responsible for Theft of 5000 Microsoft Credentials<\/strong><\/h2>\n

RaccoonO365\u2019s services, which were launched in July 2024, have been used to steal at least 5000 Microsoft credentials from 94 countries.<\/p>\n

It has been used to target all industries, including an extensive tax-themed phishing campaign targeting over 2300 organizations in the US.<\/p>\n

RaccoonO365 kits have also been used to target at least 20 US healthcare organizations.<\/p>\n

This was a key reason Microsoft filed its lawsuit in partnership with Health-ISAC \u2013 a global non-profit focused on cybersecurity and threat intelligence in the health sector.<\/p>\n

Credentials stolen via these phishing emails are often a precursor to malware and ransomware, Microsoft noted.<\/p>\n

RaccoonO365 phishing kits enable attackers to use Microsoft branding to make fraudulent emails, attachments and websites appear legitimate.<\/p>\n

These campaigns entice victims to enter their credential information.<\/p>\n

The service also includes techniques to evade multi-factor authentication (MFA) protections.<\/p>\n

This enables RaccoonO365 users, including those with limited technical skills, to launch sophisticated phishing attacks.<\/p>\n

Customers can use the service to target 9000 email addresses per day, according to Microsoft.<\/p>\n

Recently, RaccoonO365 operators have started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication of attacks.<\/p>\n

\u201cThe rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially,\u201d Microsoft wrote.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Microsoft has announced the disruption of RaccoonO365, a popular subscription-based phishing kit focused on the theft of Microsoft365 credentials. The tech giant\u2019s Digital Crimes Unit (DCU) successfully seized 338 websites associated with RaccoonO365, which Microsoft tracks as Storm-2246. The operation has severely curtailed the phishing kit\u2019s technical infrastructure, cutting off criminals\u2019 access to victims, according<\/p>\n","protected":false},"author":2,"featured_media":2849,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2848-b68466f7-2dc4-435d-9356-1215bc5c76c9-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2848"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2848\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2849"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2848"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}