
Microsoft scores win against Office 365 credential thieves
Microsoft’s Digital Crimes Unit disrupts a major phishing-as-a-service operation that targeted and stole Office 365 usernames and credentials
Investigators from Microsoft’s Digital Crimes Unit (DCU) have disrupted the network behind the dangerous RaccoonO365 infostealer malware that targeted the usernames and credentials of Office 365 users after being granted a court order in the Southern District of New York.
The operation saw a total of 338 websites linked to the popular malware seized and its technical infrastructure disrupted, severing RaccoonO365 users’ access to their victims.
RaccoonO365 – which was tracked in Microsoft’s threat actor matrix as Storm-2246 – was a relatively unsophisticated, subscription-based phishing kit that exploited Microsoft’s own branding to make its fake email, attachments and websites seem realistic enough to trick victims into interacting with them.
Microsoft’s Stephen Masada, DCU assistant general counsel, said the case showed that effective cyber criminals did not need to be particularly sophisticated to have an impact: “Since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries.
“While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cyber criminals.
“More broadly, the rapid development, marketing and accessibility of services such as RaccoonO365 indicate that we are entering a troubling new phase of cyber crime where scams and threats are likely to multiply exponentially.”
The DCU operation appears to have come at the right time: Microsoft said that over the past 12 months RaccoonO365 had undergone a rapid technical evolution, with regular upgrades to meet rising demand.
Among other things, users were able to input 9,000 target email addresses every day, and could also “benefit” from on-board features that enabled them to circumvent multi-factor authentication (MFA) safeguards and establish persistent access on their victims’ computers.
In the past few months, RaccoonO365’s operators also started advertising an AI service that supposedly enabled users to scale their operations and improve the effectiveness of their attacks.
Leadership identified
At the same time, the DCU has named a Nigerian national, Joshua Ogundipe, as the leader of the enterprise behind RaccoonO365. He was identified following an operational security lapse in which the gang accidentally revealed a secret cryptocurrency wallet, which the DCU said greatly helped with attribution.
It accused Ogundipe and associates of selling their services via Telegram to their customers, estimated to be around 100 to 200 subscriptions based on the group’s membership of 845 (as of 25 August) – although this is likely an underestimate.
Healthcare sector a target
Although the DCU found RaccoonO365 had been used indiscriminately, it said there was evidence of its use in cyber attacks affecting at least 20 healthcare organisations in the United States.
Since RaccoonO365 emails are known to have been used as a precursor to ransomware attacks, Masada said the malware was a far more serious threat to public safety than it might otherwise appear, given the dire consequences of ransomware attacks on health organisations.
This factor was a key reason why the DCU filed its initial suit against RaccoonO365 – for which it partnered with Florida-based health sector security non-profit Health-ISAC.
According to Cloudflare, which worked with the DCU throughout the takedown, access to the RaccoonO365 phishing kit was sold on a subscription basis, with 30-day plans available for $355 and 90-day plans for $999, payable in various forms of cryptocurrency.
Alongside his associates, Ogundipe, who supposedly has a background in computer programming and is thought to have written the bulk of RaccoonO365, ran a seemingly professional organisation with specialist development, sales and customer support resources.
To obfuscate their activities, the gang registered multiple internet domains with fake names and addresses around the world, although screengrabs of Ogundipe’s LinkedIn profile shared by the DCU suggest he may be located in Benin City in southern Nigeria.
A criminal referral for his arrest has been circulated to international law enforcement. However, whether or not he ever faces justice is unknown, said Masada.
“Legal challenges persist, especially in places where prosecuting cyber criminals is difficult. Today’s patchwork of international laws remains a major obstacle and cyber criminals exploit these gaps,” said Masada.
“Governments must work together to align their cyber crime laws, speed up cross-border prosecutions and close the loopholes that let criminals operate with impunity. The international community should also support nations that are working to strengthen their defences, while holding accountable those that turn a blind eye to cyber crime.
“While we press forward in the courts, organisations and individuals should also continue to bolster their defences. That means enabling strong multi-factor authentication on accounts, using up-to-date anti-phishing and security tools, and educating users to stay vigilant against evolving scams.”