Microsoft and Cloudflare Shut Down Major Phishing Network

In a joint operation, Microsoft’s Digital Crimes Unit and Cloudflare have dismantled RaccoonO365, a phishing-as-a-service (PhaaS) network, by seizing 338 domains tied to the toolkit. The network had been used to steal over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The action was enabled by a court order from the Southern District of New York, allowing Microsoft to disrupt the infrastructure used by the threat actors.

The takedown process began on September 2, 2025, with follow-up work through September 4, including banning identified domains, placing warning pages in front of them, disabling associated Cloudflare Workers scripts, and suspending user accounts. The final phase was completed by September 8.

Known internally by Microsoft as “Storm-2246,” RaccoonO365 is marketed under the name Morado.io to other cybercriminals via a subscription model. Plans range in price—$355 for 30 days and $999 for 90 days—with the promise that buyers need little technical skill to use the tool for large-scale phishing and credential harvesting operations.

Since about September 2024, campaigns using RaccoonO365 have mimicked well-known brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk, sending fraudulent emails that lead to look-alike phishing pages to capture Microsoft 365 credentials. Often, these phishing messages serve as a prelude to malware or ransomware deployment. The service also used legitimate features—such as Cloudflare’s Turnstile CAPTCHA—and scripts to detect bots or automated access, which let only intended targets interact with the phishing pages.

Microsoft said that over 2,300 U.S. organizations were targeted, including at least 20 in the healthcare sector. Users of RaccoonO365 could input up to 9,000 email addresses daily and employ techniques to bypass multi-factor authentication, thereby enabling persistent access to victim systems. Among newer features, the group began advertising an AI-powered service called “RaccoonO365 AI-MailCheck” to improve scaling and sophistication.

The toolkit’s creator is identified as Joshua Ogundipe of Nigeria, who, along with associates, promoted the service on Telegram and received cryptocurrency payments. Microsoft estimates that 100-200 subscriptions were sold, though it believes the real number might be higher. Ogundipe and others remain at large, but Microsoft has passed along criminal referrals to international law enforcement.

Cloudflare said the domain and account takedowns are intended to raise the cost of maintaining such malicious operations, and to send a warning to others who might misuse its infrastructure. In response to the disruption, the operators of RaccoonO365 announced the retirement of all legacy links and encouraged existing customers on shorter plans to migrate to new ones, promising an extra week of service as compensation.