Microsoft has dismantled a large-scale phishing network linked to Raccoon0365, a phishing-as-a-service (PhaaS) platform operated out of Nigeria. The company secured a court order from the U.S. District Court in Manhattan to seize control of 330+ malicious domains used to steal Microsoft user credentials. The action follows a months-long investigation by Microsoft’s Digital Crimes Unit and its partners.
Raccoon0365 enabled subscribers to impersonate trusted brands and create fake login pages, harvesting usernames and passwords from victims across sectors. Microsoft estimates that the network helped steal credentials from at least 5,000 users since its launch in July 2024.
A subscription model for cybercrime
Raccoon0365 operated through a private Telegram channel with more than 850 subscribers. Users paid for access to phishing kits and templates, with the service generating over $100,000 in cryptocurrency revenues. The infrastructure was designed to scale phishing attacks — allowing even low-skill actors to launch campaigns targeting thousands of users at once.
Microsoft named Joshua Ogundipe, based in Nigeria, as the primary operator behind the service in court documents. The seized domains were one part of a broader infrastructure that included email campaigns, spoofed Microsoft sign-in pages, and backend services that collected the stolen credentials.
Targeting U.S. organizations and healthcare providers
Between February 12 and February 28, 2025, Microsoft identified a tax-themed phishing campaign linked to Raccoon0365 that targeted more than 2,300 organizations in the U.S., including government, corporate, and nonprofit sectors.
Health-ISAC, a nonprofit cybersecurity organization for the healthcare sector and co-plaintiff in the case, confirmed that at least five healthcare entities had fallen victim to successful credential harvesting. Overall, the campaign targeted 25 healthcare organizations, highlighting the growing risk to critical infrastructure sectors.
Cloudflare, Secret Service among key collaborators
Microsoft partnered with Cloudflare and the U.S. Secret Service to identify and shut down services used to mask the operation’s backend systems. Cloudflare confirmed that Raccoon0365 leveraged its platform to conceal infrastructure and evade takedowns. Once identified, Cloudflare moved to block access and prevent the group from opening new accounts.
Despite several operational errors, the group remained highly effective, according to threat intelligence experts. Their tactics illustrate how accessible cybercrime has become — enabling widespread attacks without requiring deep technical skill.
Implications for enterprise security
The Raccoon0365 takedown highlights a growing trend of cybercrime-as-a-service offerings that lower barriers for attackers. Organizations must defend against highly convincing phishing campaigns at scale. Security leaders are urged to deploy phishing-resistant multifactor authentication, train employees to recognize spoofed domains, and monitor for brand impersonation campaigns.
The campaign shows how even basic tools — when deployed at scale — can compromise thousands of accounts, disrupt operations, and put sensitive data at risk.
Source: Reuters
