Microsoft has seized 338 websites associated with RaccoonO365 and identified the leader of the phishing service – Joshua Ogundipe – as part of a larger effort to disrupt what Redmond’s Digital Crimes Unit calls the “fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords.”
The criminal operation sold subscriptions to its RaccoonO365 Suite of phishing kits, ranging from a 30-day plan for $335 to a 90-day subscription for $999, via a private Telegram channel with more than 850 members, according to separate blogs from Steven Masada, Microsoft’s DCU assistant general counsel, and Cloudflare, which also participated in the website takedown.
Since July 2024, these phishing kits have been used by other criminals to steal at least 5,000 Microsoft credentials from 94 countries, raking in at least $100,000 in cryptocurrency payments for Ogundipe and his affiliates, Masada said. “We estimate that this amount reflects approximately 100-200 subscriptions, which is likely an underestimate of the total subscriptions sold,” he added.
RaccoonO365’s customers can use the service to input up to 9,000 target email addresses per day, bypass multi-factor authentication (MFA), steal user credentials, and gain persistent access to victims’ systems.
The stolen credentials and system access can then be sold to other criminals, or used directly for financial fraud, ransomware and extortion, or as initial access from which to launch larger cyberattacks.
Most recently, the criminal operation started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, to scale attacks and boost their effectiveness.
In late August, Microsoft filed a lawsuit against Joshua Ogundipe and four of his associates listed as John Does, and, in early September, obtained a court order allowing the DCU to seize the 338 websites associated with RaccoonO365.
The court also granted a restraining order against Ogundipe and the four Does, but with Ogundipe in Nigeria, the restraining order carries little weight beyond the US. Ogundipe and associates remain free and have not been taken into police custody, although Microsoft notes that a “criminal referral for Ogundipe has been sent to international law enforcement.”
“Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code,” Masada wrote. “An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU’s attribution and understanding of their operations.”
In early September, working with Microsoft, Cloudflare executed a coordinated takedown of hundreds of domains and Workers accounts linked to RaccoonO365, dismantling the criminals' infrastructure on Cloudflare's network.
“We then banned all identified domains, placed interstitial ‘phish warning’ pages in front of them, terminated the associated Workers scripts, and suspended the user accounts to prevent re-registration,” Cloudflare wrote.
In one recent tax-themed phishing campaign, RaccoonO365’s kits were used to target more than 2,300 US organizations. The criminal service has also been used against at least 20 American healthcare organizations, and, as such, the global threat-intel nonprofit Health-ISAC is also a plaintiff in the lawsuit. ®