
Microsoft and Cloudflare Take Down RaccoonO365 Phishing Service

Written by Muriel de Juan Lara | Sep 18, 2025 1:15:00 PM

In the world of cybersecurity, some news feels like a breath of fresh air. That’s exactly what happened in September 2025, when Microsoft and Cloudflare joined forces to dismantle RaccoonO365, one of the most dangerous and widely used phishing-as-a-service (PhaaS) platforms globally. This service was behind the theft of thousands of Microsoft 365 credentials across dozens of countries.

In this article from TecnetOne, we’ll explain what RaccoonO365 was, how it worked, why it was so hard to stop, and what this victory means for you.

 

What Was RaccoonO365?

 

RaccoonO365 wasn’t a random group of amateur hackers. It was a well-organized subscription-based phishing service. Think of it as a phishing attack “rental” platform: anyone—even without technical skills—could pay a fee and launch professional-grade credential theft campaigns.

Subscriptions ranged from $355 to $999, providing access to:

 

  1. Fake email templates
  2. Microsoft 365 login clones
  3. Technical support for running campaigns

 

It had 100–200 active subscribers who collectively sent thousands of phishing emails per day, totaling hundreds of millions per year, and generating over $100,000 in crypto revenue for the admins.

 

How the Attack Worked

 

The target was clear: Microsoft 365 credentials, used by governments, enterprises, and individuals worldwide.

Attackers would send fake emails—impersonating security alerts, invoices, or shared documents. Victims clicking the links were taken to one of 338 cloned websites mimicking the Microsoft 365 login page.

Once credentials were entered, they were sent directly to RaccoonO365-controlled servers, giving attackers access to:

 

  1. Email
  2. OneDrive
  3. SharePoint
  4. Internal systems for further attacks

 


 

The Damage Scope

 

According to Microsoft, RaccoonO365 successfully stole at least 5,000 credentials across 94 countries. The most affected sectors included:

 

  1. Private companies: Strategic and financial data was compromised.
  2. Healthcare organizations: Over 20 hospitals and clinics were victims, with impacts like delayed patient care, lab result tampering, and even life-threatening risks.
  3. U.S. institutions: Over 2,300 entities suffered tax scam-related attacks.

 

The consequences were severe enough for Microsoft to partner with Health-ISAC, an international healthcare cybersecurity group, and escalate the case legally.

 

How RaccoonO365 Was Taken Down

 

The takedown involved multiple coordinated steps:

 

  1. Civil lawsuit (August 2025): Microsoft filed a complaint with the Southern District Court of New York to gain legal authority to act.
  2. Domain seizure: The court allowed Microsoft to seize 338 domains used to host phishing sites.
  3. Cloudflare’s technical action (September 2025): Cloudflare removed hundreds of domains and Worker accounts, dismantling the infrastructure powering the phishing campaigns.

 

Together, these legal and technical measures not only interrupted operations but also cut off attacker access to stolen credentials.

 

Who Was Behind It?

 

Microsoft identified Joshua Ogundipe, a Nigerian citizen, as the main mastermind. Far from an amateur, he:

 

  1. Wrote most of the code
  2. Managed the service
  3. Provided customer support to attackers

 

Though he used fake domains to stay hidden, a leaked crypto wallet allowed investigators to trace his identity. The case has been referred to law enforcement for prosecution.

 


 

The Rise of Phishing-as-a-Service (PhaaS)

 

RaccoonO365 represents the growing trend of cybercrime-as-a-service, a model defined by three traits:

 

  1. Accessibility: No expertise needed—just a subscription.
  2. Automation: Prebuilt fake sites, email templates, and scripts.
  3. Scalability: One user can launch thousands of attacks daily.

 

This model democratizes cybercrime, making it more dangerous by increasing the number of potential attackers exponentially.

 

What This Means for You

 

While this takedown is excellent news, it’s not the end of phishing. Other groups will try to fill the gap. Here’s what TecnetOne recommends for users and companies:

 

  1. Don’t trust emails blindly: Always verify sender addresses, URLs, and credential requests.
  2. Enable MFA: Even if your password is stolen, MFA can stop unauthorized access.
  3. Train your team: Most phishing attacks exploit human error.
  4. Monitor and protect infrastructure: Use advanced EDR/XDR tools to detect phishing patterns and unauthorized access.
  5. Stay informed: Threats evolve fast. Partner with experts like TecnetOne to stay ahead.
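The URL check from the first recommendation, written out as an added example (not code from Microsoft, Cloudflare or TecnetOne): it classifies links that claim to lead to a Microsoft 365 sign-in page and handles the common ways a cloned page disguises its host. The allowlist, the brand-word list and every sample link are assumptions constructed for this illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts accepted as Microsoft sign-in pages.
TRUSTED_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}
# Brand words a cloned login page is likely to put in its host name or path.
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "sharepoint", "onedrive")


def classify_link(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return "suspicious", "malformed URL"
    if not host:
        return "suspicious", "no host in link"
    if has_userinfo:
        # https://trusted-host@real-host/ : the browser connects to real-host.
        return "suspicious", "userinfo before '@' hides the real host"
    if parts.scheme != "https":
        return "suspicious", "sign-in link is not https"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label, possible look-alike characters"
    if host in TRUSTED_SIGNIN_HOSTS:  # exact match, never substring or prefix
        return "trusted", "exact match on sign-in allowlist"
    if any(tok in host or tok in parts.path.lower() for tok in BRAND_TOKENS):
        return "suspicious", "Microsoft branding on a non-Microsoft host"
    return "unknown", "no Microsoft branding; needs normal link review"


# Constructed sample links (not taken from the RaccoonO365 campaign).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com@evil.example/",
    "https://login.microsoftonline.com.evil.example/",
    "http://login.microsoftonline.com/",
    "https://xn--mcrosoft-c2a.example/login",
    "https://example.org/newsletter",
]


def triage(links):
    """Return (url, reason) for every link classified as suspicious."""
    results = [(u, classify_link(u)) for u in links]
    return [(u, reason) for u, (verdict, reason) in results if verdict == "suspicious"]
```

The brand-word rule is a heuristic and will also flag legitimate third-party pages that mention Microsoft, so treat "suspicious" as a prompt for review rather than a block decision.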

 

Final Thoughts

 

RaccoonO365 is a stark reminder that phishing remains one of the most effective and profitable cyberattacks. The Microsoft-Cloudflare alliance shows that collaboration across industries and legal systems is possible—and essential.

But true defense starts with you. Cybersecurity isn’t just about tools—it’s about culture, habits, and continuous prevention.

At TecnetOne, we believe the best protection is constant preparation. This case is a clear reminder: never let your guard down in today’s digital world.