Microsoft Corporation

09/17/2025 | Press release | Distributed by Public on 09/17/2025 11:15

Microsoft seizes 338 websites to disrupt phishing service

Microsoft's Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords ("credentials"). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation's technical infrastructure and cutting off criminals' access to victims. This case shows that cybercriminals don't need to be sophisticated to cause widespread harm - simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.

RaccoonO365, tracked by Microsoft as Storm-2246, offers subscription-based phishing kits. These let anyone - even those with little technical skill - steal Microsoft credentials by mimicking official Microsoft communications. To deceive users, RaccoonO365's kits use Microsoft branding to make fraudulent emails, attachments, and websites appear legitimate, enticing recipients to open, click, and enter their information.

Since July 2024, RaccoonO365's kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cybercriminals. More broadly, the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially.

While RaccoonO365 services are used to target all industries, as evidenced by an extensive tax-themed phishing campaign targeting over 2,300 organizations in the United States, most alarmingly, its kits have been used against at least 20 U.S. healthcare organizations. This puts public safety at risk, as , which have severe consequences for hospitals. In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients. These severe consequences are a key reason why the DCU is filing this lawsuit in partnership with Health-ISAC - a global non-profit focused on cybersecurity and threat intelligence for the health sector.

RaccoonO365's rapid evolution and unmasking its leader

In just over a year, RaccoonO365 has swiftly evolved, rolling out regular upgrades to meet rising demand. This rapid growth underscores why taking legal action now is crucial to stopping RaccoonO365's activities. Using RaccoonO365's services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims' systems. Most recently, the group started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication - and effectiveness - of attacks.

As part of its investigation, the DCU also identified the leader of the criminal enterprise: Joshua Ogundipe, an individual based in Nigeria. Ogundipe and his associates marketed and sold their services on Telegram to a growing customer base. As of this filing, they have over 850 members on Telegram and have received at least US$100,000 in cryptocurrency payments. We estimate that this amount reflects approximately 100-200 subscriptions, which is likely an underestimate of the total subscriptions sold. Importantly, the subscriptions are not single-use, meaning that a single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day - adding up to potentially hundreds of millions of malicious emails a year sent through this platform.

Ogundipe and his associates each have specialized roles within the cybercriminal organization, and together they develop and sell the service, while providing customer support to help other cybercriminals steal information from Microsoft users. To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries. Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code. An operational security lapse by the threat actors, in which they inadvertently revealed a secret cryptocurrency wallet, helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement.

Confronting a global cybercrime ecosystem

RaccoonO365 is a case study in a broader trend: cybercrime is global, scalable, and accessible to anyone, regardless of technical skill. To counter RaccoonO365, we acted swiftly to protect our customers and prevent further harm. But criminals constantly evolve, so Microsoft is evolving too. For instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations. These help us trace criminals' cryptocurrency transactions, linking online activity to real identities for stronger evidence.

In legal cases, we also collaborate with security companies like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we cut off the actor's revenue streams, sow distrust among their would-be customers, and send a clear signal that Microsoft and its partners will remain persistent in going after those who target our systems. Importantly, filing a lawsuit is just the start. We always expect actors to try to rebuild their operations. That means the DCU will continue to take additional legal steps in the case to dismantle any new or reemerging infrastructure.

Even so, legal challenges persist - especially in places where prosecuting cybercriminals is difficult. Today's patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps. Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity. The international community should also support nations that are working to strengthen their defenses, while holding accountable those that turn a blind eye to cybercrime. While we press forward in the courts, organizations and individuals should also continue to bolster their defenses. That means enabling strong multi-factor authentication on accounts, using up-to-date anti-phishing and security tools, and educating users to stay vigilant against evolving scams.

Finally, this operation shows what's possible when different sectors cooperate - from tech companies to security firms to non-profits - each bringing unique expertise to disrupt criminal networks. By uniting the strengths of industry, civil society, and governments, we can make a greater impact on the entire cybercriminal ecosystem. Microsoft remains committed to working with others - across borders and sectors - to combat this ever-evolving threat and help build a safer digital world.


Microsoft Corporation published this content on September 17, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 17, 2025 at 17:15 UTC.