Microsoft says it has disrupted RaccoonO365, a subscription-based phishing service accused of stealing thousands of Microsoft 365 credentials.
The company’s Digital Crimes Unit (DCU) said it identified Nigeria-based Joshua Ogundipe as the leader of the operation. Using a U.S. court order from the Southern District of New York, Microsoft seized 338 websites tied to the service, which criminals used to host fake login pages and route stolen data.
According to Microsoft, RaccoonO365 sold phishing kits on Telegram that allowed even inexperienced actors to impersonate Microsoft communications and harvest usernames and passwords. Since July 2024, the kits have been linked to at least 5,000 stolen credentials across 94 countries. Because subscriptions can be reused, attackers could send thousands of phishing emails daily, scaling to hundreds of millions annually.
Microsoft said Ogundipe and associates divided responsibilities within the enterprise, from writing code to selling subscriptions and providing support to other criminals. Investigators traced them partly through an operational security lapse that revealed a cryptocurrency wallet. “A criminal referral for Ogundipe has been sent to international law enforcement,” the company stated.
The phishing service has been linked to attacks on sensitive sectors. A tax-themed campaign targeted more than 2,300 organizations, mostly in the U.S., while at least 20 healthcare providers were also hit. Microsoft and Health-ISAC, a nonprofit that tracks threats in the health sector, warned that such attacks can lead to ransomware intrusions, delayed patient care, and data exposure.
The DCU said RaccoonO365 has grown rapidly, adding new features to bypass multi-factor authentication and even advertising an AI-powered tool, “AI-MailCheck,” to expand operations. Microsoft stressed that dismantling the network now was critical to stopping further harm.