Full Report
Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials. [...]
Analysis Summary
# Tool/Technique: RaccoonO365 Phishing-as-a-Service (PhaaS)
## Overview
RaccoonO365 is a massive Phishing-as-a-Service (PhaaS) operation that provided cybercriminals with toolkits designed to steal Microsoft 365 credentials. The service used malicious websites, often bundled with CAPTCHA pages and anti-bot techniques, intended to appear legitimate and to evade automated analysis. The stolen credentials, cookies, and data were subsequently used for financial fraud, extortion, or as initial access vectors.
## Technical Details
- Type: Attack Tool/Service (Phishing-as-a-Service)
- Platform: Targeting Microsoft 365 users (Implied: Web/Cloud service-focused)
- Capabilities: Provisioning phishing kits, integrating CAPTCHA pages, incorporating anti-bot measures, subscription-based access for threat actors.
- First Seen: Operation active since at least July 2024. Disruption occurred in early September 2025.
## MITRE ATT&CK Mapping
RaccoonO365 is primarily focused on credential harvesting and initial access, mapping broadly to:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (listed because the initial delivery mechanism is phishing, although the observed campaigns are web-based)
- T1566.002 - Spearphishing Link (most relevant, since victims are redirected to web-hosted phishing pages)
## Functionality
### Core Capabilities
- Providing subscription-based phishing kits to subscribers via a private Telegram channel.
- Hosting phishing infrastructure across seized websites (338 disrupted).
- Targeting Microsoft 365 email, OneDrive, and SharePoint accounts.
### Advanced Features
- **Evasion Techniques:** Bundling CAPTCHA pages and anti-bot mechanisms within the phishing kits to thwart automated analysis systems.
- **Monetization:** Operated on a subscription model using cryptocurrency (USDT or Bitcoin) payments.
## Indicators of Compromise
*Note: As this summary details the disruption of the service itself, specific IOCs listed here reflect the infrastructure seized.*
- File Hashes: [Not explicitly mentioned in the context]
- File Names: [Not explicitly mentioned in the context]
- Registry Keys: [Not explicitly mentioned in the context]
- Network Indicators: 338 websites and Worker accounts seized. (No specific C2 domains provided, as they were seized.)
- Behavioral Indicators: Use of phishing sites impersonating Microsoft login pages, often associated with tax-themed campaigns (e.g., targeting 2,300+ organizations in the US).
## Associated Threat Actors
- Primary Operator/Author: Joshua Ogundipe (Attributed by Microsoft DCU)
- Associated Group: Storm-2246 (Microsoft tracking designation)
- Collaborators: Believed to collaborate with Russian-speaking cybercriminals (inferred from Telegram bot naming conventions).
## Detection Methods
- Signature-based detection: Not detailed in the report; standard URL/domain blocklisting of the seized infrastructure applies.
- Behavioral detection: Flagging users who interact with known malicious phishing links, or with pages that gate a Microsoft 365-style login behind CAPTCHA/anti-bot checks before capturing credentials.
- YARA rules: [Not available in the context]
## Mitigation Strategies
- User Education: Training users to recognize sophisticated phishing attempts, especially those incorporating CAPTCHAs or unusual login flows for Microsoft 365.
- Multi-Factor Authentication (MFA): Implementing strong MFA on all Microsoft 365 accounts significantly limits what an attacker can do with a stolen password.
- Network Monitoring: Monitoring for connections to newly registered domains that proxy or redirect Microsoft 365 login traffic for credential harvesting.
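The detection and monitoring bullets above name the signals (lookalike Microsoft 365 hosts, newly registered domains, CAPTCHA-gated pages in front of a credential form) but not how to turn them into an alert. The script below is an added example written for this page; it is not code from the original report, nor from Microsoft or Cloudflare. It triages constructed web-proxy log lines and combines those signals per user and host. The allowlist of legitimate sign-in suffixes, the brand tokens, the log format, every hostname, and the `REGISTRATION_DATES` table (which stands in for an RDAP/WHOIS lookup) are assumptions constructed for the example; the two-label domain split is a simplification of the Public Suffix List.

```python
"""Heuristic triage of web-proxy logs for Microsoft 365 credential-phishing pages.

Added example; all hostnames, dates and log lines are constructed, not real IoCs.
"""
from datetime import date
import re

# Suffixes that legitimately serve Microsoft 365 sign-in (assumption: a real
# deployment would use the tenant's own allowlist). Matching is anchored at a
# label boundary so "login.microsoftonline.com.evil.test" is NOT legitimate.
LEGIT_SUFFIXES = ("microsoftonline.com", "live.com", "microsoft.com",
                  "office.com", "outlook.com", "sharepoint.com")

# Brand words a lookalike host borrows to pass as a Microsoft 365 page.
BRAND_TOKENS = ("microsoft", "office365", "o365", "m365", "onedrive",
                "sharepoint", "outlook")

# Path fragments typical of the CAPTCHA/anti-bot gate and of the credential POST.
CAPTCHA_PATHS = ("captcha", "challenge", "verify-human")
CREDENTIAL_PATHS = ("login", "signin", "auth", "submit")

# Constructed registration dates standing in for an RDAP/WHOIS lookup (assumption).
REGISTRATION_DATES = {
    "example-m365-verify.test": date(2025, 8, 30),
    "docs-share-review.test": date(2025, 9, 1),
}
NEW_DOMAIN_DAYS = 30  # "newly registered" threshold, an assumption

# Constructed log format: "<timestamp> <user> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, _, path = m.group("url").split("://", 1)[-1].partition("/")
    host = host.lower().split(":")[0]  # drop any port
    return {"ts": m.group("ts"), "user": m.group("user"), "method": m.group("method"),
            "host": host, "path": "/" + path.lower(), "status": int(m.group("status"))}


def registrable_domain(host):
    """Last two labels; a real implementation would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_legit_microsoft(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def domain_age_days(host, today):
    reg = REGISTRATION_DATES.get(registrable_domain(host))
    return (today - reg).days if reg else None


def assess(entry, today):
    """Return the list of phishing signals one request exhibits (empty for legit hosts)."""
    reasons = []
    host, path = entry["host"], entry["path"]
    if is_legit_microsoft(host):
        return reasons
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand-lookalike host")
    age = domain_age_days(host, today)
    if age is not None and age <= NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {age} days ago")
    if any(p in path for p in CAPTCHA_PATHS):
        reasons.append("captcha gate before login")
    if entry["method"] == "POST" and any(p in path for p in CREDENTIAL_PATHS):
        reasons.append("credential POST to non-Microsoft host")
    return reasons


def triage(lines, today):
    """Aggregate signals per (user, host); alert when two or more independent
    signals coincide, so a single credential POST to an ordinary site stays quiet."""
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry, today)
        if reasons:
            findings.setdefault((entry["user"], entry["host"]), set()).update(reasons)
    return [{"user": u, "host": h, "reasons": sorted(r)}
            for (u, h), r in sorted(findings.items()) if len(r) >= 2]


# Constructed sample traffic for one morning; "today" fixes the domain-age math.
SAMPLE_TODAY = date(2025, 9, 10)
SAMPLE_LOGS = [
    "2025-09-10T09:01:12Z alice GET https://login.microsoftonline.com/common/oauth2/authorize 200",
    "2025-09-10T09:02:40Z bob GET https://tax-docs.example-m365-verify.test/captcha 200",
    "2025-09-10T09:02:58Z bob GET https://tax-docs.example-m365-verify.test/office365/login 200",
    "2025-09-10T09:03:10Z bob POST https://tax-docs.example-m365-verify.test/office365/login 302",
    "2025-09-10T09:05:00Z carol GET https://docs-share-review.test/verify-human 200",
    "2025-09-10T09:07:21Z dave GET https://outlook.live.com/mail/ 200",
    "2025-09-10T09:08:02Z erin GET https://news.example/verify-human 200",
    "malformed line",
]


def run_sample():
    return triage(SAMPLE_LOGS, SAMPLE_TODAY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["user"], alert["host"], ", ".join(alert["reasons"]))
```

Run as written, the script alerts on `bob` (four signals, including the credential POST after a CAPTCHA gate on a lookalike host registered eleven days earlier) and on `carol` (new domain plus CAPTCHA gate), while `erin`'s single CAPTCHA hit on an unremarkable domain stays below the threshold. Requiring two independent signals is the design choice that keeps the rule usable on real proxy logs, where credential POSTs to non-Microsoft hosts are routine.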
## Related Tools/Techniques
- Lumma (Mentioned as a separate, previously disrupted malware-as-a-service information stealer).
- General Phishing-as-a-Service (PhaaS) platforms.