# Full Report
Microsoft found that the group behind RaccoonO365 has received at least $100,000 in cryptocurrency from roughly 100 subscriptions. According to Microsoft, this is likely only a portion of the money the tool has earned.
# Analysis Summary
# Threat Actor: RaccoonO365 Operators
## Attribution & Identity
The leader of the RaccoonO365 operation is identified as Nigerian national **Joshua Ogundipe**, who allegedly wrote most of the code. Ogundipe runs the operation with associates who hold specialized roles in development, sales, and customer support. The group markets and sells the tool on Telegram, where the group had about 850 members as of the article date. Russian-language characters in the Telegram group name hint at possible collaboration with Russian-speaking cybercriminals, but Microsoft has not confirmed this.
## Activity Summary
The operators ran **RaccoonO365**, a subscription-based credential stealing tool primarily focused on Microsoft O365 environments. This service allowed subscribers to create highly convincing phishing campaigns using Microsoft branding. Microsoft seized 338 associated websites in a coordinated takedown. The activities were ongoing for nearly one year, escalating in scale and sophistication, including the recent rollout of an AI-backed service to further scale campaigns.
## Tactics, Techniques & Procedures
- **Phishing Kit as a Service (PaaS):** Offered RaccoonO365 kits for a monthly subscription fee (approx. $365/month).
- **Credential Harvesting via Phishing:** Directed victims to fake Microsoft O365 login pages after initial bait (e.g., CAPTCHA entry).
- **MFA Circumvention:** The tool included techniques to steal credentials even from accounts protected by Multi-Factor Authentication (MFA), bypassing standard MFA protections.
- **Social Engineering:** Used emails with malicious attachments or QR codes. File names were tailored to entice victims (e.g., HR/Finance documents, contracts, invoices), sometimes including the victim’s name.
- **Infrastructure Abuse:** Abused Cloudflare services and other infrastructure providers to mask phishing kits and evade detection.
- **Obfuscation:** Registered domains using fictitious names and physical addresses to mask the criminal enterprise.
- **Automation/Scaling:** Recently integrated an **AI-backed service** to automate and scale phishing campaigns.
## Targeting
- **Sectors:** Not explicitly limited, but heavily focused on organizations whose users rely on Microsoft 365, given the nature of the credential theft. Spoofing of brands such as Adobe, Maersk, and DocuSign suggests corporate targeting.
- **Geography:** Global scope, having stolen credentials in **94 countries**. Victims span "all over the world."
- **Victims:** Targeted approximately **9,000 email addresses daily**. Stole at least 5,000 Microsoft credentials.
## Tools & Infrastructure
- **Malware families used:** RaccoonO365 (Phishing Kit)
- **Infrastructure (C2, domains, IPs):**
  - **338 associated websites** were taken down in the Microsoft-led action.
  - Domains were registered under fictitious names and addresses.
  - Cloudflare and other infrastructure providers were abused for hosting and delivery.
  - Payments were traced through a cryptocurrency wallet the operators had tried to keep hidden.
## Implications
RaccoonO365 represents a significant shift toward **Phishing-as-a-Service**, putting sophisticated credential theft (including MFA bypass) within reach of lower-skilled cybercriminals. The integration of AI points to a large increase in both the volume and the quality of phishing attacks against M365 users worldwide, raising business email compromise (BEC) and initial-access risk globally. The operation shows a high degree of organization, strong customer support, and a focus on evasion.
## Mitigations
- **Enhanced M365 Security:** Strict enforcement and review of MFA policies, focusing on phishing-resistant MFA methods, given the tool specialized in bypassing standard MFA.
- **Email Filtering:** Deploy advanced filtering to detect and block emails using brand impersonation (Microsoft, Adobe, etc.) delivered via suspicious domains.
- **User Education:** Increased training specifically targeting social engineering vectors involving documents disguised as HR/Finance materials or unexpected links/QR codes leading to login prompts.
- **Infrastructure Monitoring:** Organizations that use Cloudflare or similar services should keep their configurations hardened, block known malicious indicators, and watch for abuse of their own infrastructure, since the operators relied on such services to mask their phishing kits.
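As an added illustration of the email-filtering mitigation (not code from the report or from Microsoft), the following Python scorer checks an inbound message for the lure traits the summary lists: a display name claiming Microsoft, Adobe, DocuSign or Maersk from a non-brand sender domain, HR/Finance/contract/invoice-themed attachment names, attachment names that include the recipient's name, and a QR-code image. The `Message` structure, the brand-to-domain table and the sample messages are assumptions constructed for the example; `has_qr_image` is assumed to be set by an upstream image scanner.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Brands the report names as impersonated, mapped to domains they legitimately send from
# (assumed mapping for the example; extend from your own allow-list).
IMPERSONATED_BRANDS = {
    "microsoft": ("microsoft.com",),
    "adobe": ("adobe.com",),
    "docusign": ("docusign.com", "docusign.net"),
    "maersk": ("maersk.com",),
}
# Lure themes the report lists (HR/Finance documents, contracts, invoices).
# Lookarounds instead of \b so "HR_Policy.pdf" matches but "thread.pdf" does not.
LURE_PATTERN = re.compile(r"(?i)(?<![a-z])(hr|finance|payroll|contract|invoice)(?![a-z])")


@dataclass
class Message:
    display_name: str       # From: header display name
    from_addr: str          # From: header address
    attachments: List[str]  # attachment file names
    recipient_local: str    # local part of the recipient address, e.g. "jane.doe"
    has_qr_image: bool = False  # assumption: filled in by an upstream image scanner


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score(msg: Message) -> Tuple[int, List[str]]:
    """Return (number of lure traits found, human-readable reasons)."""
    reasons = []
    dom = sender_domain(msg.from_addr)
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand in msg.display_name.lower() and not any(
            dom == d or dom.endswith("." + d) for d in legit
        ):
            reasons.append(f"display name claims {brand} but sender domain is {dom}")
    first_name = msg.recipient_local.split(".")[0].lower()
    for name in msg.attachments:
        if LURE_PATTERN.search(name):
            reasons.append(f"lure-themed attachment name: {name}")
        if len(first_name) >= 3 and first_name in name.lower():
            reasons.append(f"attachment name includes recipient name: {name}")
    if msg.has_qr_image:
        reasons.append("QR code image present in message body")
    return len(reasons), reasons


def verdict(msg: Message, threshold: int = 2) -> str:
    """Quarantine when at least `threshold` independent lure traits co-occur."""
    return "quarantine" if score(msg)[0] >= threshold else "deliver"


# Constructed sample messages (not real campaign data).
SAMPLES = [
    Message("Microsoft 365 Team", "notify@m365-secure-login.example",
            ["HR_Policy_Jane.pdf"], "jane.doe", has_qr_image=True),
    Message("Microsoft account team", "noreply@microsoft.com", [], "jane.doe"),
]
```

Running `verdict` over `SAMPLES` quarantines the first message on four traits and delivers the second, which carries none.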