Full Report
The company acted on a court order and collaborated with Cloudflare to seize RaccoonO365's infrastructure, which was used to steal credentials from organizations in 94 countries. Source: CyberScoop, "Microsoft seizes hundreds of phishing sites tied to massive credential theft operation".
Analysis Summary
# Incident Report: Takedown of RaccoonO365 Global Phishing Infrastructure
## Executive Summary
Microsoft disrupted a large, financially motivated credential theft operation run by the threat group RaccoonO365 (tracked as Storm-2246). The group sold subscription phishing kits that let other criminals steal Microsoft 365 credentials from organizations in 94 countries using Microsoft-branded, brand-spoofing login pages. Acting on a court order and in collaboration with Cloudflare, Microsoft seized 338 associated domains, cutting off the primary delivery mechanism of this rapidly growing phishing-as-a-service operation.
## Incident Details
- **Discovery Date:** Ongoing investigation culminating in takedown around September 16, 2025.
- **Incident Date:** Operations active since at least July 2024.
- **Affected Organization:** Global organizations; over 2,300 U.S. organizations specifically targeted in a tax-themed campaign.
- **Sector:** Broad impact, including healthcare (at least 20 U.S. organizations targeted).
- **Geography:** Compromised organizations span 94 countries. Operators reportedly based in Nigeria.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since July 2024. Operation reached peak visibility prior to September 2025.
- **Vector:** Phishing campaigns delivered via email attachments, links, or QR codes.
- **Details:** Kits used Microsoft branding for fraudulent login pages to deceive end-users.
### Lateral Movement
- Not described. The kits were built for credential harvesting rather than post-compromise movement inside the victim network; the immediate impact was the harvested password and session cookie, which gave the buyer an authenticated session without any further internal movement.
### Data Exfiltration/Impact
- **Details:** Over 5,000 Microsoft 365 credentials stolen since July 2024. The kits captured both the password and the session cookie issued after the victim completed MFA, so the cookie could be replayed to access the account without a second MFA prompt. Phishing emails were often precursors to malware or ransomware deployment.
### Detection & Response
- **How it was discovered:** Microsoft's Digital Crimes Unit (DCU) conducted an investigation, including direct engagement with the threat actor to purchase phishing kits for intelligence gathering. Cryptocurrency tracing (with Chainalysis) identified the alleged operators.
- **Response actions taken:** Microsoft obtained a court order from the U.S. District Court for the Southern District of New York. Collaboration with Cloudflare resulted in the seizure and takedown of 338 associated domains. A criminal referral was sent to international law enforcement.
## Attack Methodology
- **Initial Access:** Provision of subscription-based phishing kits (sold to over 850 members on Telegram) which sent users to fake Microsoft O365 login pages.
- **Persistence:** Not described for the kits themselves; continued access depended on the captured credentials and session cookies remaining valid.
- **Privilege Escalation:** Not described. The MFA bypass (capturing the post-MFA session cookie alongside the password) is credential access and defense evasion rather than privilege escalation; the attacker obtains the victim's existing privileges, not higher ones.
- **Defense Evasion:** The codebase included functions for anti-analysis, security vendor evasion, and dynamic traffic routing.
- **Credential Access:** Harvesting of Microsoft 365 usernames, passwords, and session cookies.
- **Discovery:** Not described. The operators sold the kits; each subscriber did their own target selection and reconnaissance.
- **Lateral Movement:** Not required. Replaying a stolen session cookie yields an already-authenticated Microsoft 365 session, so the buyer reaches mail and data directly without the usual lateral movement stages.
- **Collection:** Gathering of valid Microsoft 365 credentials and session tokens.
- **Exfiltration:** Credentials and cookies were posted directly to the attacker-controlled phishing infrastructure as the victim submitted them.
- **Impact:** Account takeover, financial fraud, and follow-on malware or ransomware deployment against the compromised organization.
## Impact Assessment
- **Financial:** Operators received at least $100,000 in cryptocurrency payments (estimated to correspond to up to roughly 200 subscriptions). Direct victim financial loss is not quantified in the summary.
- **Data Breach:** Over 5,000 Microsoft 365 credentials compromised. Potentially hundreds of millions of malicious emails sent.
- **Operational:** While phishing was a precursor to malware, immediate operational impact from the takedown centered on stopping the credential harvesting service itself.
- **Reputational:** Significant visibility gained by Microsoft DCU action, highlighting the proliferation of "phishing-as-a-service" models.
## Indicators of Compromise
- **Network indicators:** The 338 seized phishing domains and their hosting infrastructure; the domain list itself is not reproduced in this summary.
- **File indicators:** N/A (Tool/service focused, not specific malware file distribution detailed).
- **Behavioral indicators:** Redirection to fraudulent Microsoft O365 login pages via email links/attachments; session cookie capture bypassing MFA checks.
## Response Actions
- **Containment measures:** Seizure and takedown of 338 phishing domains used by RaccoonO365 infrastructure via court order. Disruption of the subscription service.
- **Eradication steps:** Attribution of the enterprise to named individuals (e.g., Ogundipe) through cryptocurrency tracing, with the aim of disrupting the operators' financial flows.
- **Recovery actions:** Criminal referral to, and ongoing engagement with, international law enforcement to prosecute the founders of the service.
## Lessons Learned
- The service's rapid growth (described as a "fastest-growing tool") shows how subscription phishing kits multiply the pool of actors able to run credential theft campaigns without building their own infrastructure or tooling.
- Cryptocurrency tracing (using Chainalysis) provided a viable pathway to attribute activities to specific real-world identities.
- The threat actor demonstrated advanced evasion tactics within their phishing kits (anti-analysis, user-agent filtering).
## Recommendations
- **Prevention measures for similar incidents:** Monitor for session-token anomalies: a non-interactive sign-in that reuses a session established with MFA but arrives from a different network or browser, or an MFA completion that originates from an unexpected IP (the phishing proxy) rather than the user's own device.
- **Policy:** Governments must work to align and harmonize international cybercrime laws to close legal loopholes actively exploited by transnational groups.
- **Defense:** Organizations must strengthen user education around tax-themed phishing campaigns and move to phishing-resistant MFA (FIDO2 security keys, passkeys, or certificate-based authentication). Code- and push-based MFA is completed through the adversary-in-the-middle proxy, and the resulting session cookie is exactly what the attacker replays, so broad enrollment in those methods alone does not stop this kit.
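As an added worked example (not code from Microsoft, Cloudflare, or the RaccoonO365 kit), the following Python implements the session-token anomaly check recommended above against a handful of constructed sign-in records. The record fields (`session_id`, `asn`, `ua`, `interactive`, `mfa`) are an assumed, simplified stand-in for an identity provider's sign-in log, not a real schema, and the `known_asns` set stands in for an organization's known egress networks. It flags two things: a session that was bootstrapped with MFA but is then used from a different network or browser (cookie replay), and an MFA completion that arrived from a network the organization does not recognise (the proxy, not the user).

```python
"""Flag probable session-cookie replay following an AiTM phish.

Added example; not code from Microsoft, Cloudflare, or RaccoonO365.
The log format below is a constructed, simplified stand-in for identity
provider sign-in records (field names are assumptions, not a real schema).
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). alice completes MFA through
# the phishing proxy (session s-1, ASN 64501); about half an hour later the
# harvested cookie is replayed from a different ASN and browser. bob's session
# is ordinary reuse from the same network and browser the next morning.
SAMPLE_LOG = """
{"ts": "2025-09-10T14:02:11Z", "user": "alice@example.com", "session_id": "s-1", "ip": "203.0.113.10", "asn": 64501, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0", "interactive": true, "mfa": true}
{"ts": "2025-09-10T14:05:40Z", "user": "alice@example.com", "session_id": "s-1", "ip": "203.0.113.10", "asn": 64501, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0", "interactive": false, "mfa": false}
{"ts": "2025-09-10T14:31:05Z", "user": "alice@example.com", "session_id": "s-1", "ip": "198.51.100.77", "asn": 64496, "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0", "interactive": false, "mfa": false}
{"ts": "2025-09-10T15:10:00Z", "user": "bob@example.com", "session_id": "s-2", "ip": "192.0.2.5", "asn": 64500, "ua": "Mozilla/5.0 (Macintosh) Safari/17.0", "interactive": true, "mfa": true}
{"ts": "2025-09-11T09:00:00Z", "user": "bob@example.com", "session_id": "s-2", "ip": "192.0.2.9", "asn": 64500, "ua": "Mozilla/5.0 (Macintosh) Safari/17.0", "interactive": false, "mfa": false}
"""


def parse_events(text):
    """Parse one JSON object per line into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _finding(ev, origin, reasons, severity):
    """Build one finding record; origin is the MFA-bootstrapped sign-in."""
    return {
        "user": ev["user"],
        "session_id": ev["session_id"],
        "bootstrap_ip": origin["ip"],
        "replay_ip": ev["ip"] if ev is not origin else None,
        "minutes_since_bootstrap": int((ev["ts"] - origin["ts"]).total_seconds() // 60),
        "reasons": reasons,
        "severity": severity,
    }


def find_token_replay(events, window_hours=24, known_asns=None):
    """Return findings for two AiTM symptoms.

    1. A non-interactive sign-in reusing a session that was bootstrapped with
       MFA, arriving within `window_hours` from a different ASN or user agent
       (cookie replay). Both changing scores high, one scores medium.
    2. If `known_asns` is given: the MFA bootstrap itself came from a network
       outside that set, i.e. MFA was completed by the proxy, not the user.
    """
    window = timedelta(hours=window_hours)
    bootstrap = {}  # session_id -> first interactive, MFA-satisfied sign-in
    findings = []
    for ev in events:
        sid = ev.get("session_id")
        if not sid:
            continue  # no session correlation possible for this record
        if ev["interactive"] and ev["mfa"]:
            if sid not in bootstrap:
                bootstrap[sid] = ev
                if known_asns is not None and ev["asn"] not in known_asns:
                    findings.append(_finding(ev, ev, ["mfa_completed_from_unknown_network"], "medium"))
            continue
        origin = bootstrap.get(sid)
        if origin is None or ev["ts"] - origin["ts"] > window:
            continue  # no MFA bootstrap seen, or outside the correlation window
        reasons = []
        if ev["asn"] != origin["asn"]:
            reasons.append("asn_changed")
        if ev["ua"] != origin["ua"]:
            reasons.append("user_agent_changed")
        if reasons:
            findings.append(_finding(ev, origin, reasons, "high" if len(reasons) == 2 else "medium"))
    return findings


if __name__ == "__main__":
    for f in find_token_replay(parse_events(SAMPLE_LOG), known_asns={64500}):
        print(json.dumps(f))
```

Run against the constructed log with `known_asns={64500}` it reports alice's MFA completion from ASN 64501 (medium) and the later reuse of s-1 from a new ASN and browser (high); bob's reuse from the same network and browser is not flagged. In production the ASN comparison should tolerate legitimate mobility (home to office, VPN on and off) by weighting the user-agent change and the short time gap higher than an ASN change alone, which is why the two signals are scored separately here.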