Microsoft and Cloudflare Dismantle RaccoonO365 Phishing Service

352/68 Friday, September 19, 2025

Microsoft and Cloudflare announced the successful takedown of the RaccoonO365 Phishing-as-a-Service (PhaaS) platform, which had been used to steal thousands of Microsoft 365 accounts. Microsoft tracked this threat under the name Storm-2246. According to Microsoft, its Digital Crimes Unit (DCU) filed a legal complaint with the Southern District of New York, enabling the seizure of 338 phishing websites used to harvest Microsoft 365 credentials, effectively cutting off a major channel exploited by cybercriminals. Meanwhile, Cloudflare blocked more than 200 domains and Worker Accounts in early September 2025, in coordination with Microsoft’s civil lawsuit that began in August.

The RaccoonO365 platform offered subscriptions ranging from $355 to $999, with around 100–200 subscribers, generating over $100,000 in cryptocurrency revenue. Each subscriber was able to send thousands of phishing emails daily, amounting to hundreds of millions of emails annually. The service was used in large-scale tax fraud phishing campaigns targeting over 2,300 U.S. organizations, including more than 20 healthcare providers, putting patient records and medical test data at risk, and potentially causing treatment delays.

Additionally, Microsoft identified Joshua Ogundipe, a Nigerian national, as the leader of the RaccoonO365 network. Ogundipe allegedly played a key role in coding, sales, and customer support for the platform. The operation relied on fake domains to evade detection but was eventually uncovered following a crypto wallet leak. The case has now been referred to law enforcement agencies for further action.

Source: https://securityaffairs.com/182294/cyber-crime/microsoft-and-cloudflare-teamed-up-to-dismantle-the-raccoono365-phishing-service.html