Microsoft and Cloudflare just took down a major phishing operation

Phishing email attack concept image showing letter symbols being held by dark colored hands.

(Image credit: Getty Images)

published 18 September 2025

Microsoft has announced a significant takedown of RaccoonO365, a popular tool used by hackers to seize Microsoft 365 credentials via phishing.

The tech giant’s Digital Crimes Unit (DCU) seized 338 domains linked to RaccoonO365, which form the backbone of its phishing as a service (PhaaS) offering used in thousands of attacks worldwide.

Cloudflare partnered with Microsoft for the takedown, tracking user signups to map out the threat group’s infrastructure and disabling all of its domains.

The full takedown began on 2 September, with Cloudflare acting in coordination with Microsoft’s seizure of 338 websites associated with the group as authorized in a court order by the Southern District of New York.

“Cloudflare’s response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption aimed at dismantling the actor's operational infrastructure on our platform,” the firm wrote.

“By taking coordinated action in early September 2025, we aim to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.”

RacconO365’s rise and fall

Microsoft designates RaccoonO365 as ‘Storm-2246’, indicating a group under development. It noted that the group has rapidly risen to prominence since June 2024, with its tools directly linked to the theft of at least 5,000 Microsoft credentials, across 94 countries.

In April, Microsoft Threat Intelligence warned of phishing attacks disguised as enterprise and tax documents, launched against 2,300 US organizations via RaccoonO365.

As part of the operation, Microsoft’s DCU also identified the group’s leader as Joshua Ogundipe, based out of Nigeria, following the trail of a cryptocurrency wallet the tool’s operators accidentally exposed.

Steven Masada, assistant general counsel at Microsoft’s DCU, noted that Ogundipe and his fellow group members have made at least $100,000 selling their services on Telegram, with‘RaccoonO365 Suite’ $355 subscriptions for 30 days’ access, or $999 for 90 days.

RacoonO365 is believed to have 100-200 active subscribers paying in cryptocurrency. Microsoft noted this is enough for hundreds of millions of phishing emails sent per year – and is most likely an underestimate of the full customer figures.

In a screenshot of the Telegram group shared by Cloudflare, the group advertised how it manages “all tech updates & backend” and offers a “100% clean codebase – no backdoors, no tracking”.

The tool was centrally managed, with the operators able to roll out new evasion methods or attack campaign strategies without needing to roll out new kits by simply altering a small amount of code.

Ogundipe is believed by Microsoft to have written the majority of RaccoonO365’s code, which Cloudflare researchers noted includes protections against connections from 17 major security vendors including Microsoft Defender and Proofpoint, reverse proxying to disguise its phishing servers as having legitimate Cloudflare IP addresses.

Since December 2024, RaccoonO365 had been deploying Cloudflare Worker clusters to obscure its attack infrastructure, expanding its features and growing in sophistication with each deployment.

By August 2025, the tool was capable of real-time data exfiltration and the group had begun to advertise an AI-powered tool ‘RaccoonO365 AI-MailCheck’.

Cloudflare had been mitigating individual RaccoonO365 domains based on complaints for some time but partnered with Microsoft after it launched its legal efforts to achieve a broader victory against the group.

It has now banned all Workers scripts linked to the group, suspended associated user accounts, and placed phishing warnings on banned domains.

“It’s positive that Microsoft DCU has worked to proactively take down this site, which was clearly putting internet users across the world at serious risk,” said Simon Phillips, CTO of engineering at CybaVerse.

“Users of RaccoonO365 were offered a ready-made package to send out thousands of phishing emails every day, in a bid to steal Microsoft credentials, with minimal effort.”

“With everything being ready-made, this lowered the barrier to entry for phishing scammers, offering them a tried and tested package, that would yield results quickly. This would have made the phishing emails far more convincing, with artwork, language and spelling all accurate.”

Phillips added that stolen credentials are especially effective against victims who reuse passwords across accounts. He cautioned that attackers cut off from PhaaS tools could still turn to the dark web to purchase email addresses for AI-powered phishing campaigns of their own.

Microsoft stated that RaccoonO365’s operators will likely attempt to rebuild infrastructure but that it will continue to take legal action to prevent attackers from resuming their operations.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.