- Microsoft and Cloudflare disrupt phishing service stealing Microsoft 365 credentials
- RaccoonO365 kits used CAPTCHA screens and fake Microsoft logins
- Revenue from the criminal operation estimated to be at least $100,000
Working together, Microsoft’s Digital Crimes Unit and Cloudflare say they have successfully disrupted a phishing service that helped criminals steal hundreds of Microsoft 365 usernames and passwords.
Tracked by Microsoft as Storm-2246, RaccoonO365 sold subscription kits that mimicked official Microsoft messages and login pages.
Since July 2024, these kits have helped criminals steal an estimated minimum of 5,000 sets of credentials from victims across 94 countries.
Securing court order
Microsoft identified the group’s leader as Joshua Ogundipe, based in Nigeria, and said the service was marketed on Telegram with hundreds of subscribers.
Microsoft’s Digital Crimes Unit said it seized 338 websites used by the group after securing a court order from the Southern District of New York.
“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm – simple tools like RaccoonO365 make cybercrime accessible to nearly anyone, putting tens of millions of users at risk,” the company warned.
Cloudflare said its Cloudforce One and Trust and Safety teams worked with Microsoft to dismantle the infrastructure that supported the service.
According to Cloudflare, the phishing kits used a simple CAPTCHA screen and anti-bot measures to appear legitimate before redirecting victims to fake Microsoft login pages.
Once credentials were entered, attackers could also bypass multi-factor authentication and steal session cookies.
The company disabled Workers accounts and placed warning pages in front of malicious domains to cut off access.
The phishing service operated on a tiered pricing model, with subscriptions to the “RaccoonO365 Suite” priced at $355 for 30 days or $999 for 90 days, with payments only accepted in cryptocurrency.
Microsoft said the operation had already generated at least $100,000 in revenue, although the true amount is likely higher.
Both companies described the action as part of a broader effort to disrupt phishing-as-a-service platforms.
“Our response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption,” Cloudflare said, adding, “we aim to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.”