Microsoft and Cloudflare executed a coordinated “rugpull” against one of the world’s most sophisticated phishing operations, seizing 338 websites and dismantling infrastructure that generated potentially hundreds of millions of malicious emails targeting business users globally.
The joint operation targeted RaccoonO365, which Microsoft tracks as Storm-2246, a Nigerian-led criminal enterprise that transformed credential theft into a subscription service, according to Microsoft’s Digital Crimes Unit blog post. The phishing-as-a-service platform allowed anyone to launch devastating attacks against Microsoft 365 users without requiring technical expertise.
“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm — simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk,” Microsoft said in announcing the takedown operation.
Criminal enterprise built for scale
RaccoonO365 operated with the sophistication of a legitimate technology company, complete with tiered pricing plans and customer support, Microsoft’s investigation found.
“These let anyone — even those with little technical skill — steal Microsoft credentials by mimicking official Microsoft communications,” Microsoft added in the blog.
The service boasted 845 subscribers on Telegram and collected at least $100,000 in cryptocurrency payments, with subscription plans ranging from $355 for 30 days to $999 for 90 days.
Since July 2024, the platform facilitated the theft of at least 5,000 Microsoft credentials across 94 countries, Microsoft reported. Each subscription allowed a customer to target up to 9,000 email addresses per day; across the subscriber base, investigators estimate this produced hundreds of millions of malicious messages a year. Most dangerously, Microsoft found that the service could get past multi-factor authentication protections, stealing the credentials and then keeping persistent access to victims' systems.
Healthcare systems proved particularly vulnerable, with documented attacks against at least 20 US healthcare organizations, according to Microsoft. The targeting was strategic, as these attacks often served as entry points for ransomware deployment that can shut down hospital systems and endanger patient lives.
The threat was significant enough that Health-ISAC, a healthcare cybersecurity nonprofit, joined Microsoft as a plaintiff in the legal action, the blog added.
The operation also demonstrated its scale through a tax-themed phishing campaign that targeted more than 2,300 US organizations earlier this year, Microsoft reported.
Legal victory with limitations
Microsoft’s investigation identified Joshua Ogundipe, based in Nigeria, as the operation’s leader and primary architect. The company filed a lawsuit against Ogundipe and four associates listed as John Does in late August, then obtained a court order from the US District Court for the Southern District of New York in early September to seize the 338 websites associated with RaccoonO365.
“Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code,” Microsoft stated.
However, the legal victory has practical limits. The court's restraining order applies to Ogundipe and his associates, but it is a civil order with little force outside US jurisdiction, so the defendants remain at large. Microsoft has made a criminal referral for Ogundipe to international law enforcement, but prosecution remains difficult because of jurisdictional gaps.
Technical sophistication and takedown
Microsoft's analysis showed that RaccoonO365 used evasion techniques to circumvent security controls and avoid detection by researchers and automated systems, and the operators recently began advertising an AI-powered add-on, "RaccoonO365 AI-MailCheck", pitched as a way to scale campaigns and improve their effectiveness.
The coordinated disruption began on September 2, 2025, with Microsoft pursuing its legal action while Cloudflare carried out what it called a "rugpull." Cloudflare's analysis found that the operators had put Cloudflare Workers in front of their backend phishing servers as an intermediary layer, so that victims and researchers only ever reached Cloudflare-hosted endpoints while the real servers stayed hidden behind them.
“The actor’s ultimate goal was to provide subscribers with stolen credentials, cookies, and data from victim accounts (including OneDrive, SharePoint, and email), which could then enable financial fraud, extortion, or serve as initial access for larger attacks,” Cloudflare said in its analysis.
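The stolen cookies Cloudflare mentions, together with the MFA bypass Microsoft describes, point to one detectable pattern: the victim completes MFA on the real login (relayed through the phishing page), the kit captures the resulting session cookie, and the subscriber replays that cookie from their own machine shortly afterwards without ever being prompted for MFA. The following detection is an added example written for this article; it is not code from Microsoft, Cloudflare or the page. The record layout (`ts`, `user`, `ip`, `session_id`, `fresh_mfa`) is an assumed, simplified schema rather than any vendor's sign-in log format, and the sample records are constructed.

```python
"""Session-replay detection over constructed sign-in records.

Added example, not code from Microsoft, Cloudflare or the RaccoonO365 kit.
The record schema below is assumed and simplified; map it onto your own
sign-in logs (session identifier, client IP, whether MFA was freshly
satisfied) before using the logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed schema). sess-A1 is the hijack case:
# the victim signs in with MFA from the corporate IP, and seven minutes later
# the same session cookie is used from an unrelated IP with no MFA prompt.
SAMPLE_SIGNINS = [
    {"ts": "2025-09-03T08:00:00Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "session_id": "sess-A1", "fresh_mfa": True},
    {"ts": "2025-09-03T08:07:00Z", "user": "alice@example.com",
     "ip": "198.51.100.77", "session_id": "sess-A1", "fresh_mfa": False},
    {"ts": "2025-09-03T09:00:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "session_id": "sess-B7", "fresh_mfa": True},
    # Same IP reusing its own cookie later in the day: ordinary, not an alert.
    {"ts": "2025-09-03T17:30:00Z", "user": "bob@example.com",
     "ip": "203.0.113.22", "session_id": "sess-B7", "fresh_mfa": False},
    # New session from a new IP, but MFA was completed again: benign.
    {"ts": "2025-09-04T09:05:00Z", "user": "bob@example.com",
     "ip": "203.0.113.23", "session_id": "sess-B8", "fresh_mfa": True},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(records, window=timedelta(hours=24)):
    """Return one alert per session cookie that was established with a fresh
    MFA from one IP and then used from a different IP, without a fresh MFA,
    within `window` of that MFA event.

    A cookie moving between IPs without re-authentication is the observable
    side effect of a relayed login whose session was captured and replayed.
    Legitimate roaming (VPN flips, mobile networks) can trigger it too, so
    treat the alert as a lead to correlate with ASN, device and geography.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["ts"]))
        # The first MFA-backed sign-in anchors the session to the victim's IP.
        origin = next((e for e in events if e["fresh_mfa"]), None)
        if origin is None:
            continue
        t0 = parse_ts(origin["ts"])
        for ev in events:
            delta = parse_ts(ev["ts"]) - t0
            if delta < timedelta(0) or delta > window:
                continue
            if ev["ip"] != origin["ip"] and not ev["fresh_mfa"]:
                alerts.append({
                    "session_id": session_id,
                    "user": ev["user"],
                    "origin_ip": origin["ip"],
                    "replay_ip": ev["ip"],
                    "minutes_after_mfa": int(delta.total_seconds() // 60),
                })
                break  # one alert per session is enough to triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_SIGNINS):
        print(alert)
```

Run as-is it reports only `sess-A1`, replayed from 198.51.100.77 seven minutes after the MFA-backed sign-in; Bob's same-IP reuse and his re-authenticated new session produce nothing. Shortening `window` reduces noise from legitimate roaming at the cost of missing subscribers who sit on a captured cookie before using it.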
Cloudflare systematically dismantled RaccoonO365’s infrastructure over three days, terminating dozens of Worker accounts and placing “phish warning” pages in front of all identified domains. Facing infrastructure collapse, the criminals posted desperately on Telegram on September 5, attempting to reframe the disruption as a planned “rebirth.”
The takedown was declared complete on September 8, Cloudflare added in the report.
Industrialized cybercrime challenge
The RaccoonO365 case exemplifies what Microsoft calls “a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially.” Microsoft noted that the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that cybercrime is becoming industrialized, with subscription models making advanced attacks accessible regardless of technical skill.
Microsoft said the case also pushed it to bring new investigative tools into its work.
“For instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in the blog. “These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence.”
However, Microsoft acknowledged that significant challenges remain.
“Today’s patchwork of international laws remains a major obstacle, and cybercriminals exploit these gaps,” the company stated. “Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity,” Microsoft warned, saying that filing the lawsuit was just the beginning, as the company expects the actors to try rebuilding their operations.