{"id":4916,"date":"2025-09-17T12:48:13","date_gmt":"2025-09-17T12:48:13","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4916"},"modified":"2025-09-17T12:48:13","modified_gmt":"2025-09-17T12:48:13","slug":"microsoft-and-cloudflare-execute-rugpull-on-massive-phishing-empire","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4916","title":{"rendered":"Microsoft and Cloudflare execute \u2018rugpull\u2019 on massive phishing empire"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft and Cloudflare executed a coordinated \u201crugpull\u201d against one of the world\u2019s most sophisticated phishing operations, seizing 338 websites and dismantling infrastructure that generated potentially hundreds of millions of malicious emails targeting business users globally.<\/p>\n<p>The joint operation targeted RaccoonO365, which Microsoft tracks as Storm-2246, a Nigerian-led criminal enterprise that transformed credential theft into a subscription service, according to Microsoft\u2019s Digital Crimes Unit <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2024\/09\/16\/microsoft-seizes-338-websites-raccoon-o365-phishing\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. 
The phishing-as-a-service platform allowed anyone to launch devastating attacks against Microsoft 365 users without requiring technical expertise.<\/p>\n<p>\u201cThis case shows that cybercriminals don\u2019t need to be sophisticated to cause widespread harm \u2014 simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk,\u201d Microsoft said in announcing the takedown operation.<\/p>\n<h2 class=\"wp-block-heading\">Criminal enterprise built for scale<\/h2>\n<p>RaccoonO365 operated with the sophistication of a legitimate technology company, complete with tiered pricing plans and customer support, Microsoft\u2019s investigation found.<\/p>\n<p>\u201cThese let anyone \u2014 even those with little technical skill \u2014 steal Microsoft\u00a0credentials\u00a0by mimicking official Microsoft communications,\u201d Microsoft added in the blog.<\/p>\n<p>The service boasted 845 subscribers on Telegram and collected at least $100,000 in cryptocurrency payments, with subscription plans ranging from $355 for 30 days to $999 for 90 days.<\/p>\n<p>Since July 2024, the platform facilitated the theft of at least 5,000 Microsoft credentials across 94 countries, Microsoft reported. Each subscription allowed criminals to target up to 9,000 email addresses daily, creating a multiplication effect that investigators estimate generated hundreds of millions of malicious messages annually. Most dangerously, Microsoft found that the service could bypass multi-factor authentication protections to steal user credentials and gain persistent access to victims\u2019 systems.<\/p>\n<p>Healthcare systems proved particularly vulnerable, with documented attacks against at least 20 US healthcare organizations, according to Microsoft. 
The targeting was strategic, as these attacks often served as entry points for ransomware deployment that can shut down hospital systems and endanger patient lives.<\/p>\n<p>The threat was significant enough that Health-ISAC, a healthcare cybersecurity nonprofit, joined Microsoft as a plaintiff in the legal action, the blog added.<\/p>\n<p>The operation also demonstrated its scale through a tax-themed phishing campaign that targeted more than 2,300 US organizations earlier this year, Microsoft reported.<\/p>\n<h2 class=\"wp-block-heading\">Legal victory with limitations<\/h2>\n<p>Microsoft\u2019s investigation identified Joshua Ogundipe, based in Nigeria, as the operation\u2019s leader and primary architect. The company filed a <a href=\"https:\/\/noticeofpleadings.com\/RaccoonO365\/\" target=\"_blank\" rel=\"noopener\">lawsuit<\/a> against Ogundipe and four associates listed as John Does in late August, then obtained a court order from the US District Court for the Southern District of New York in early September to seize the 338 websites associated with RaccoonO365.<\/p>\n<p>\u201cBased on Microsoft\u2019s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code,\u201d Microsoft stated.<\/p>\n<p>However, the legal victory might face practical limitations. While the court granted a restraining order against Ogundipe and his associates, the defendants remain free since the order carries little weight outside the US jurisdiction. 
Microsoft has submitted a criminal referral for Ogundipe to international law enforcement, but prosecution remains challenging due to jurisdictional gaps.<\/p>\n<h2 class=\"wp-block-heading\">Technical sophistication and takedown<\/h2>\n<p>Microsoft\u2019s analysis showed that RaccoonO365 employed advanced evasion techniques and recently began advertising an AI-powered service called \u201cRaccoonO365 AI-MailCheck\u201d designed to scale operations and increase attack effectiveness. The criminals used sophisticated methods to circumvent security measures and avoid detection by researchers and automated systems.<\/p>\n<p>The coordinated disruption began September 2, 2025, with Microsoft pursuing its legal strategy while Cloudflare executed what it called a strategic \u201crugpull.\u201d <a href=\"https:\/\/www.cloudflare.com\/threat-intelligence\/research\/report\/cloudflare-participates-in-global-operation-to-disrupt-raccoono365\/\" target=\"_blank\" rel=\"noopener\">Cloudflare\u2019s analysis<\/a> showed the criminals had strategically deployed Cloudflare Workers as an intermediary layer to shield their backend phishing servers.<\/p>\n<p>\u201cThe actor\u2019s ultimate goal was to provide subscribers with stolen credentials, cookies, and data from victim accounts (including OneDrive, SharePoint, and email), which could then enable financial fraud, extortion, or serve as initial access for larger attacks,\u201d Cloudflare said in its analysis.<\/p>\n<p>Cloudflare systematically dismantled RaccoonO365\u2019s infrastructure over three days, terminating dozens of Worker accounts and placing \u201cphish warning\u201d pages in front of all identified domains. 
Facing infrastructure collapse, the criminals posted desperately on Telegram on September 5, attempting to reframe the disruption as a planned \u201crebirth.\u201d<\/p>\n<p>The takedown was declared complete on September 8, Cloudflare added in the report.<\/p>\n<h2 class=\"wp-block-heading\">Industrialized cybercrime challenge<\/h2>\n<p>The RaccoonO365 case exemplifies what Microsoft calls \u201ca troubling new phase of cybercrime where scams and threats are likely to multiply exponentially.\u201d Microsoft noted that the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that cybercrime is becoming industrialized, with subscription models making advanced attacks accessible regardless of technical skill.<\/p>\n<p>The successful takedown required Microsoft to integrate new tools into its investigations.<\/p>\n<p>\u201cFor instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations,\u201d Steven Masada, assistant general counsel at Microsoft\u2019s Digital Crimes Unit, said in the blog. \u201cThese help us trace criminals\u2019 cryptocurrency transactions, linking online activity to real identities for stronger evidence.\u201d<\/p>\n<p>However, Microsoft acknowledged that significant challenges remain.<\/p>\n<p>\u201cToday\u2019s patchwork of international laws remains a major obstacle, and cybercriminals exploit these gaps,\u201d the company stated. 
\u201cGovernments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity,\u201d Microsoft warned, saying that filing the lawsuit was just the beginning, as the company expects the actors to try rebuilding their operations.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft and Cloudflare executed a coordinated \u201crugpull\u201d against one of the world\u2019s most sophisticated phishing operations, seizing 338 websites and dismantling infrastructure that generated potentially hundreds of millions of malicious emails targeting business users globally. 
The joint operation targeted RaccoonO365, which Microsoft tracks as Storm-2246, a Nigerian-led criminal enterprise that transformed credential theft into a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4916","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4916"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4916"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4916\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4907"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}