Date: 2025-09-17

Microsoft’s Digital Crimes Unit (DCU) said it has disrupted RaccoonO365, a subscription-based phishing service blamed for stealing thousands of Microsoft 365 credentials.

The company said it identified a Nigeria-based individual, Joshua Ogundipe, as the leader of the operation.

Using a U.S. court order from the Southern District of New York, the DCU seized 338 websites linked to the service, cutting off the infrastructure criminals used to host fake Microsoft login pages and route stolen data.

According to Microsoft, RaccoonO365 sold easy-to-use phishing kits on Telegram that let even low-skilled criminals impersonate Microsoft communications and harvest usernames and passwords.

Since July 2024, the kits have been used to steal at least 5,000 Microsoft credentials across 94 countries, the company said. Because subscriptions are reusable, a single subscription can send thousands of phishing emails daily, scaling to hundreds of millions of malicious emails per year.

Ogundipe’s role

Microsoft said its investigation identified Ogundipe and associates as playing specialized roles in the enterprise: developing the code, selling subscriptions, and providing customer support to other cybercriminals.

“To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries.

“Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code,” Microsoft stated.

It further disclosed that an operational security lapse by the threat actors, in which they inadvertently revealed a secret cryptocurrency wallet, helped the DCU’s attribution and understanding of their operations.

“A criminal referral for Ogundipe has been sent to international law enforcement,” Microsoft added.

Healthcare and public-safety risks

Microsoft highlighted that RaccoonO365 was not just stealing credentials for fraud; its phishing kits were used in campaigns that targeted critical sectors.

The DCU found a tax-themed campaign that hit more than 2,300 organisations (mostly in the U.S.), and said the kits have been used against at least 20 U.S. healthcare organisations.

Microsoft and partner Health-ISAC say such campaigns can precede malware and ransomware intrusions that disrupt patient care, delay services, and expose sensitive health data.

According to Microsoft, these severe consequences are a key reason why the DCU is filing this lawsuit in partnership with Health-ISAC—a global non-profit focused on cybersecurity and threat intelligence for the health sector.

More insights

Microsoft revealed that in just over a year, RaccoonO365 has swiftly evolved, rolling out regular upgrades to meet rising demand.

This rapid growth underscores why taking legal action now is crucial to stopping RaccoonO365’s activities.

Using RaccoonO365’s services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims’ systems.

Most recently, the group started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication—and effectiveness—of attacks.

Meanwhile, a recent report by Check Point Research revealed that Microsoft was the most impersonated brand, appearing in 25% of all phishing attempts globally between April and June 2025, a record aggravated by networks like RaccoonO365.