Executive Summary
In September 2025, Microsoft, working with Cloudflare and law enforcement, disrupted RaccoonO365, a Phishing-as-a-Service (PhaaS) operation that let cybercriminals run large-scale phishing campaigns impersonating Microsoft 365 and other trusted brands. The service, tracked by Microsoft as Storm-2246 and attributed to Joshua Ogundipe, sold subscription kits that automated credential-theft campaigns; a single tax-themed campaign targeted more than 2,300 US organizations, and at least 20 US healthcare organizations were among the victims. The takedown seized 338 domains, mapped the attack infrastructure, and traced the operation's cryptocurrency payments. RaccoonO365 had been active since at least July 2024 and stole at least 5,000 sets of Microsoft credentials from victims in 94 countries.
This incident underscores the industrialization of phishing through subscription-based platforms and shows how low-skill attackers are being enabled at scale. As phishing-as-a-service proliferates and leans on brand impersonation, organizations face escalating risk of credential theft and the ransomware or malware intrusions that follow it.
Why This Matters Now
The RaccoonO365 case shows how quickly Phishing-as-a-Service has matured and how accessible it has become: a subscription is now enough to launch convincing credential-theft campaigns. With attackers exploiting well-known brands and targeting critical sectors such as healthcare, robust, adaptive identity and network defenses, and visibility into where users and workloads actually connect, are more urgent than ever.
Attack Path Analysis
Attackers sent large volumes of phishing email impersonating Microsoft and other brands to lure victims to credential-harvesting pages (Initial Compromise). With the stolen credentials they signed in to the victims' Microsoft 365 tenants and, where the account allowed it, could elevate privileges (Privilege Escalation). From there, the compromised accounts could be used to reach other internal systems or cloud workloads (Lateral Movement); the sources document the credential theft but not the extent of any post-compromise activity, so these later stages are assessed, not observed. The attacker infrastructure maintained a channel back to the operators for monitoring and harvesting (Command & Control). Stolen data, at minimum account credentials and potentially mailbox contents and documents, was exfiltrated to attacker-controlled infrastructure (Exfiltration). The resulting impact covers data compromise, possible follow-on malware or ransomware deployment, and risk to organizational reputation and, for healthcare victims, patient safety (Impact).
Kill Chain Progression
Initial Compromise
Description
Attackers delivered highly convincing phishing emails impersonating trusted organizations, leading recipients to credential harvesting sites hosted on attacker infrastructure.
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment (T1566.001)
Phishing: Spearphishing Link (T1566.002)
Phishing (T1566)
Valid Accounts (T1078)
Email Collection (T1114)
Acquire Infrastructure: Domains (T1583.001)
Develop Capabilities: Malware (T1587.001)
Input Capture: Web Portal Capture (T1056.003)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-factor Authentication (MFA) for All Access into the CDE
Control ID: 8.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy & Monitoring of Authorized Users
Control ID: 500.03, 500.14
DORA (EU) Regulation (EU) 2022/2554 – ICT Risk Management & Incident Detection
Control ID: Article 9, Article 10
CISA Zero Trust Maturity Model 2.0 – Phishing-resistant Authentication & Identity Controls
Control ID: Identity Pillar – Authentication function
NIS2 Directive – Risk Management and Security Measures
Control ID: Article 21
HIPAA Security Rule – Security Awareness and Training: Protection from Malicious Software
Control ID: 164.308(a)(5)(ii)(B)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
At least 20 US healthcare organizations were targeted with RaccoonO365 kits. A compromised clinical or administrative mailbox is a common ransomware precursor, so these intrusions carry patient-safety risk alongside HIPAA exposure and disruption of medical operations.
Financial Services
Stolen Microsoft 365 credentials give an attacker a valid identity inside the tenant, which undermines zero trust architectures that treat an authenticated user as trusted. Customer data is exposed, and any east-west movement from the compromised account toward cardholder-data systems puts PCI DSS compliance at risk.
Government Administration
The tax-themed campaign that targeted more than 2,300 US organizations traded on government branding. Agencies and their contractors face exposure of citizen data and a foothold that more persistent threat actors can reuse against public-sector infrastructure.
Information Technology/IT
The IT sector faces dual exposure: RaccoonO365 targets Microsoft 365 tenants and at the same time hides its phishing infrastructure behind legitimate cloud services, which is why Cloudflare took part in the takedown. Defending against it requires egress controls and threat detection that cover traffic to otherwise reputable cloud hosts.
Sources
- Microsoft Disrupts 'RaccoonO365' Phishing Service, Dark Reading: https://www.darkreading.com/application-security/microsoft-disrupts-raccoono365-phishing-service
- Microsoft seizes 338 websites to disrupt rapidly growing 'RaccoonO365' phishing service, Microsoft On the Issues, 16 September 2025: https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
- Microsoft, Cloudflare shut down RaccoonO365 phishing domains, The Register, 16 September 2025: https://www.theregister.com/2025/09/16/microsoft_cloudflare_shut_down_raccoono365/
- Microsoft Seizes Sites Used by Popular Phishing Operation to Attack Healthcare Orgs, HIPAA Journal: https://www.hipaajournal.com/microsoft-takedown-racoon0365-phishing-infrastructure/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, egress filtering, real-time anomaly detection, visibility across clouds, and policy automation provided by CNSF controls would have sharply reduced the attacker's ability to deliver the lure, move laterally with a stolen account, and exfiltrate data at each stage of the kill chain. The controls below are listed in kill-chain order; egress enforcement appears twice because it applies both to the initial fetch of the phishing page and to later data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound traffic to known and newly registered malicious domains would be blocked.
Control: Zero Trust Segmentation
Mitigation: Access to sensitive workloads and privileged actions is restricted based on identity and least privilege.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral movement between workloads, regions, and services is detected and blocked.
Control: Inline IPS (Suricata)
Mitigation: Suspicious or malicious command-and-control traffic is identified and prevented at the network edge.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data flows to suspicious destinations are blocked and alerted on.
Early detection of abnormal user and network activity mitigates business and operational impact.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Collaboration Platforms
Estimated downtime: 7 days
Estimated loss: $5,000,000
The RaccoonO365 phishing service led to the theft of at least 5,000 sets of Microsoft 365 credentials across 94 countries, giving the buyers of the kits unauthorized access to sensitive email, documents, and internal communications. At least 20 US healthcare organizations were targeted, potentially exposing patient records and critical medical information. The compromised credentials can be resold or reused for follow-on attacks, including malware distribution and ransomware deployment, with significant operational disruption and financial loss as the likely result.
Recommended Actions
Key Takeaways & Next Steps
- Enforce least-privilege, identity-based segmentation to limit attacker access after credential compromise.
- Implement centralized and granular egress filtering to block access to phishing and malicious domains from all workloads.
- Continuously baseline and monitor for anomalous east-west and outbound network activity across multicloud environments.
- Deploy inline intrusion prevention and distributed policy enforcement for early threat detection and containment.
- Automate security compliance and visibility across all cloud and hybrid networks to ensure rapid detection and mitigation of new attack techniques.
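The egress-filtering and outbound-monitoring actions above rely on two signals that are easy to state but worth seeing implemented: a requested host that borrows Microsoft 365 branding without being a first-party Microsoft domain, and a registrable domain that was registered only days before the traffic. The script below is an added example written for this page; it is not code from Microsoft, Cloudflare or the CNSF product. The first-party allow-list, the brand tokens, the registration-date table and the proxy log lines are all constructed for the demonstration, and the registrable-domain helper is deliberately naive (see its comment).

```python
"""Egress check for credential-phishing infrastructure (added example).

Applies two signals to constructed proxy log lines:
  1. the host carries Microsoft 365 branding but is not a first-party domain
  2. the registrable domain is younger than NRD_MAX_AGE_DAYS
Allow-list, brand tokens, registration dates and log lines are assumptions.
"""
from datetime import date

# Assumed first-party domains; suffix-matched so tenant subdomains pass.
FIRST_PARTY = ("microsoft.com", "microsoftonline.com", "live.com",
               "office.com", "office365.com", "sharepoint.com",
               "onedrive.com", "outlook.com")

# Brand fragments a Microsoft 365 lookalike typically carries (assumption).
BRAND_TOKENS = ("microsoft", "office365", "o365", "sharepoint",
                "onedrive", "outlook")

# Constructed stand-in for a WHOIS/RDAP lookup or a newly-registered-domain
# feed, keyed by registrable domain.
REGISTRATION_DATES = {
    "example.net": date(2025, 9, 10),   # registered days before the traffic
    "example.org": date(2019, 3, 2),
}
NRD_MAX_AGE_DAYS = 30
TODAY = date(2025, 9, 16)               # evaluation date for the demo

# Constructed proxy log lines: "timestamp user src_ip host".
SAMPLE_LOG = [
    "2025-09-16T09:12:03Z alice 10.1.4.22 login.microsoftonline.com",
    "2025-09-16T09:13:41Z alice 10.1.4.22 office365-verify.example.org",
    "2025-09-16T09:15:09Z bob 10.1.4.37 contoso.sharepoint.com",
    "2025-09-16T09:17:55Z bob 10.1.4.37 secure-docs.example.net",
    "2025-09-16T09:18:30Z carol 10.1.4.51 cdn.example.com",
]


def registrable_domain(host):
    """Last two labels only. Real code must consult the Public Suffix List
    (e.g. tldextract) so that foo.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_first_party(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in FIRST_PARTY)


def is_lookalike(host):
    """Brand token present on a host that is not first-party."""
    h = host.lower()
    return not is_first_party(h) and any(t in h for t in BRAND_TOKENS)


def domain_age_days(host, today=TODAY):
    """Age in days, or None when no registration date is known."""
    reg = REGISTRATION_DATES.get(registrable_domain(host))
    return (today - reg).days if reg else None


def evaluate(host, today=TODAY):
    """Return ('allow' | 'block', reason) for one requested host."""
    if is_first_party(host):
        return "allow", "first-party"
    if is_lookalike(host):
        return "block", "brand lookalike"
    age = domain_age_days(host, today)
    if age is not None and age <= NRD_MAX_AGE_DAYS:
        return "block", f"newly registered ({age}d)"
    # Unknown age is allowed here; a stricter policy queues it for review.
    return "allow", "no match"


def scan(lines, today=TODAY):
    """Parse proxy lines and return the requests that should be blocked."""
    blocked = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the pipeline
        ts, user, src, host = parts
        verdict, reason = evaluate(host, today)
        if verdict == "block":
            blocked.append({"ts": ts, "user": user, "src": src,
                            "host": host, "reason": reason})
    return blocked


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"BLOCK {hit['host']} ({hit['reason']}) "
              f"user={hit['user']} src={hit['src']}")
```

Two of the five constructed requests are blocked: the brand lookalike and the six-day-old domain. The unknown-age host is allowed, which is the fail-open choice; an environment that can tolerate the review queue should instead hold unknown domains until a registration date is available, since a kit operator can rotate to a fresh domain faster than a feed updates.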