- Microsoft and Cloudflare disrupt phishing service stealing Microsoft 365 credentials
- RaccoonO365 kits used CAPTCHA screens and fake Microsoft logins
- Income from the criminal operation estimated to be at least $100,000
 
Working together, Microsoft’s Digital Crimes Unit and Cloudflare say they have successfully disrupted a phishing service that helped criminals steal hundreds of Microsoft 365 usernames and passwords.
Tracked by Microsoft as Storm-2246, RaccoonO365 offered subscription kits that mimicked official Microsoft messages and login pages.
Since July 2024, these kits have helped criminals steal an estimated minimum of 5,000 sets of credentials from victims across 94 countries.
Securing court order
Microsoft identified the group’s leader as Joshua Ogundipe, based in Nigeria, and said the service was marketed on Telegram with a large number of subscribers.
Microsoft’s Digital Crimes Unit said it seized 338 websites used by the group after securing a court order from the Southern District of New York.
“This case exhibits that cybercriminals don’t need to be refined to trigger widespread hurt – easy instruments like RaccoonO365 make cybercrime accessible to nearly anybody, placing thousands and thousands of customers in danger,” the company warned.
Cloudflare said its Cloudforce One and Trust and Safety teams worked with Microsoft to dismantle the infrastructure that supported the service.
According to Cloudflare, the phishing kits used a simple CAPTCHA screen and anti-bot measures to appear legitimate before redirecting victims to fake Microsoft login pages.
Once credentials were entered, attackers could also bypass multi-factor authentication and steal session cookies.
The company disabled Workers accounts and placed warning pages in front of malicious domains to cut off access.
The phishing service operated on a tiered pricing model, with subscriptions to the “RaccoonO365 Suite” priced at $355 for 30 days or $999 for 90 days, and payments accepted only in cryptocurrency.
Microsoft said the operation had already generated at least $100,000 in revenue, although the true amount is likely higher.
Both companies described the action as part of a broader effort to disrupt phishing-as-a-service platforms.
“Our response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption,” Cloudflare said, adding, “we aim to considerably enhance RaccoonO365’s operational prices and ship a transparent message to different malicious actors: the free tier is just too costly for criminal enterprises.”

