Microsoft’s Digital Crimes Unit said it worked with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group behind a phishing-as-a-service (PhaaS) toolkit that has been used since July 2024 to steal more than 5,000 Microsoft 365 credentials from 94 countries.
“Using a court order granted by the Southern District of New York, the DCU seized 338 websites related to popular services, disrupted the technological infrastructure of its business and blocked access to criminal victims.”
“This case shows that cybercriminals don’t need to be refined to cause widespread harm. A simple tool like RaccoonO365 makes cybercrime accessible to virtually anyone, putting millions of users at risk.”
The initial phase of Cloudflare’s takedown began on September 2, 2025, with additional actions on September 3 and September 4. This included banning all identified domains, placing an interstitial “phish warning” page in front of them, terminating the associated Workers scripts, and suspending the user accounts. The effort was completed on September 8.
Tracked by the Windows maker under the name Storm-2246, RaccoonO365 is sold to other cybercriminals under a subscription model, allowing them to mount phishing and credential-harvesting attacks at scale with little or no technical expertise. The 30-day plan costs $355, while the 90-day plan costs $999.
The operators also claim that the tool is hosted on bulletproof virtual private servers with no hidden backdoors (unlike, for example, BulletProofLink), and that it is “built only for serious players and not for low budget freeloaders.”
According to Morado, campaigns using RaccoonO365 have been active since September 2024. These attacks usually mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, Maersk, and others in fraudulent emails, tricking recipients into clicking through to lookalike pages that collect the victim’s Microsoft 365 usernames and passwords. The phishing emails are often a precursor to malware and ransomware.
The most troubling aspect from a defender’s perspective is the use of legitimate tools like Cloudflare Turnstile as a CAPTCHA, along with Cloudflare Workers scripts that implement bot and automation detection to protect the phishing pages.

Earlier this April, the Redmond-based company warned of several phishing campaigns that leveraged tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and Brute Ratel C4 (BRc4). The phishing pages were delivered via RaccoonO365, and one such campaign was attributed to an initial access broker called Storm-0249.
The phishing campaigns have targeted more than 2,300 U.S. organizations, including at least 20 U.S. healthcare providers.
“With RaccoonO365’s services, customers can enter up to 9,000 target email addresses per day, and use sophisticated techniques to avoid multi-factor authentication protections to steal user credentials and gain sustained access to the victim’s system,” Microsoft said.
“Recently, the group has begun promoting the RaccoonO365 AI-Mailcheck, a new AI-powered service designed to enhance the spread and refined effectiveness of attacks.”
The mastermind behind RaccoonO365 is assessed to be Joshua Ogundipe, a Nigeria-based individual. He and his associates promoted the tool on an 850-member-strong Telegram channel and received over $100,000 in cryptocurrency payments. The e-crime group is believed to have sold about 100-200 subscriptions, but Microsoft warns that this is likely an underestimate.
The tech giant said it was able to make the attribution courtesy of an operational security lapse that inadvertently exposed a secret cryptocurrency wallet. Ogundipe and four other co-conspirators currently remain at large, but Microsoft noted that a criminal referral for Ogundipe has been sent to international law enforcement.
Cloudflare, in its own analysis of the PhaaS service, said the takedown of hundreds of domains and Workers accounts is intended to increase operational costs and send a warning to other malicious actors who may abuse its infrastructure for malicious purposes.
Since the disruption, the threat actors have announced that they have “destroyed all legacy RaccoonO365 links,” urging customers who paid for a one-month subscription to switch to a new plan. The group also said it would compensate those affected by offering a “one week additional subscription” after the upgrade.
“The response represents a strategic shift from a reactive, single-domain takedown to aggressive, massive disruption aimed at dismantling the operational infrastructure of actors on our platform,” Cloudflare said.