News
Microsoft Disrupts RaccoonO365 Phishing Platform in Major Domain Takedown
Microsoft reports that it has seized 338 domains tied to RaccoonO365, a phishing-as-a-service operation it described as one of the fastest-growing criminal platforms targeting its users.
The move was carried out by the company’s Digital Crimes Unit under the authority of a court order in the Southern District of New York. The domains were used to impersonate Microsoft login pages and collect user credentials, according to legal filings. Microsoft officials said the takedown was meant to interrupt a service that lowered the barrier for attackers with little technical skill.
“RaccoonO365, tracked by Microsoft as Storm-2246, offers subscription-based phishing kits,” wrote Steven Masada, assistant general counsel for the company’s Digital Crimes Unit. “These let anyone -- even those with little technical skill -- steal Microsoft credentials by mimicking official Microsoft communications.”
Investigators reported that more than 5,000 credentials were stolen from organizations in at least 94 countries. The kits not only reproduced Microsoft branding but also captured authentication tokens in real time, so an attacker could reuse a session the victim had already authenticated and sidestep some session protections.
The infrastructure extended beyond look-alike domains. Microsoft said the service was promoted in a private Telegram group with more than 850 members, where plans were sold for cryptocurrency. Subscriptions ranged from short-term access to longer packages. At least one developer, identified as being based in Nigeria, allegedly helped run the operation, using false identities to register sites and route payments.
Campaigns tied to the group included widespread attacks on U.S. organizations during tax season, with more than 2,300 companies targeted. Healthcare was another focus: at least 20 organizations in the sector were affected, Microsoft said. The company worked with Cloudflare and other providers to remove the sites and received intelligence support from firms such as Chainalysis. Health-ISAC also assisted in limiting the impact on critical services.
The takedown comes amid a broader rise in turnkey attack tooling that lowers the barrier to entry for threat actors. In June, security firm Proofpoint outlined a multi-factor authentication attack aimed at Entra ID that used an open-source penetration-testing tool to steal credentials. These trends underscore the importance of layered defenses: robust MFA configurations, phishing-resistant authentication methods such as FIDO2 security keys or passkeys, which bind the login to the legitimate origin and so cannot be relayed by a look-alike page, and continuous employee training.
Microsoft's latest action reinforces the need for organizations to monitor for domain spoofing, enforce email authentication standards like DMARC and SPF, and engage with external threat intelligence resources. It also shows that coordinated action across the tech sector is more effective than any single company acting alone.
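To make the two defensive checks above concrete, here is an added example (not code from Microsoft, the article, or any of the firms named) that audits a domain's SPF and DMARC TXT records for weak settings and flags hostnames that impersonate a brand. The sample records, the allowlist of legitimate Microsoft domains, and the homoglyph table are constructed for illustration; a real deployment would fetch the TXT records over DNS and feed hostnames from newly registered domain feeds or proxy logs.

```python
"""Audit SPF/DMARC records and flag look-alike hostnames (constructed example)."""
import re

# Constructed sample TXT records; no DNS lookups are performed.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@hardened.example",
    },
    "broken.example": {"spf": "v=spf1 a mx +all", "dmarc": ""},
}

# Assumed allowlist of genuine brand domains (illustrative, not exhaustive).
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}
# Common substitutions seen in impersonation domains, mapped back to the letter they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("@", "a")]

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None when there is no DMARC record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """List weaknesses in a DMARC record; an empty list means the record is enforcing."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: spoofed mail is neither reported nor blocked"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid p= tag ({policy!r})")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts are discarded")
    return findings


def assess_spf(record):
    """List weaknesses in an SPF record; an empty list means the record is enforcing."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return ["no SPF record: any host may send mail claiming this domain"]
    terms = record.split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: every sender passes SPF, the record is useless")
    elif last == "?all":
        findings.append("?all: neutral result, unknown senders are not failed")
    elif last == "~all":
        findings.append("~all: softfail only, rely on DMARC to act on it")
    elif last != "-all":
        findings.append("record does not end with an all mechanism, default result is neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def audit(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain from the record table."""
    return {"spf": assess_spf(records[domain]["spf"]), "dmarc": assess_dmarc(records[domain]["dmarc"])}


def is_lookalike(hostname, brand="microsoft"):
    """True when a hostname imitates the brand and is not (under) an allowlisted domain."""
    host = hostname.lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    for src, dst in HOMOGLYPHS:  # undo the substitutions before matching the brand
        host = host.replace(src, dst)
    return brand in host


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, audit(name))
    for h in ("login.rnicrosoft-verify.com", "login.microsoftonline.com", "microsoft.com.evil-verify.net"):
        print(h, is_lookalike(h))
```

The DMARC check treats anything short of `p=reject` at `pct=100` as a gap, because a look-alike sender only needs the message delivered; the SPF check treats `~all` as acceptable only when DMARC is enforcing, which is why the two results are reported side by side. The look-alike check deliberately normalises the whole hostname rather than just the registrable domain, so that `microsoft.com.evil-verify.net` is caught as well as single-label homoglyph tricks.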
“Finally, this operation shows what’s possible when different sectors cooperate -- from tech companies to security firms to non-profits,” Masada wrote. “By uniting the strengths of industry, civil society, and governments, we can make a greater impact on the entire cybercriminal ecosystem.”