Microsoft’s Digital Crimes Unit (DCU) has disrupted , the fastest-growing instrument utilized by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Utilizing a court docket order granted by the Southern District of New York, the DCU seized 338 web sites related to the standard service, disrupting the operation’s technical infrastructure and chopping off criminals’ entry to victims. This case reveals that cybercriminals don’t have to be refined to trigger widespread hurt—easy instruments like RaccoonO365 make cybercrime accessible to nearly anybody, placing hundreds of thousands of customers in danger.
RaccoonO365, tracked by Microsoft as Storm-2246, presents subscription-based phishing kits. These let anybody—even these with little technical talent—steal Microsoft credentials by mimicking official Microsoft communications. To deceive customers, RaccoonO365’s kits use Microsoft branding to make fraudulent emails, attachments, and web sites seem reliable, attractive recipients to open, click on, and enter their info.
Since July 2024, RaccoonO365’s kits have been used to steal a minimum of 5,000 Microsoft credentials from 94 nations. Whereas not all stolen info leads to compromised networks or fraud as a result of number of security measures employed to remediate threats, these numbers underscore the size of the menace and the way social engineering stays a go –to tactic for cybercriminals. Extra broadly, the speedy growth, advertising and marketing, and accessibility of providers like RaccoonO365 point out that we’re coming into a troubling new section of cybercrime the place scams and threats are prone to multiply exponentially.
Whereas RaccoonO365 providers are used to focus on all industries, as evidenced by an intensive tax-themed phishing marketing campaign focusing on over 2,300 organizations in the USA, most alarmingly, its kits have been used in opposition to at least 20 U.S. healthcare organizations. This places public security in danger, as , which have extreme penalties for hospitals. In these assaults, affected person providers are delayed, important care is postponed or canceled, lab outcomes are compromised, and delicate information is breached, inflicting main monetary losses and straight impacting sufferers. These extreme penalties are a key purpose why the DCU is submitting this lawsuit in partnership with Well being-ISAC—a worldwide non-profit targeted on cybersecurity and menace intelligence for the well being sector.
RaccoonO365’s rapid evolution and unmasking its chief
In simply over a yr, RaccoonO365 has swiftly advanced, rolling out common upgrades to fulfill rising demand. This speedy progress underscores why taking authorized motion now’s essential to stopping RaccoonO365’s actions. Utilizing RaccoonO365’s providers, prospects can enter as much as 9,000 goal e mail addresses per day and make use of refined strategies to avoid multi-factor authentication protections to steal person credentials and achieve persistent entry to victims’ techniques. Most not too long ago, the group began promoting a brand new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and enhance the sophistication—and effectiveness—of assaults.
As a part of its investigation, the DCU’ additionally recognized the chief of the legal enterprise: Joshua Ogundipe, a person primarily based in Nigeria. Ogundipe and his associates marketed and offered their providers on Telegram to a rising buyer base. As of this submitting, they’ve over 850 members on Telegram and have obtained a minimum of US$100,000 in cryptocurrency funds. We estimate that this quantity displays roughly 100-200 subscriptions, which is probably going an underestimate of the full subscriptions offered. Importantly, the subscriptions are usually not single -use, which means {that a} single RaccoonO365 subscription permits a legal to ship hundreds of phishing emails a day—including as much as doubtlessly a whole lot of hundreds of thousands of malicious emails a yr despatched by this platform.
Ogundipe and his associates every have specialised roles inside the cybercriminal group, and collectively they develop, and promote the service, whereas providing buyer assist to assist different cybercriminals steal info from Microsoft customers. To masks their legal enterprise and evade detection, they registered Web domains utilizing fictitious names and bodily addresses which might be purportedly positioned in a number of cities and nations. Primarily based on Microsoft’s evaluation, Ogundipe has a background in pc programming and is believed to have authored the vast majority of the code. An operational safety lapse by the menace actors wherein they inadvertently revealed a secret cryptocurrency pockets helped the DCU’s attribution and understanding of their operations. A legal referral for Ogundipe has been despatched to worldwide regulation enforcement.
Confronting a worldwide cybercrime ecosystem
RaccoonO365 is a case research in a broader pattern: cybercrime is international, scalable, and accessible to anybody, no matter technical talent. To counter RaccoonO365, we acted swiftly to guard our prospects and stop additional hurt. However criminals always evolve, so Microsoft is evolving too. For example, we’re integrating blockchain evaluation instruments like Chainalysis Reactor into our investigations. These assist us hint criminals’ cryptocurrency transactions, linking on-line exercise to actual identities for stronger proof.
In authorized instances, we additionally collaborate with safety firms like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we minimize off the actor’s income streams, sow mistrust amongst their would-be prospects, and ship a transparent sign that Microsoft and its companions will stay persistent in going after those that goal our techniques. Importantly, submitting a lawsuit is simply the beginning. We at all times anticipate actors to attempt to rebuild their operations. Meaning the DCU will proceed to take further authorized steps within the case to dismantle any new or reemerging infrastructure.
Even so, authorized challenges persist—particularly in locations the place prosecuting cybercriminals is tough. At the moment’s patchwork of worldwide legal guidelines stays a significant impediment and cybercriminals exploit these gaps. Governments should work collectively to align their cybercrime legal guidelines, velocity up cross-border prosecutions, and shut the loopholes that allow criminals function with impunity. The worldwide neighborhood also needs to assist nations which might be working to strengthen their defenses, whereas holding accountable those who flip a blind eye to cybercrime. Whereas we press ahead within the courts, organizations and people also needs to proceed to bolster their defenses. Meaning enabling robust multi-factor authentication on accounts, utilizing up-to-date anti-phishing and safety instruments, and educating customers to remain vigilant in opposition to evolving scams.
Lastly, this operation reveals what’s doable when totally different sectors cooperate—from tech firms to safety companies to non-profits—every bringing distinctive experience to disrupt legal networks. By uniting the strengths of trade, civil society, and governments, we will make a larger affect on your entire cybercriminal ecosystem. Microsoft stays dedicated to working with others—throughout borders and sectors—to fight this ever-evolving menace and assist construct a safer digital world.
