Microsoft Takes Down 340 Phishing Websites Linked to Raccoon0365
Microsoft has shut down nearly 340 websites connected to a fast-growing phishing subscription service, Raccoon0365. The service, based in Nigeria, enabled users to carry out widespread cyberattacks targeting Microsoft user credentials, according to the company.
The US District Court in Manhattan granted Microsoft a court order to seize the domains. The move comes after Microsoft’s Digital Crimes Unit identified the operation, which used fake login pages to trick users into revealing sensitive account details.
How Raccoon0365 Targeted Victims
The phishing service was hosted on a private Telegram channel with over 850 subscribers. It allowed users to impersonate reputable brands and send out large volumes of phishing emails. In February alone, over 2,300 organisations—primarily in the US—were targeted with tax-themed email attacks.
Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, explained in a company blog post that the service enabled “virtually anyone” to carry out damaging cybercrimes. He added that the group had stolen at least 5,000 Microsoft credentials.
Court filings identified Joshua Ogundipe, based in Nigeria, as the main operator. Microsoft stated that since July 2024, the service generated at least $100,000 in cryptocurrency payments. Ogundipe has not responded to email requests for comment.
Industries and Organisations Impacted
Raccoon0365’s impact spanned multiple sectors. According to Errol Weiss, chief security officer at Health-ISAC, at least five healthcare organisations were successfully compromised. In total, 25 health sector organisations were targeted.
Weiss emphasised the risks: “So many attacks begin with someone unknowingly giving their credentials to a criminal. Once inside the network, the damage can escalate quickly.”
Microsoft’s investigation also found that many of the phishing campaigns specifically targeted organisations in New York City.
Collaboration with Cloudflare and the Secret Service
The phishing infrastructure was partly hidden using services from Cloudflare. The company worked alongside Microsoft and the US Secret Service to dismantle Raccoon0365’s backend systems and block the creation of new accounts.
Blake Darché, Cloudflare’s head of threat intelligence, noted that although the group made operational security mistakes, it remained highly effective in its attacks.
Microsoft said the takedown occurred over several days and is part of ongoing efforts to combat online threats.
With inputs from Reuters