Microsoft and Cloudflare Dismantle RaccoonO365 Phishing-as-a-Service Targeting Microsoft 365

CyberSecureFox 🦊

Microsoft’s Digital Crimes Unit (DCU) and Cloudflare have jointly disrupted the RaccoonO365 phishing-as-a-service (PhaaS) operation used to steal Microsoft 365 credentials. In early September 2025, the teams seized 338 phishing sites and Cloudflare Workers accounts tied to the service, breaking a key infrastructure chain that attackers used to evade detection and harvest passwords at scale.

How RaccoonO365 Worked: Kits, QR Codes, and Anti-Bot Evasion

RaccoonO365 packaged turnkey phishing kits that operators could deploy via email campaigns using links or QR codes. The kits imitated Microsoft login flows and added CAPTCHA challenges and anti-bot filters to block automated scanners and sandbox environments. Before serving a phishing page, server-side logic checked for indicators of “researcher/scanner/sandbox,” returning an error or dropping the connection to hide malicious content from security crawlers.

Scope and Business Impact: Thousands of Accounts Across 94 Countries

According to Microsoft, actors tracked as Storm-2246 used the platform from July 2024 onward to steal at least 5,000 credentials across 94 countries. A tax-season lure in April 2025 targeted more than 2,300 U.S. organizations, while similar kits were deployed against 20+ healthcare providers. Stolen passwords, session cookies, and content from OneDrive, SharePoint, and mailboxes were leveraged for financial fraud, extortion, lateral movement, and supply chain intrusions, including privilege escalation inside corporate tenants.

Monetization Model: PhaaS Sold via Telegram with Crypto Payments

The service was marketed on a private Telegram channel with 840+ members as of August 25, 2025. Subscriptions cost $355/month or $999 for three months, payable in USDT or BTC. Microsoft estimates the operators earned at least $100,000 in cryptocurrency—roughly consistent with 100–200 subscriptions—highlighting how the SaaS-like economics of PhaaS lower the barrier to running professional phishing operations.

Cloudflare Workers Abuse and the Joint Takedown

Operators abused Cloudflare Workers to proxy traffic, perform bot checks, and mask the true hosting origins of phishing pages. This layered approach made it harder for defenders to fingerprint infrastructure and block campaigns at the network edge. Coordinated action by Microsoft DCU and Cloudflare removed hundreds of these resources, dismantling the evasion and traffic-gating mechanisms that shielded the phishing content.

Attribution and OPSEC Mistake

Microsoft attributes leadership of the project to Joshua Ogundipe of Nigeria, linking him to core code development. A critical operational security error—an inadvertent exposure of a cryptocurrency wallet—enabled investigators to correlate artifacts, understand the platform’s workflow, and refer evidence to international law enforcement.

How to Protect Microsoft 365 Tenants from PhaaS Campaigns

Harden identity and sessions

Enable phishing-resistant MFA (FIDO2/WebAuthn security keys) to prevent theft of one-time codes. Disable legacy authentication protocols, enforce Conditional Access with Continuous Access Evaluation (CAE), and restrict OAuth app consent to admins. Regularly revoke suspicious sessions and tokens and monitor for “impossible travel” and anomalous sign-ins.
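The "impossible travel" check mentioned above can be implemented as a simple detection rule over sign-in records. The following is an added example, not code from the article or from Microsoft: it assumes each sign-in already carries a geolocated latitude/longitude (as tenant sign-in logs typically do), runs over a constructed batch of events, and flags consecutive sign-ins for the same user whose implied speed exceeds what a flight could achieve.

```python
"""Impossible-travel detection over a constructed batch of sign-in events.

Added example (not the article's or Microsoft's code). Assumes sign-in records
carry a geolocated latitude/longitude; the sample events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    ip: str


# Constructed sample events (hypothetical users, documentation IP ranges).
SAMPLE_SIGNINS = [
    # alice: New York, then Berlin 45 minutes later -> impossible
    SignIn("alice@example.com", datetime(2025, 4, 10, 9, 0, tzinfo=timezone.utc), 40.71, -74.01, "198.51.100.10"),
    SignIn("alice@example.com", datetime(2025, 4, 10, 9, 45, tzinfo=timezone.utc), 52.52, 13.40, "203.0.113.7"),
    # bob: London, then Paris six hours later -> plausible
    SignIn("bob@example.com", datetime(2025, 4, 10, 8, 0, tzinfo=timezone.utc), 51.51, -0.13, "198.51.100.22"),
    SignIn("bob@example.com", datetime(2025, 4, 10, 14, 0, tzinfo=timezone.utc), 48.86, 2.35, "198.51.100.23"),
]

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruising speed; faster than this is impossible


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ip, later_ip, implied_kmh) for each pair of consecutive
    sign-ins by the same user whose implied travel speed exceeds max_kmh."""
    by_user: dict[str, list[SignIn]] = {}
    for event in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(event.user, []).append(event)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if hours <= 0:
                # Same timestamp but far-apart locations is also impossible; avoid division by zero.
                if km > 50:
                    alerts.append((user, prev.ip, cur.ip, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, prev.ip, cur.ip, round(kmh)))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
```

In practice the rule is one signal among several: a session replayed through a phishing proxy often shows up as a second sign-in from an unfamiliar ASN shortly after the legitimate one, so pairing this check with token revocation for the flagged user shortens the window in which stolen session cookies remain usable.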

Strengthen email and link defenses

Implement DMARC, DKIM, and SPF with a reject policy, and use advanced URL and attachment filtering that can detect QR code phishing. Block auto-forwarding to external domains, flag consent prompts for high-risk apps, and alert on unauthorized MFA resets and mailbox rule changes.
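A quick way to verify the "reject policy" part of this advice is to parse a domain's SPF and DMARC TXT records and report anything weaker than `-all` and `p=reject`. The block below is an added example, not code from the article: it runs offline against constructed TXT records for two hypothetical domains, and the `txt_lookup` callable is a stand-in for a real DNS query (for example `dns.resolver.resolve(name, "TXT")` from dnspython, which is an assumption about tooling rather than anything the article describes). DKIM is not checked here because validating it requires knowing the selector in use.

```python
"""Assess whether a domain's SPF and DMARC records enforce a reject/fail posture.

Added example (not the article's code). The TXT records below are constructed;
swap offline_lookup for a real DNS resolver to check live domains.
"""

# Constructed TXT records for two hypothetical domains.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"
    ],
}


def offline_lookup(name: str) -> list[str]:
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC record ('tag=value; tag=value') into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_policy(record: str) -> str:
    """Return the qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass, or '' when no 'all' term is present."""
    for term in record.split():
        t = term.lower()
        if t == "all":
            return "+"  # a bare 'all' means '+all'
        if t[1:] == "all" and t[0] in "+-~?":
            return t[0]
    return ""


def assess_domain(domain: str, txt_lookup) -> list[str]:
    """Return human-readable findings; an empty list means both records are strict."""
    findings = []

    spf_records = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf_records:
        findings.append("no SPF record")
    else:
        qualifier = spf_policy(spf_records[0])
        if qualifier != "-":
            findings.append(f"SPF does not end in -all (found {qualifier or 'no'} all qualifier)")

    dmarc_records = [r for r in txt_lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not dmarc_records:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc_records[0])
        policy = tags.get("p", "missing")
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy}, not reject")
        # sp defaults to p when absent; subdomains are a common gap for lookalike sending
        if tags.get("sp", policy) != "reject":
            findings.append("DMARC subdomain policy is not reject")
        if "rua" not in tags:
            findings.append("DMARC has no aggregate reporting address (rua)")

    return findings


if __name__ == "__main__":
    for name in ("weak.example", "strong.example"):
        print(name, assess_domain(name, offline_lookup) or ["OK"])
```

Moving from `p=none` to `p=reject` should follow a period of reviewing the aggregate (`rua`) reports so that legitimate third-party senders are covered by SPF or DKIM first; otherwise the stricter policy rejects your own mail along with the spoofed messages.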

Educate users and prepare to respond

Run targeted awareness campaigns around tax-season and healthcare-themed lures. Provide quick-report mechanisms for suspicious messages. Maintain incident playbooks for account takeover, including rapid credential resets, token invalidation, and containment of lateral movement across SharePoint and OneDrive.

The RaccoonO365 takedown underscores the value of industry collaboration against phishing-as-a-service. Yet PhaaS remains economically attractive and easily replicable. Organizations that adopt phishing-resistant authentication, minimize privileges, constrain third-party app access, and continuously monitor user behavior will reduce the likelihood of compromise and accelerate containment when incidents occur.
