Microsoft Disrupts Global Phishing-as-a-Service Operation “Raccoon0365,” Stopping Massive Credential Theft


 

Microsoft Takes Down “Raccoon0365” Phishing Infrastructure

Microsoft announced on Tuesday that it successfully disrupted a global phishing-as-a-service (PhaaS) campaign that had been behind widespread credential theft targeting healthcare organizations worldwide.

The operation, called Raccoon0365, offered subscription-based phishing kits designed to steal Microsoft 365 credentials. According to Microsoft, the service had been active since July 2024 and was responsible for the theft of over 5,000 user credentials across 94 countries.

How Microsoft Took Action

In collaboration with Cloudflare and U.S. law enforcement, Microsoft seized 338 malicious domains linked to Raccoon0365 after obtaining a court order from the Southern District of New York.

To build its case, Microsoft conducted four separate test buys of the phishing kits, gaining insight into how the operation worked. This intelligence allowed the company to dismantle the infrastructure and share information with global law enforcement agencies.

The Raccoon0365 Business Model

  • Subscription Plans: Phishing kits were sold through a Telegram channel with subscription tiers ranging from 30 to 90 days.

  • Revenue: The group allegedly made over $100,000 in cryptocurrency payments.

  • Scale: More than 850 members subscribed to the channel, and attacks targeted 2,300+ organizations in multiple sectors — including healthcare, finance, and education.

Many attacks were timed around tax filing season, increasing the likelihood of victims falling for credential-stealing lures.

Impact on Healthcare Organizations

Microsoft revealed that the operation compromised at least 20 U.S. hospitals, where stolen credentials were sometimes used to deploy ransomware and other malicious code.

The situation was so severe that Health-ISAC, the information-sharing and analysis center for the healthcare sector, signed onto Microsoft’s lawsuit to help mitigate the threat.

Who is Behind Raccoon0365?

Court filings identified the alleged leader of the group as Joseph Ogundipe, a Nigeria-based computer programmer. Microsoft has referred the case to international law enforcement agencies for further action.

Key Takeaways for Organizations

  1. Credential Hygiene Matters: Ensure employees use multi-factor authentication (MFA) to reduce the impact of stolen passwords.

  2. Continuous Monitoring: Implement real-time monitoring to detect and respond to suspicious login attempts.

  3. Security Awareness Training: Regular phishing simulation exercises can significantly reduce click-through rates.

  4. Zero Trust Architecture: Adopt a Ze

 

Final Thoughts

The takedown of Raccoon0365 is a major win for cybersecurity defenders, but it also highlights the growing professionalization of cybercrime through subscription-based models like phishing-as-a-service (PhaaS).

Organizations must stay vigilant, invest in proactive defense strategies, and collaborate with industry partners to stay ahead of evolving threats.

 
