
RaccoonO365 Phishing Network Dismantled as Microsoft, Cloudflare Take Down 338 Domains

Microsoft’s Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group behind a phishing-as-a-service (PhaaS) toolkit. The toolkit has been used to steal more than 5,000 Microsoft 365 credentials across 94 countries since July 2024.

Tracked by Microsoft as Storm-2246, RaccoonO365 is sold to cybercriminals on a subscription model that lets them run large-scale phishing and credential-harvesting campaigns with minimal technical expertise. Pricing is notably low: $55 for a 30-day plan and $99 for a 90-day plan.

Of particular concern is the kit's use of legitimate Cloudflare services to shield its phishing pages: Cloudflare Turnstile supplies the CAPTCHA placed in front of the pages, and bot and automation detection implemented in Cloudflare Workers scripts filters visitors so that only intended victims reach the credential-harvesting content, while automated scanners and security crawlers are kept out.
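To make the defender-side consequence of that gating concrete, here is an added example (written for this page; it is not code from the original post, Microsoft, Cloudflare or the RaccoonO365 kit) that triages what a URL scanner actually received when it fetched a suspicious link. The Turnstile markers and the `cf-mitigated` header are taken from public Cloudflare documentation but are treated here as heuristic assumptions, and the sample responses are constructed for the demo.

```python
"""Classify a URL-scanner fetch: did we see a Cloudflare gate, or the real page?

Added example, not code from the original post, Microsoft, Cloudflare or the
RaccoonO365 kit. Marker strings are assumptions drawn from public Cloudflare
documentation; the sample fetches below are constructed for this demo.
"""
import re

# Assumed Turnstile fingerprints: the widget script URL, the widget container
# class, and the hidden response-token field the widget populates.
TURNSTILE_MARKERS = (
    "challenges.cloudflare.com/turnstile/",
    'class="cf-turnstile"',
    "cf-turnstile-response",
)

# A password input anywhere in the HTML means a credential form was delivered.
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)


def classify_fetch(status: int, headers: dict, body: str) -> str:
    """Return one of: cf_challenge, credential_form, turnstile_gated, no_form."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}

    # Cloudflare managed challenge: the edge blocked us before any page content.
    # (The cf-mitigated header is documented by Cloudflare; assumed stable here.)
    if hdrs.get("cf-mitigated") == "challenge":
        return "cf_challenge"

    # If a password form is present, the phishing content was actually served,
    # regardless of whether a Turnstile widget also sits on the page.
    if PASSWORD_FIELD.search(body):
        return "credential_form"

    # Turnstile present but no form: the scanner stopped at the CAPTCHA gate.
    if any(marker in body for marker in TURNSTILE_MARKERS):
        return "turnstile_gated"

    return "no_form"


# Constructed sample fetches (status, headers, body) for the demo.
SAMPLE_FETCHES = {
    "managed_challenge": (
        403,
        {"Server": "cloudflare", "CF-Mitigated": "challenge"},
        "<html><body>Just a moment...</body></html>",
    ),
    "turnstile_gate": (
        200,
        {"Content-Type": "text/html"},
        '<html><head><script src="https://challenges.cloudflare.com/turnstile/v0/api.js" '
        'async defer></script></head><body>'
        '<div class="cf-turnstile" data-sitekey="0x4AAAAAAA-example"></div>'
        "</body></html>",
    ),
    "login_form": (
        200,
        {"Content-Type": "text/html"},
        '<html><body><form method="post" action="/login">'
        '<input name="loginfmt" type="email">'
        '<input name="passwd" type="password"><button>Sign in</button>'
        "</form></body></html>",
    ),
    "plain_page": (
        200,
        {"Content-Type": "text/html"},
        "<html><body><p>Nothing to see here.</p></body></html>",
    ),
}


def triage_samples() -> dict:
    """Run the classifier over every constructed sample; name -> verdict."""
    return {name: classify_fetch(*fetch) for name, fetch in SAMPLE_FETCHES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:18} -> {verdict}")
```

A verdict of `cf_challenge` or `turnstile_gated` means the scanner never reached the phishing page, so a "clean" result from automated detonation is not evidence that the link is benign; it should be queued for manual review or refetched from a residential-looking vantage point. Note the limit of content inspection: bot detection running in a Workers script can also serve an entirely different, harmless page to anything it flags as automation, and nothing in the response body will reveal that substitution.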

According to Microsoft, “Using RaccoonO365’s services, customers can input up to 9,000 target email addresses per day and circumvent multi-factor authentication protections, stealing user credentials for persistent access to victims’ systems.” The group has recently started offering a new AI-powered service called RaccoonO365 AI-MailCheck, designed to enhance its operational scale and attack effectiveness.

To read the complete article, see The Hacker News.

This post is licensed under CC BY 4.0 by the author.