Microsoft’s Digital Crimes Unit (DCU) has disrupted , the fastest-growing software utilized by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Utilizing a court docket order granted by the Southern District of New York, the DCU seized 338 web sites related to the favored service, disrupting the operation’s technical infrastructure and slicing off criminals’ entry to victims. This case reveals that cybercriminals don’t must be subtle to trigger widespread hurt—easy instruments like RaccoonO365 make cybercrime accessible to nearly anybody, placing tens of millions of customers in danger.
RaccoonO365, tracked by Microsoft as Storm-2246, provides subscription-based phishing kits. These let anybody—even these with little technical talent—steal Microsoft credentials by mimicking official Microsoft communications. To deceive customers, RaccoonO365’s kits use Microsoft branding to make fraudulent emails, attachments, and web sites seem authentic, engaging recipients to open, click on, and enter their info.
Since July 2024, RaccoonO365’s kits have been used to steal at the least 5,000 Microsoft credentials from 94 nations. Whereas not all stolen info ends in compromised networks or fraud because of the number of security measures employed to remediate threats, these numbers underscore the dimensions of the risk and the way social engineering stays a go –to tactic for cybercriminals. Extra broadly, the speedy improvement, advertising and marketing, and accessibility of companies like RaccoonO365 point out that we’re coming into a troubling new part of cybercrime the place scams and threats are prone to multiply exponentially.
Whereas RaccoonO365 companies are used to focus on all industries, as evidenced by an in depth tax-themed phishing marketing campaign focusing on over 2,300 organizations in the US, most alarmingly, its kits have been used in opposition to at the least 20 U.S. healthcare organizations. This places public security in danger, as , which have extreme penalties for hospitals. In these assaults, affected person companies are delayed, crucial care is postponed or canceled, lab outcomes are compromised, and delicate information is breached, inflicting main monetary losses and immediately impacting sufferers. These extreme penalties are a key cause why the DCU is submitting this lawsuit in partnership with Well being-ISAC—a world non-profit centered on cybersecurity and risk intelligence for the well being sector.
RaccoonO365’s speedy evolution and unmasking its chief
In simply over a yr, RaccoonO365 has swiftly advanced, rolling out common upgrades to satisfy rising demand. This speedy progress underscores why taking authorized motion now could be essential to stopping RaccoonO365’s actions. Utilizing RaccoonO365’s companies, clients can enter as much as 9,000 goal e-mail addresses per day and make use of subtle methods to avoid multi-factor authentication protections to steal consumer credentials and acquire persistent entry to victims’ programs. Most lately, the group began promoting a brand new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and enhance the sophistication—and effectiveness—of assaults.
RaccoonO365 login web page.
The totally different subscription companies RacoonO365 advertises and gives.
RaccoonO365 promoting of a brand new AI-enabled service.
As a part of its investigation, the DCU’ additionally recognized the chief of the prison enterprise: Joshua Ogundipe, a person primarily based in Nigeria. Ogundipe and his associates marketed and bought their companies on Telegram to a rising buyer base. As of this submitting, they’ve over 850 members on Telegram and have obtained at the least US$100,000 in cryptocurrency funds. We estimate that this quantity displays roughly 100-200 subscriptions, which is probably going an underestimate of the entire subscriptions bought. Importantly, the subscriptions will not be single -use, that means {that a} single RaccoonO365 subscription permits a prison to ship 1000’s of phishing emails a day—including as much as doubtlessly a whole bunch of tens of millions of malicious emails a yr despatched by means of this platform.
Joshua Ogundipe’s LinkedIn web page.
Ogundipe and his associates every have specialised roles inside the cybercriminal group, and collectively they develop, and promote the service, whereas offering buyer assist to assist different cybercriminals steal info from Microsoft customers. To masks their prison enterprise and evade detection, they registered Web domains utilizing fictitious names and bodily addresses which might be purportedly situated in a number of cities and nations. Based mostly on Microsoft’s evaluation, Ogundipe has a background in pc programming and is believed to have authored the vast majority of the code. An operational safety lapse by the risk actors by which they inadvertently revealed a secret cryptocurrency pockets helped the DCU’s attribution and understanding of their operations. A prison referral for Ogundipe has been despatched to worldwide regulation enforcement.
Confronting a world cybercrime ecosystem
RaccoonO365 is a case examine in a broader development: cybercrime is international, scalable, and accessible to anybody, no matter technical talent. To counter RaccoonO365, we acted swiftly to guard our clients and forestall additional hurt. However criminals always evolve, so Microsoft is evolving too. As an illustration, we’re integrating blockchain evaluation instruments like Chainalysis Reactor into our investigations. These assist us hint criminals’ cryptocurrency transactions, linking on-line exercise to actual identities for stronger proof.
In authorized instances, we additionally collaborate with safety corporations like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we minimize off the actor’s income streams, sow mistrust amongst their would-be clients, and ship a transparent sign that Microsoft and its companions will stay persistent in going after those that goal our programs. Importantly, submitting a lawsuit is simply the beginning. We at all times count on actors to attempt to rebuild their operations. Which means the DCU will proceed to take extra authorized steps within the case to dismantle any new or reemerging infrastructure.
Even so, authorized challenges persist—particularly in locations the place prosecuting cybercriminals is troublesome. Right now’s patchwork of worldwide legal guidelines stays a significant impediment and cybercriminals exploit these gaps. Governments should work collectively to align their cybercrime legal guidelines, velocity up cross-border prosecutions, and shut the loopholes that allow criminals function with impunity. The worldwide neighborhood also needs to assist nations which might be working to strengthen their defenses, whereas holding accountable people who flip a blind eye to cybercrime. Whereas we press ahead within the courts, organizations and people also needs to proceed to bolster their defenses. Which means enabling sturdy multi-factor authentication on accounts, utilizing up-to-date anti-phishing and safety instruments, and educating customers to remain vigilant in opposition to evolving scams.
Lastly, this operation reveals what’s attainable when totally different sectors cooperate—from tech corporations to safety companies to non-profits—every bringing distinctive experience to disrupt prison networks. By uniting the strengths of trade, civil society, and governments, we are able to make a higher impression on your entire cybercriminal ecosystem. Microsoft stays dedicated to working with others—throughout borders and sectors—to fight this ever-evolving risk and assist construct a safer digital world.
