Cybersecurity

Inside the takedown of RaccoonO365: How Phishing-as-a-Service fuels ransomware’s engine

A behind-the-scenes view of Microsoft’s Digital Crimes Unit in action.

An illustration of silhouetted investigators shining flashlights toward an underground maze where raccoons sit among Bitcoins, computer code, and login credentials.




Operators like RaccoonO365 enable the scaling of other actors who want to deploy ransomware and a slew of follow-on criminal activities.

Sean Farrell, Assistant General Counsel, Microsoft Digital Crimes Unit

Picture this: It’s Monday morning. You log on to a full email inbox. One message is from Microsoft, with information about a software update. The logo and layout are professional; the grammar is perfect. But you’ve done your organization’s cybersecurity training, so you check the domain it was sent from: microsoft.com. So far, so good.

You click the link, land on a CAPTCHA page, and select all the squares containing motorcycles to prove you’re human—only to land on yet another CAPTCHA. Certainly a scam wouldn’t have this much security, right? After the second test, you get to a Microsoft login page and type in your username and password.

You’ve just become one of more than 5,000 Microsoft customers across 94 countries whose login credentials were stolen by cybercriminals using the phishing tool RaccoonO365.

That domain? Look closer: it wasn’t microsoft.com but rnicrosoft.com, with the lowercase M replaced by RN—a “homoglyph” that’s tough to detect at a glance. And the CAPTCHAs? They were not only designed to trick you into trusting the sender, but they were also screening out automated phishing detection software.
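One defensive counterpart to the homoglyph trick described above is a lookalike check on the sender domain before a message reaches the inbox. The Python below is an added example, not code from the article or from Microsoft; it assumes a constructed list of protected brand domains (PROTECTED_DOMAINS), a small table of confusable sequences (the "rn" for "m" swap the article names, plus a few common single-character swaps added here), and a simplified "last two labels" notion of the registrable domain. It goes a step beyond the article's single case by also catching lookalikes buried in a subdomain and by pairing the domain verdict with a display-name check. The sample From: headers are constructed for illustration.

```python
"""Lookalike sender-domain check (added example, not from the article)."""
from email.utils import parseaddr

# Brand domains to protect. Constructed list for this example; a real
# deployment would load it from configuration.
PROTECTED_DOMAINS = {"microsoft.com", "office.com"}

# Letter pairs that read as a single letter at a glance. "rn" -> "m" is the
# swap behind rnicrosoft.com; "vv" -> "w" is an assumed extra of the same kind.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}

# Single characters commonly swapped for a lookalike (assumed table).
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})


def registrable(domain: str) -> str:
    """Return the last two labels of a host name.

    Simplification: no public suffix list, so co.uk-style suffixes are not
    handled. Good enough to show the technique; not production-grade.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Fold confusable sequences to a canonical spelling so that a lookalike
    collapses onto the domain it imitates."""
    s = name.lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return s.translate(SINGLE_CONFUSABLES)


def classify_domain(domain: str) -> str:
    """'exact' for a protected domain or one of its subdomains, 'lookalike'
    when the confusable-folded form collides with a protected domain,
    otherwise 'unrelated'."""
    reg = registrable(domain)
    if reg in PROTECTED_DOMAINS:
        return "exact"
    folded = skeleton(reg)
    if any(folded == skeleton(brand) for brand in PROTECTED_DOMAINS):
        return "lookalike"
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Extract the domain part of an RFC 5322 From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


def triage(from_header: str) -> dict:
    """Combine the domain verdict with a display-name check: a brand name in
    the display name paired with a non-brand domain deserves a second look."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    verdict = classify_domain(domain)
    brand_names = {b.split(".")[0] for b in PROTECTED_DOMAINS}
    brand_in_display = any(b in display.lower() for b in brand_names)
    flag = verdict == "lookalike" or (brand_in_display and verdict != "exact")
    return {"domain": domain, "verdict": verdict,
            "brand_in_display_name": brand_in_display, "flag": flag}


# Constructed sample headers for the demo; none of these are real senders.
SAMPLE_FROM_HEADERS = [
    "Microsoft Updates <updates@rnicrosoft.com>",
    "Microsoft Account Team <no-reply@microsoft.com>",
    "Office Support <help@login.microsoft.com.rnicros0ft.com>",
    "Microsoft Billing <billing@example.org>",
    "IT Helpdesk <it@example.org>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        r = triage(hdr)
        mark = "FLAG" if r["flag"] else " ok "
        print(f"{mark} {r['verdict']:<10} {r['domain']:<36} {hdr}")
```

Folding both the candidate and the protected domain through the same skeleton is what makes the comparison symmetric; it also means the check is a heuristic with false positives (any legitimate domain whose folded form happens to match a brand), so its output belongs in a review queue or a banner, alongside SPF, DKIM and DMARC results, rather than in an outright block.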

RaccoonO365 is an underground “phishing-as-a-service” business, part of the burgeoning cybercrime-as-a-service (CaaS) economy in which cybercriminals sell or rent tools and services that enable people to launch sophisticated cyberattacks like ransomware without technical skills or expertise. Thanks to prepackaged services like RaccoonO365, the CaaS ecosystem makes cybercrime cheaper and easier for malicious actors of all kinds, from opportunists looking for quick cash to nation-state actors seeking political influence.

“It’s the fast-food franchise version of cybercrime,” says Sean Farrell, assistant general counsel for the Digital Crimes Unit (DCU), Microsoft’s team dedicated to fighting cybercrime. RaccoonO365 was the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords—until the DCU disrupted their operations in September 2025.

RaccoonO365 sold subscription-based phishing kits that included fraudulent email copy, Microsoft-branded web templates to trick users into providing their credentials, and a tool that enabled subscribers to input up to 9,000 email addresses per day, far more than a legitimate email server would allow. RaccoonO365 was sold on the chat platform Telegram, where its group had over 850 members. The service racked up at least $100,000 in cryptocurrency payments, which reflects an estimated 100–200 subscriptions. Over the course of a year, hundreds of millions of phishing emails went out through RaccoonO365’s service.

Why it matters: Phishing and ransomware

In a world of deepfakes and disinformation campaigns, email phishing might seem old-school, even benign. But in the CaaS ecosystem, stolen user credentials are the foundation for every type of cybercrime imaginable.

“The general public may not fully appreciate how operators like RaccoonO365 enable the scaling of other actors who want to deploy ransomware and a slew of follow-on criminal activities,” Farrell says. “Initial access enables you to do the worst things you can do on a victim network.”

Ransomware is one of the most common and detrimental uses of stolen credentials. Phish kits like RaccoonO365 enable ransomware actors to bypass multifactor authentication (MFA) and launch devastating attacks with little or no technological acumen, just a fee paid in cryptocurrency to vendors known in the CaaS world as “access brokers.”

According to the 2025 Microsoft Digital Defense Report (MDDR), cybercriminals deployed 120 ransomware variants against 71 industries in 2025. While ransomware can be used by nation-state actors for espionage purposes, most ransomware actors are after the money—encrypting victims’ data and demanding a fee to decrypt it.

For that reason, ransomware operators often target organizations that have sensitive data and tight cybersecurity budgets, with limited abilities to respond to cyberattacks. One of the most common targets is healthcare: The MDDR notes that there were 376 ransomware attacks on healthcare organizations in 2025. The consequences can be catastrophic, delaying critical care and services for patients, compromising lab results, leaking sensitive data, and costing organizations millions of dollars.

Many of these attacks can be traced back to simple phishing, often relying on social engineering to take advantage of human error. “Phishing is the initial entry vector for a lot of harm that’s done in the healthcare industry,” Farrell says. In the case of RaccoonO365, threat actors used the service to target more than 20 US-based healthcare companies.

Microsoft’s Digital Crimes Unit takes the case

In July 2024, RaccoonO365 hit the radar of Microsoft’s Threat Intelligence. The team saw an alarming rise in Microsoft customers being tricked into giving away their access information, and they were shocked to discover that one group of malicious actors was responsible for thousands of stolen credentials.

That’s when they turned to their partners at DCU. “They came to us and said, ‘Hey, this is a huge problem. Is there anything you can do to help?’” says Jason Lyons, DCU’s senior investigations manager.

DCU has pioneered a unique approach to fighting cyber threats: leveraging existing laws—often laws created for entirely different purposes—in novel ways to combat cybercrime. This includes the US Racketeer Influenced and Corrupt Organizations Act (RICO), which was designed to fight organized crime, as well as laws used in divorce proceedings and the misuse of leased property. DCU’s innovative legal strategy, which the group has been developing since 2008, has proved to be an effective way to stop the most dangerous criminal activity from harming victims. The group has carried out more than 30 operations since 2010 to disrupt cybercriminals, nation-state threat actors, and malware distributors.

“We only take the biggest, baddest cases,” Lyons says. “We have an FBI liaison, a Homeland Security agent, and a Secret Service agent assigned to us. If we need to jump on a big case quickly, we can.”

With RaccoonO365, Lyons knew speed was imperative. “The longer you let these phishing-as-a-service networks operate, the more harm they can do,” he says. And the legal approach was clear from the start: RaccoonO365’s use of Microsoft’s name, logo, and brand was a violation of intellectual property rights. DCU’s lawyers could file a civil suit, asking a court to take down web domains and mail servers that infringed on Microsoft’s copyright. It’s a tactic DCU’s lawyers use frequently, but before they could employ it to take down RaccoonO365, investigators had to find the domains and servers the group was using.

So the team went undercover, posing as customers shopping for phishing kits on Telegram. RaccoonO365 wasn’t hard to find—the group’s sophisticated marketing efforts included branded advertisements, packaged deals, discounts, and a help desk ready to answer questions. Lyons and his team bought a kit for about $400 in bitcoin and began to figure out what, exactly, they were dealing with.

How it worked

Microsoft’s investigators used their kit to phish themselves to understand how the service operated. They determined that RaccoonO365 wasn’t taking advantage of any security vulnerabilities in Microsoft’s tech. It was relying on social engineering, tricking people into thinking that they were interacting with Microsoft products and services.

“Unfortunately, the number one issue in cybersecurity still tends to be the human element,” Farrell says—and he notes that AI is making social engineering much more effective. “Think back to the Nigerian prince emails you used to get years ago,” he says. “You knew they weren’t real. They didn’t make any sense. Today, actors can use AI to fine-tune their messages to make them more effective and convincing.” AI is also useful in generating those “homoglyph domains” that closely resemble legitimate URLs.

By using their kit to phish themselves, Lyons and his team learned exactly what RaccoonO365 did when a victim fell for the trap, including how the cybercriminals logged in to access stolen credentials and what IP addresses they logged in from. “These guys were being super cocky,” Lyons says. They weren’t careful to cover their tracks, which allowed the investigators to home in.

They found that RaccoonO365 was using Cloudflare—a legitimate security service—to mask its real IP addresses. Microsoft’s investigators frequently partner with other private companies, especially security companies. Working with Cloudflare, the team was able to track down the key domain RaccoonO365 was using to host its operations on a server located in Germany. Additionally, they identified hundreds of domains that were used by RaccoonO365’s customers.

Finally, the investigators followed the money. Using blockchain analysis tools, they were able to trace their $400 bitcoin payment through a series of transfers until it landed in a crypto exchange in Nigeria. They conducted several additional test purchases using different cryptocurrencies and were able to trace them to additional exchanges.

The takedown

All the pieces of the puzzle had finally come together: Intellectual property infringement gave DCU investigators legal justification for taking down websites using RaccoonO365, and now, thanks to their partnership with Cloudflare, they had more than 300 websites to target. The DCU’s legal team filed a civil suit along with a co-plaintiff, the Health Information Sharing and Analysis Center (H-ISAC), a nonprofit representing the healthcare providers that were victims of RaccoonO365 attacks. The Southern District of New York granted a court order allowing DCU to seize all 338 domains, effectively cutting off RaccoonO365 from its victims.

Additionally, DCU now knew that whoever was behind the service was holding their crypto payments in Nigeria. Another slip-up by the criminals soon allowed investigators to identify related crypto exchanges and wallets, and eventually led to DCU identifying at least $100,000 in cryptocurrency payments.

It was time to tap into DCU’s broad network of international partnerships. “As a private company, we’re limited to civil actions,” Farrell says. “We can’t arrest people. Even if we seize their assets or take down their infrastructure, they’re still out there. Collaboration with international law enforcement and our partners around the world is essential.”

Working with the US Secret Service and Microsoft’s government affairs teams in Africa, DCU brought the case to Nigerian police. As of publication, local law enforcement has made multiple arrests, including Joshua Ogundipe (whom the DCU named as a defendant in its legal filings) and the suspected ringleader behind RaccoonO365, Okitipi Samuel.

The collaboration with Nigerian police on these arrests marks an important change for international cybersecurity policy. Today, countries that deliberately ignore cybercriminal activity are known as “safe haven” states, and they’re home to some of the world’s most dangerous and prolific ransomware groups.

“Safe havens are the Achilles’ heel of global cybersecurity,” says Kaja Ciglic, senior director of cybersecurity policy and diplomacy at Microsoft. When ransomware groups are allowed to operate with impunity, they can easily launder profits and reinvest in ever-more sophisticated tools—including AI-driven phishing tools like RaccoonO365. “It is fantastic to see that countries such as Nigeria have taken tremendous strides to hold bad actors accountable and become a trusted global partner in protecting the digital ecosystem,” Ciglic says. “Others should follow their example.”

Farrell, a former cyber legal advisor with the FBI, says working closely with partners around the world in both the public and private sectors to improve global cybersecurity is “essential to Microsoft’s role in the marketplace.” Farrell points out that the RaccoonO365 actors weren’t just targeting Microsoft customers—the group “had downstream impacts on a host of providers and other actors that we’re going after,” he says. “Because our services are used so broadly around the world, we might have legal standing where other companies do not.” Since 2014, DCU has seized more than 9,000 malicious domains and contributed to nearly 800 arrests.

“This is a very impactful job,” Lyons adds. “I’ve gotten to do a lot of different things in my life—including counterintelligence in the Army—but with my role at DCU, I help millions of people behind the scenes. And often, they don’t even know it.”
