Microsoft and Cloudflare jointly take down phishing network that stole thousands of Microsoft 365 credentials
By Wayne Williams
Copyright techradar
17 September 2025
RaccoonO365 sold phishing kits that copied Microsoft emails, attachments, and websites
Microsoft and Cloudflare disrupt phishing service stealing Microsoft 365 credentials
RaccoonO365 kits used CAPTCHA screens and fake Microsoft logins
Revenue from the criminal operation estimated to be at least $100,000
Working together, Microsoft’s Digital Crimes Unit and Cloudflare say they have successfully disrupted a phishing service that helped criminals steal thousands of Microsoft 365 usernames and passwords.
Tracked by Microsoft as Storm-2246, RaccoonO365 sold subscription kits that mimicked official Microsoft messages and login pages.
From July 2024, these kits helped criminals steal an estimated 5,000 or more sets of credentials from victims across 94 countries.
Securing court order
Microsoft identified the group’s leader as Joshua Ogundipe, based in Nigeria, and said the service was marketed on Telegram with hundreds of subscribers.
Microsoft’s Digital Crimes Unit said it seized 338 websites used by the group after securing a court order from the Southern District of New York.
“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm – simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk,” the company warned.
Cloudflare said its Cloudforce One and Trust and Safety teams worked with Microsoft to dismantle the infrastructure that supported the service.
According to Cloudflare, the phishing kits used a simple CAPTCHA screen and anti-bot measures to appear legitimate, before redirecting victims to fake Microsoft login pages.
Once credentials were entered, attackers could also bypass multi-factor authentication and steal session cookies.
Cloudflare disabled Worker accounts and placed warning pages in front of malicious domains to cut off access.
The phishing service operated on a tiered pricing model: subscriptions to the “RaccoonO365 Suite” cost $355 for 30 days or $999 for 90 days, and payments were accepted only in cryptocurrency.
Microsoft said the operation had already generated at least $100,000 in revenue, although the true number is likely higher.
Both companies described the action as part of a broader effort to disrupt phishing-as-a-service platforms.
“Our response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption,” Cloudflare said, adding, “we aim to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.”
Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.