Cloudflare and Microsoft Disrupt Global Phishing-as-a-Service Network RaccoonO365 Targeting Microsoft 365 Users

Cloudflare, in collaboration with Microsoft, has successfully dismantled RaccoonO365, a Phishing-as-a-Service (PhaaS) criminal enterprise that targeted Microsoft 365 accounts worldwide. The joint operation involved Cloudflare’s Cloudforce One and Trust & Safety teams, alongside Microsoft’s legal action, to take down the infrastructure used by the group.

How RaccoonO365 Attacked Microsoft 365 Users
RaccoonO365 specialized in credential harvesting phishing kits designed to steal sensitive Microsoft 365 login details. These kits used deceptive tactics such as CAPTCHA pages and anti-bot detection methods to appear legitimate. Stolen data often included emails, OneDrive files, SharePoint content, and account cookies, which could be exploited for financial fraud, ransomware attacks, or extortion.

Since July 2024, RaccoonO365 has stolen over 5,000 Microsoft credentials across 94 countries, with phishing emails often containing malicious links or QR codes redirecting victims to fake Microsoft login pages.

Cloudflare and Microsoft’s Coordinated Takedown
In September 2025, Cloudflare executed a large-scale takedown of hundreds of domains and Worker accounts linked to RaccoonO365. Unlike traditional single-domain takedowns, this proactive disruption strategy significantly increased the group’s operational costs and sent a strong deterrent message to cybercriminals. This move complemented Microsoft’s civil lawsuit filed in August, targeting the actors behind the phishing service.

Inside the RaccoonO365 Criminal Operation
RaccoonO365 operated as a subscription-based PhaaS model, accessible via a private Telegram channel with over 845 members as of August 2025.
It offered subscription tiers such as a 30-day plan for $355 and a 90-day plan for $999, payable only in cryptocurrencies (USDT, Bitcoin, Polygon).
It was marketed as a “bulletproof VPS” service with “zero backdoors” to assure anonymity for cybercriminals.
Its tools included MFA bypass and other advanced phishing techniques.

Microsoft identified the group’s leader as Joshua Ogundipe in Nigeria, with evidence suggesting collaboration with Russian-speaking cybercriminals.

This joint action highlights the growing cybersecurity collaboration between major tech companies to combat the rising threat of Phishing-as-a-Service platforms. By dismantling RaccoonO365’s infrastructure, Cloudflare and Microsoft are not only protecting Microsoft 365 users globally but also making the PhaaS business model less sustainable for cybercriminals.
