Today's Bulletin: September 17, 2025


Microsoft Disrupts RaccoonO365, Seizes 338 Phishing Websites

September 17, 2025


Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims. This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.

RaccoonO365, tracked by Microsoft as Storm-2246, offers subscription-based phishing kits. These let anyone—even those with little technical skill—steal Microsoft credentials by mimicking official Microsoft communications. To deceive users, RaccoonO365’s kits use Microsoft branding to make fraudulent emails, attachments, and websites appear legitimate, enticing recipients to open, click, and enter their information.

Since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cybercriminals. More broadly, the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially.

While RaccoonO365 services are used to target all industries, as evidenced by an extensive tax-themed phishing campaign targeting over 2,300 organizations in the United States, most alarmingly, its kits have been used against at least 20 U.S. healthcare organizations. This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals. In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients. These severe consequences are a key reason why the DCU is filing this lawsuit in partnership with Health-ISAC—a global non-profit focused on cybersecurity and threat intelligence for the health sector.


RaccoonO365’s rapid evolution and unmasking its leader

In just over a year, RaccoonO365 has swiftly evolved, rolling out regular upgrades to meet rising demand. This rapid growth underscores why taking legal action now is crucial to stopping RaccoonO365’s activities. Using RaccoonO365’s services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims’ systems. Most recently, the group started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication—and effectiveness—of attacks.
