In a major blow to cybercriminals, Microsoft’s Digital Crimes Unit (DCU) recently teamed up with Cloudflare to seize 338 domains used by the financially motivated threat group RaccoonO365. This group operated a phishing-as-a-service (Phaas) toolkit that stole more than 5,000 Microsoft 365 credentials from 94 countries since July 2024. The DCU, armed with a court order from the Southern District of New York, effectively shut down the operation’s technical infrastructure, cutting off criminals from their victims. According to Steven Masada, assistant general counsel at the DCU, this case proves that even simple tools can cause widespread harm, making cybercrime accessible to virtually anyone and putting millions of users at risk.
The takedown began on September 2, 2025, with additional actions over the following days and was completed on September 8. During this time, all identified domains were banned, a “phish warning” page was placed in front of them, associated scripts were terminated, and user accounts were suspended. The service, which Microsoft tracks as Storm-2246, was marketed to other cybercriminals under a subscription model. This allowed them to launch large-scale phishing and credential-harvesting attacks without needing technical expertise. A 30-day plan cost $355, while a 90-day plan was priced at $999.
The operators of RaccoonO365 claimed their tool was hosted on “bulletproof virtual private servers with no hidden backdoors,” unlike other services. They also claimed the service was “built for serious players only — no low-budget freeloaders.” The phishing campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimicked well-known brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails. The goal was to trick people into clicking on fake websites designed to capture their Microsoft 365 usernames and passwords. These phishing emails often served as an initial step toward more serious attacks involving malware and ransomware.
From a cybersecurity perspective, one of the most concerning aspects of RaccoonO365 was its use of legitimate services to protect its malicious pages. The service used Cloudflare Turnstile for CAPTCHA functionality and a Cloudflare Workers script for bot and automation detection. This ensured that only the intended victims of the attacks could access and interact with the phishing pages, making the campaigns harder for security researchers to study and disrupt.
This collaborative takedown is a significant success in the fight against cybercrime. By disrupting the infrastructure of a widely used Phaas toolkit, Microsoft and Cloudflare have prevented countless future attacks and protected thousands of users from having their personal information stolen. The operation highlights the ongoing threat posed by such services, which lower the barrier to entry for cybercriminals and make sophisticated attacks more accessible to those with little technical skill.
Reference:
