Microsoft Shuts Down RaccoonO365 Phishing Network Led by Nigerian National Joshua Ogundipe

Microsoft’s Digital Crimes Unit (DCU) has taken down RaccoonO365, a subscription-based phishing service responsible for stealing thousands of Microsoft 365 credentials worldwide. It was operated by Joshua Ogundipe, a Nigerian.

RaccoonO365 was used to steal Microsoft 365 usernames and passwords. The operation relied on 338 websites used to send phishing emails to unsuspecting users.

How RaccoonO365 Works

RaccoonO365 offers subscription-based phishing kits sold via Telegram. These kits mimic Microsoft branding to make fake emails, attachments, and login pages look legitimate. As a result, they trick victims into handing over their credentials.

Since July 2024, the kits have been used to steal at least 5,000 Microsoft credentials in 94 countries. This includes attacks against at least 20 U.S. healthcare organisations.

Such phishing campaigns often precede malware or ransomware intrusions that delay patient care, cancel critical procedures, compromise lab results, and expose sensitive health data. The service has also powered a tax-themed phishing campaign targeting 2,300 U.S. organizations.

Nigerian Kingpin

Microsoft identified Joshua Ogundipe, a Nigeria-based programmer, as the leader of the operation. Ogundipe and his associates are said to have marketed RaccoonO365 through Telegram. There, they built a base of over 850 members and collected at least $100,000 in cryptocurrency payments.

Subscriptions were not single-use: a single license enabled criminals to send thousands of phishing emails per day, scaling to hundreds of millions annually. Most recently, the group began promoting an AI-powered service called RaccoonO365 AI-MailCheck, designed to make attacks more sophisticated and difficult to detect.

Ogundipe’s network seemingly divided responsibilities among members. They handled coding, sales, and customer support for cybercriminal clients. To hide their activities, they registered domains under fake names and addresses in multiple countries.

Microsoft linked the group to a cryptocurrency wallet accidentally exposed by the actors, a lapse that allowed investigators to attribute the operation. Microsoft said it has referred Ogundipe to international law enforcement for further action.