Thursday, September 18, 2025

Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service

Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims. This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm. Easy-to-use tools like RaccoonO365 make cybercrime accessible to almost anyone, putting millions of users at risk.

RaccoonO365, tracked by Microsoft as Storm-2246, offers subscription-based phishing kits. These let anyone—even those with little technical skill—steal Microsoft credentials by mimicking official Microsoft communications. To deceive users, RaccoonO365’s kits use Microsoft branding to make fraudulent emails, attachments, and websites appear legitimate, enticing recipients to open, click, and enter their information.

Since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. While not all stolen information results in compromised networks or fraud, because of the variety of security measures employed to remediate threats, these numbers underscore the scale of the threat and show that social engineering remains a go-to tactic for cybercriminals. More broadly, the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime in which scams and threats are likely to multiply exponentially.

While RaccoonO365 services are used to target all industries, as evidenced by an extensive tax-themed phishing campaign targeting over 2,300 organizations in the United States, most alarmingly, its kits have been used against at least 20 U.S. healthcare organizations. This puts public safety at risk, as , which have severe consequences for hospitals. In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients. These severe consequences are a key reason why the DCU is filing this lawsuit in partnership with Health-ISAC, a global non-profit focused on cybersecurity and threat intelligence for the health sector.

RaccoonO365’s rapid evolution and unmasking its leader

In just over a year, RaccoonO365 has evolved swiftly, rolling out regular upgrades to meet growing demand. This rapid growth underscores why taking legal action now is critical to stopping RaccoonO365’s activities. Using RaccoonO365’s services, customers can enter up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections, steal user credentials, and gain persistent access to victims’ systems. Most recently, the group began advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication—and effectiveness—of attacks.

RaccoonO365 login page.
The different subscription services RaccoonO365 advertises and provides.
RaccoonO365 advertising a new AI-enabled service.

As part of its investigation, the DCU also identified the leader of the criminal enterprise: Joshua Ogundipe, an individual based in Nigeria. Ogundipe and his associates marketed and sold their services on Telegram to a growing customer base. As of this filing, they have over 850 members on Telegram and have received at least US$100,000 in cryptocurrency payments. We estimate that this amount reflects roughly 100-200 subscriptions, which is likely an underestimate of the total subscriptions sold. Importantly, the subscriptions are not single-use, meaning that a single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day, adding up to potentially hundreds of millions of malicious emails a year sent through this platform.

Joshua Ogundipe’s LinkedIn page.

Ogundipe and his associates each have specialized roles within the cybercriminal group, and together they develop and promote the service, while offering customer support to help other cybercriminals steal information from Microsoft users. To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses purportedly located in multiple cities and countries. Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code. An operational security lapse by the threat actors, in which they inadvertently revealed a secret cryptocurrency wallet, helped the DCU’s attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement.

Confronting a global cybercrime ecosystem

RaccoonO365 is a case study in a broader trend: cybercrime is global, scalable, and accessible to anyone, regardless of technical skill. To counter RaccoonO365, we acted swiftly to protect our customers and prevent further harm. But criminals constantly evolve, so Microsoft is evolving too. For example, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations. These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence.

In legal cases, we also collaborate with security companies like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we cut off the actor’s revenue streams, sow distrust among their would-be customers, and send a clear signal that Microsoft and its partners will remain persistent in going after those who target our systems. Importantly, filing a lawsuit is just the beginning. We always expect actors to try to rebuild their operations. That means the DCU will continue to take additional legal steps in the case to dismantle any new or reemerging infrastructure.

Even so, legal challenges persist—especially in places where prosecuting cybercriminals is difficult. Today’s patchwork of international laws remains a major obstacle, and cybercriminals exploit these gaps. Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity. The international community should also support countries that are working to strengthen their defenses, while holding accountable those that turn a blind eye to cybercrime. While we press forward in the courts, organizations and individuals should also continue to bolster their defenses. That means enabling strong multi-factor authentication on accounts, using up-to-date anti-phishing and security tools, and educating users to stay vigilant against evolving scams.

Finally, this operation shows what is possible when different sectors cooperate—from tech companies to security firms to non-profits—each bringing unique expertise to disrupt criminal networks. By uniting the strengths of industry, civil society, and governments, we can make a greater impact on the entire cybercriminal ecosystem. Microsoft remains committed to working with others—across borders and sectors—to combat this ever-evolving threat and help build a safer digital world.
