DUBAI, UAE, 17th September, 2025: In partnership with Microsoft, Cloudflare’s Cloudforce One and Trust and Safety teams successfully disrupted the Phishing-as-a-Service (PhaaS) criminal enterprise known as RaccoonO365.
The RaccoonO365 group abused Cloudflare services and other infrastructure providers to try to prevent detection of their phishing kits. The campaign’s primary attack vector was phishing kits designed to steal Microsoft 365 credentials. The kits used a simple CAPTCHA page and anti-bot techniques to evade analysis and appear legitimate to victims. The actor’s ultimate goal was to provide subscribers with stolen credentials, cookies, and data from victim accounts (including OneDrive, SharePoint, and email), which could then enable financial fraud, extortion, or serve as initial access for larger attacks.
In early September 2025, in a strategic effort to prevent this phishing abuse on our services, Cloudflare executed a coordinated takedown of hundreds of domains and Worker accounts associated with the actor, effectively dismantling their infrastructure on our network. This action was taken in coordination with Microsoft’s broader efforts through a civil lawsuit filed in late August. Cloudflare’s response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption aimed at dismantling the actor’s operational infrastructure on our platform. By taking coordinated action in early September 2025, the company aims to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.
What is RaccoonO365?
RaccoonO365 is a financially motivated criminal enterprise operating a PhaaS model designed to broadly target Microsoft 365 users, enabling subscribers to launch their own credential harvesting campaigns. According to Microsoft, since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. The email messages sent to victims typically have an attachment with a link or QR Code. The malicious link leads to a page with a simple CAPTCHA. Once the CAPTCHA is solved, the user is redirected to a fake Microsoft O365 login page designed to harvest credentials. If successful, this activity is often a precursor to malware or ransomware infection.
The group sells subscriptions to its “RaccoonO365 Suite” via a private Telegram channel, which as of August 25th, 2025 had 845 members. The platform operates on a tiered pricing model with offerings structured to appeal to a range of criminals, from short-term testers to those running continuous campaigns. Plans are sold in various durations, such as a 30-day plan for $355 and a 90-day plan for $999. The service exclusively accepts cryptocurrencies, including USDT (TRC20, BEP20, Polygon) and Bitcoin (BTC).
RaccoonO365 markets their service with claims of being a fully managed operation hosted on a “bulletproof VPS” with “zero backdoors” and “zero tracking” to assure their criminal clientele of the service’s security and anonymity. They exemplify the PhaaS model by offering a comprehensive suite of tools and services that lower the barrier to entry for cybercriminals aiming to execute sophisticated phishing campaigns, including the ability to bypass multi-factor authentication (MFA).
Microsoft identified the group’s leader as Joshua Ogundipe, who is based in Nigeria, while evidence like the use of Russian in a Telegram bot’s name suggests the group also collaborated with Russian-speaking cybercriminals.
Coordinating the RaccoonO365 Disruption
Cloudflare’s strategy evolved from a reactive posture to a proactive and coordinated disruption.
- Initial state: Cloudflare’s Trust & Safety team addressed individual abuse complaints, mitigating RaccoonO365 domains as they were identified. Over time, it became clear that a broader, coordinated operation was necessary to further disrupt the actor’s overall effectiveness.
- Collaboration: Microsoft launched the legal disruption, seizing hundreds of RaccoonO365 domains, while Cloudflare took action to halt all RaccoonO365 operations on our platform. Together with U.S. law enforcement, we helped alter the threat actor’s operational trajectory.
- Infrastructure identification: Using signup patterns, we were able to comprehensively map the actor’s entire infrastructure on our platform, including domains and dozens of Worker accounts.
- Coordinated takedown: In early September 2025, Cloudflare executed a “rugpull” on RaccoonO365. In coordination with Microsoft, the initial phase of the Cloudflare takedown began on September 2nd, 2025, with additional actions occurring on September 3rd, 2025 and September 4th, 2025. We then banned all identified domains, placed interstitial “phish warning” pages in front of them, terminated the associated Workers scripts, and suspended the user accounts to prevent re-registration.
This coordinated action, alongside legal efforts by Microsoft and U.S. law enforcement, is intended to permanently dismantle the group’s ability to operate on Cloudflare’s platform and beyond.
For robust details and timelines read more at the Cloudflare blog and Microsoft blog.
-Ends-
About Cloudflare
Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protects and accelerates any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was named to Entrepreneur Magazine’s Top Company Cultures 2018 list and ranked among the World’s Most Innovative Companies by Fast Company in 2019. Headquartered in San Francisco, CA, Cloudflare has offices in Austin, TX, Champaign, IL, New York, NY, San Jose, CA, Seattle, WA, Washington, D.C., Toronto, Lisbon, London, Munich, Paris, Beijing, Singapore, Sydney, and Tokyo.