RaccoonO365 Phishing Network Dismantled as Microsoft, Cloudflare Take Down 338 Domains

Microsoft’s Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that was behind a phishing-as-a-service (Phaas) toolkit used to steal more than 5,000 Microsoft 365 credentials from 94 countries since July 2024.

“Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims,” Steven Masada, assistant general counsel at DCU, said.

“This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm – simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

The initial phase of the Cloudflare takedown commenced on September 2, 2025, with additional actions occurring on September 3 and September 4. This included banning all identified domains, placing interstitial “phish warning” pages in front of them, terminating the associated Workers scripts, and suspending the user accounts. The efforts were completed on September 8.

Tracked by the Windows maker under the name Storm-2246, RaccoonO365 is marketed to other cybercriminals under a subscription model, allowing them to mount phishing and credential harvesting attacks at scale with little to no technical expertise. A 30-day plan costs $355, and a 90-day plan is priced at $999.

The operators also claim that the tool is hosted on bulletproof virtual private servers with no hidden backdoors (unlike, say, BulletProofLink), and that it’s “built for serious players only – no low-budget freeloaders.”

According to Morado, campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking them into clicking on lookalike pages that are designed to capture victims’ Microsoft 365 usernames and passwords. The phishing emails are often a precursor to malware and ransomware.

The most troubling aspect, from a defender’s standpoint, is the use of legitimate tools like Cloudflare Turnstile as a CAPTCHA, as well as implementing bot and automation detection using a Cloudflare Workers script to protect their phishing pages, thereby making sure that only intended targets of the attack can access and interact with them.

Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.

The phishing campaigns have targeted over 2,300 organizations in the United States, including at least 20 U.S. healthcare entities.

“Using RaccoonO365’s services, customers can input up to 9,000…