Microsoft’s Digital Crimes Unit (DCU) has disrupted a subscription-based phishing service known as RaccoonO365, accused of stealing thousands of Microsoft 365 credentials across the world.
The tech giant said it identified a Nigeria-based individual as the mastermind behind the operation. Acting on a U.S. court order from the Southern District of New York, Microsoft seized 338 websites connected to the network. These sites were used to host fake Microsoft login pages and funnel stolen user data.
According to Microsoft, RaccoonO365 operated like a business, selling easy-to-use phishing kits on Telegram. The service allowed even low-skilled cybercriminals to impersonate Microsoft communications and harvest usernames and passwords at scale. Since July 2024, the kits have been used to steal at least 5,000 Microsoft credentials across 94 countries.
Investigators found that the phishing kits were structured as subscriptions, enabling criminals to send thousands of phishing emails daily. This model meant a single subscription could fuel hundreds of millions of malicious emails per year.
Microsoft revealed that the individuals behind the scheme played specialized roles, from writing code to selling subscriptions and providing customer support to other criminals. The DCU noted that while the group tried to hide by registering domains under fake names and locations, an operational error gave them away when they exposed a secret cryptocurrency wallet.
The company confirmed it has referred the case to international law enforcement.
Beyond financial fraud, Microsoft warned that RaccoonO365 posed serious risks to public safety. The DCU uncovered tax-themed phishing campaigns that targeted over 2,300 organizations in the U.S., including at least 20 healthcare providers. Working with the Health Information Sharing and Analysis Center (Health-ISAC), Microsoft highlighted that such attacks can disrupt patient care, delay critical services, and expose sensitive medical data.
The company also emphasized how fast RaccoonO365 has evolved. In just over a year, it released regular upgrades to meet demand, with customers able to target up to 9,000 emails per day and even bypass multi-factor authentication protections. Most recently, the group began advertising an AI-powered tool, “RaccoonO365 AI-MailCheck,” designed to make phishing campaigns more effective.
The crackdown comes as Microsoft continues to be the most impersonated brand in phishing campaigns. A recent report by Check Point Research revealed that the company accounted for 25 percent of all global phishing attempts between April and June 2025, a surge linked to networks like RaccoonO365.
