Microsoft has seized nearly 340 websites linked to a Nigerian-based phishing service called Raccoon0365, which stole at least 5,000 Microsoft user credentials.
The move follows a US district court order obtained by Microsoft in Manhattan to take control of domains tied to the subscription-based service. Raccoon0365 operates through a private Telegram channel with over 850 subscribers, allowing users to impersonate trusted brands and trick victims into entering login details on fake Microsoft pages.
According to Steven Masada, assistant general counsel for Microsoft’s digital crimes unit, the service has generated at least $100,000 in cryptocurrency for its operators since launching in July 2024. Microsoft identified Nigeria-based Joshua Ogundipe as the leader of Raccoon0365, though he did not respond to requests for comment.
The phishing campaigns targeted a wide range of industries, with a significant portion focusing on organisations in New York City. Between February 12 and 28, 2025, Raccoon0365 allegedly used tax-themed phishing emails to target over 2,300 organisations, mostly in the US.
The service also affected the health sector, with successful credential theft reported at five unnamed healthcare organisations and 25 others targeted overall, according to Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center. Weiss warned that once hackers gain access to networks, the consequences can be severe and highly unpredictable.
Raccoon0365 operators relied on services from Cloudflare to obscure their infrastructure, but Cloudflare worked with Microsoft and the US Secret Service to disrupt the operations and prevent new accounts. Blake Darché, head of threat intelligence at Cloudflare, said the operators made operational security mistakes but were nonetheless highly effective.
“Simple tools such as Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk,” Masada said, emphasizing the threat posed by such services.
