Microsoft disrupts global phishing campaign that led to widespread credential theft

Microsoft on Tuesday announced that it had dismantled the infrastructure behind a major phishing-as-a-service operation that had powered attacks on healthcare organizations around the world.

The operation, which Microsoft dubbed “Raccoon0365,” sold subscription-based phishing kits that allowed unsophisticated cybercriminals to steal Microsoft 365 account usernames and passwords, the company said in a blog post. It estimated that hackers used Raccoon0365 phishing kits to steal approximately 5,000 credentials from users in 94 different countries since July 2024.

Microsoft seized 338 of Raccoon0365’s web domains after obtaining permission from a federal judge in the Southern District of New York.

Raccoon0365 sold its phishing kits on a Telegram channel through subscriptions ranging from 30 to 90 days, according to Cloudflare, which worked with Microsoft on the operation to disrupt the service. Cybercriminals used the kits to target more than 2,300 organizations in the U.S. in a wide variety of industries. Many attacks sought to steal credentials and deploy malware during tax filing season, Microsoft said.

Microsoft told the court that it had conducted four separate “test buys” in which employees purchased phishing kits from Raccoon0365 and learned key details about how the operation worked.

The phishing operation has at least 850 members on its Telegram channel and has received more than $100,000 in cryptocurrency payments, Microsoft said. The alleged head of the operation is Joseph Ogundipe, a Nigeria-based man with a computer programming background, according to the company’s court filings.

Source: Cybersecurity Dive