<p>Microsoft’s Digital Crimes Unit and Cloudflare have taken down a phishing platform called RaccoonO365, which was helping criminals steal Microsoft 365 logins worldwide.</p>
<p><img class="alignnone size-full wp-image-4335" src="https://www.wincert.net/wp-content/uploads/2021/09/hacker-6512174_640.jpg" alt="" width="640" height="400" /></p>
<p>The service, tracked as Storm-2246, sold subscription-based kits that appeared to be genuine Microsoft emails and login pages. These kits were easy to use and popular on Telegram, where hundreds of criminals subscribed. Microsoft says the group, led by Joshua Ogundipe in Nigeria, began operating in July 2024 and stole around 5,000 usernames and passwords across 94 countries.</p>
<p>To stop them, Microsoft obtained a U.S. court order and seized 338 websites linked to the operation. Cloudflare also stepped in, disabling malicious accounts and blocking access to fake login pages. The phishing kits were cheap compared to the damage they caused: criminals paid $355 for 30 days or $999 for 90 days, using only cryptocurrency. Despite the low price, the operation generated at least $100,000, although the actual total is likely higher.</p>
<p>Victims were tricked with fake CAPTCHA checks and anti-bot measures before being redirected to phony Microsoft login pages. Once users entered their details, attackers could even bypass multi-factor authentication by stealing session cookies.</p>
<p>Microsoft warned that cybercriminals no longer require advanced skills as services like RaccoonO365 make it easy for anyone to launch large-scale phishing attacks. Cloudflare added that this joint action marks a shift from small, reactive takedowns to large-scale disruptions, making it harder and more costly for such services to keep running.</p>
<p>The case highlights a growing industry of “phishing-as-a-service,” where criminals can simply subscribe and launch attacks. Microsoft and Cloudflare say they will continue targeting similar platforms to protect users globally.</p>