Microsoft and Cloudflare Dismantle RaccoonO365: A Major Blow to Phishing-as-a-Service

TL;DR


In a groundbreaking joint operation, Microsoft and Cloudflare successfully dismantled RaccoonO365, a rapidly growing phishing-as-a-service (PhaaS) platform. The operation led to the seizure of 338 malicious websites, the disruption of its infrastructure, and the exposure of its leader, Joshua Ogundipe. This takedown marks a significant victory against cybercrime, protecting thousands of Microsoft 365 users globally.

---

Introduction


Phishing attacks remain one of the most pervasive and damaging cyber threats, targeting individuals and organizations alike. In a landmark effort, Microsoft and Cloudflare joined forces to dismantle RaccoonO365, a notorious phishing-as-a-service (PhaaS) platform responsible for stealing Microsoft 365 credentials from thousands of users worldwide. This collaborative operation not only disrupted the platform's infrastructure but also exposed the mastermind behind the scheme, marking a significant milestone in the fight against cybercrime.

---

The Takedown Operation



Microsoft's Role


Microsoft's Digital Crimes Unit (DCU) played a pivotal role in dismantling RaccoonO365. In a court-ordered operation, the DCU seized 338 malicious websites associated with the platform. These websites were specifically designed to steal Microsoft 365 usernames and passwords, posing a severe threat to users' sensitive data.

> "Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords. Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims." [^1]

Cloudflare's Contribution


Cloudflare complemented Microsoft's efforts by dismantling hundreds of domains and Worker accounts tied to RaccoonO365. This action was part of a strategic takedown executed in early September 2025, aligning with Microsoft's broader legal initiatives.

> "In early September 2025, in a strategic effort to prevent this phishing abuse on our services, Cloudflare executed a coordinated takedown of hundreds of domains and Worker accounts associated with the actor, effectively dismantling their infrastructure on our network. This action was taken in coordination with Microsoft’s broader efforts through a civil lawsuit filed in late August." [^2]

---

What Was RaccoonO365?



A Phishing-as-a-Service Platform


RaccoonO365 operated as a phishing-as-a-service (PhaaS) platform, providing cybercriminals with ready-made phishing tools, hosting, and support for a subscription fee. This model enabled even novice attackers to launch sophisticated phishing campaigns with minimal effort.

- Subscription Cost: $355–$999
- Global Reach: Used in 94 countries
- Stolen Credentials: At least 5,000 Microsoft 365 accounts compromised

Impact of RaccoonO365


The platform was responsible for massive phishing campaigns, including:
- Tax scams targeting 2,300 U.S. organizations
- Attacks on 20 healthcare providers, risking:
  - Delayed patient care
  - Compromised lab results
  - Breached patient data
  - Financial losses

RaccoonO365 was advertised on Telegram and had 100–200 subscribers, generating over $100,000 in cryptocurrency.

---

The Mastermind Behind RaccoonO365



Joshua Ogundipe: The Leader


Microsoft's investigation identified Joshua Ogundipe, a Nigerian national, as the leader of the RaccoonO365 operation. Ogundipe was a skilled programmer who:
- Wrote most of the platform's code
- Managed sales and customer support
- Used fake domains to evade detection

However, a leaked cryptocurrency wallet exposed his operations, leading to his identification. Authorities have since referred Ogundipe to law enforcement for further action.

---

Why This Takedown Matters



A Victory Against Cybercrime


The dismantling of RaccoonO365 represents a major victory in the fight against cybercrime. By disrupting this platform, Microsoft and Cloudflare have:
- Protected thousands of users from credential theft
- Reduced the effectiveness of phishing-as-a-service models
- Set a precedent for future collaborative takedowns

Future Implications


This operation highlights the importance of public-private partnerships in combating cyber threats. As phishing attacks continue to evolve, such collaborations will be crucial in identifying, disrupting, and prosecuting cybercriminals.

---

Conclusion


The takedown of RaccoonO365 by Microsoft and Cloudflare is a testament to the power of collaboration in cybersecurity. By dismantling this phishing-as-a-service platform, the operation has safeguarded countless users and sent a strong message to cybercriminals. As threats continue to evolve, such proactive measures will remain essential in protecting digital ecosystems and preserving user trust.

---

Additional Resources


For further insights, check:
- [Microsoft's Official Announcement](https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/)
- [Cloudflare's Threat Intelligence Report](https://www.cloudflare.com/it-it/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/)

---

References


[^1]: Microsoft (2025, September 16). ["Microsoft seizes 338 websites to disrupt rapidly growing RaccoonO365 phishing service"](https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/). Microsoft. Retrieved 2025-09-17.

[^2]: Cloudflare (2025, September). ["Cloudflare Participates in Global Operation to Disrupt RaccoonO365"](https://www.cloudflare.com/it-it/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/). Cloudflare. Retrieved 2025-09-