Microsoft and Cloudflare have successfully dismantled RaccoonO365, a global phishing-as-a-service (PhaaS) operation that had been running for over a year. This criminal platform, marketed on Telegram and used by up to 200 subscribers, enabled attackers to craft realistic Microsoft 365 phishing campaigns, complete with fake login pages, email lures, and QR code traps. The operation facilitated the theft of more than 5,000 user credentials across 94 countries, with healthcare organizations being disproportionately targeted, raising serious public safety concerns.
What set RaccoonO365 apart was its abuse of Cloudflare Workers to hide phishing sites from researchers and automated scanners, making the attacks harder to detect. The takedown involved a multi-front response: Microsoft filed a lawsuit with Health-ISAC, seized over 330 malicious domains, and identified the alleged mastermind, Nigerian programmer Joshua Ogundipe. Meanwhile, Cloudflare suspended accounts, removed malicious scripts, and blocked domains linked to the operation. Together, these actions not only dismantled the phishing infrastructure but also exposed the growing risks of PhaaS models, which lower the barrier for entry into cybercrime.
This episode unpacks how the takedown unfolded, why healthcare was such a critical target, and what this operation reveals about the evolving cybercrime economy.
#Microsoft #Cloudflare #RaccoonO365 #PhishingAsAService #PhaaS #Cybercrime #HealthcareCybersecurity #CredentialTheft #Microsoft365 #CloudflareWorkers #JoshuaOgundipe
