# Disrupted phishing service was after Microsoft 365 credentials

Source: Malwarebytes Labs blog (News), published 2025-09-18 13:25. Corpus ID: MALWAREBYTES:6B1C232566AD7A19CB847786748DCE03. No CVE; this is a service takedown, not a software vulnerability.
Original: https://www.malwarebytes.com/blog/news/2025/09/disrupted-phishing-service-was-after-microsoft-365-credentials

Microsoft and Cloudflare have disrupted a phishing-as-a-service (PhaaS) operation known as RaccoonO365.

RaccoonO365 (Storm-2246 in Microsoft's naming) rented out a phishing toolkit that specialized in stealing Microsoft 365 credentials. It was successful in at least 5,000 cases across 94 countries since July 2024.

The service handed its customers the stolen credentials, session cookies, and data. A valid session cookie lets whoever holds it act as the user without signing in again, so customers could plunder OneDrive, SharePoint, and Outlook for material to use in financial fraud or extortion, or as initial access for a larger attack.

Roughly, an attack looked like this:

  * The victim received an email with an attachment containing a link or a QR code. Keeping the link inside an attachment, or encoding it as a QR code to be scanned with a phone, keeps it away from mail-gateway link rewriting and scanning.
  * The link led to a page with a simple CAPTCHA. This and other anti-bot techniques kept automated URL scanners and sandboxes, which cannot solve the CAPTCHA, from ever reaching the real phishing page, so a reputation check of the first hop comes back clean, while the victim sees nothing unusual.
  * After solving the CAPTCHA, the victim was redirected to a fake Microsoft 365 login page that harvested whatever credentials were typed in.

RaccoonO365 built its operation on top of legitimate infrastructure in an attempt to avoid detection. Leveraging free accounts, the operators deployed Cloudflare Workers as an intermediary layer that shielded their backend phishing servers from direct public exposure: the phishing hostnames resolved to Cloudflare's network, so the backend's real address never appeared to defenders.

Reacting to this abuse of its services, Cloudflare teamed up with Microsoft's Digital Crimes Unit (DCU). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with RaccoonO365.

The danger of phishing kits like this is clear. A criminal with no technical skill can lease a 30-day plan for $355, paid in cryptocurrency, and get valid Microsoft 365 credentials. With the kit's latest feature, its users can even receive the one-time codes for certain multi-factor authentication (MFA) methods, so a code-based second factor does not by itself stop them.

From there they can move on to data theft and financial fraud, or use the credentials to get into an organization and deploy ransomware. To give an idea of the scale, RaccoonO365 customers were able to send emails to 9,000 targets per day. The suspected leaders of the operation had over 850 members on Telegram and received at least US$100,000 in cryptocurrency payments.

The takedown of the websites and the attribution to a Nigerian suspect cut off the cybercriminals' revenue streams and significantly increased RaccoonO365's operating costs. Besides that, the main suspect is believed to be the main coder behind the project, and his apprehension by international law enforcement is likely to be a major blow to the operation.

Now RaccoonO365's customers can start worrying about how much of their information will be revealed in the aftermath of this disruption.

We'll keep you posted.

## Don't fall for phishing attempts

In the operations run by RaccoonO365, two simple rules would have saved you a lot of trouble:

  * Don't click links in unsolicited attachments, and don't scan QR codes from them.
  * Before typing a password, check that the address in the browser's address bar is exactly the domain you expect. For Microsoft 365 that is login.microsoftonline.com (login.live.com for personal Microsoft accounts), not a lookalike that merely contains those words somewhere in a longer hostname.

Other important tips to stay safe from phishing in general:

  * Verify the sender: check that the sender's email address, not just the display name, matches what you would expect. It's not always conclusive, but it helps you spot many attempts.
  * Confirm through an independent channel (a phone number or address you already have, not one taken from the email) that the sender actually sent you an attachment or a link.
  * Use up-to-date security software, preferably with a web protection component.
  * Keep your device and all its software updated.
  * Use multi-factor authentication for every account you can, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) where they are offered: they are bound to the genuine site's origin, so a kit that relays one-time codes has nothing to capture.
  * Use a password manager. A password manager fills a credential only on the site it was saved for, so it will not fill your password into a fake page, however convincing the page looks to you.

* * *
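The two address-bar rules above come down to one question: is the page's origin exactly the one you expect? The following is an added example (not code from the Malwarebytes post, Microsoft or Cloudflare) that applies that check to a URL the way a careful user or an origin-bound password manager would, including the tricks lookalike pages use. The allowlist of Microsoft sign-in hosts is a short constructed list, and every sample URL is constructed.

```python
"""Origin checks behind two of the tips above: look at the domain in the
address bar before typing a password, and let an origin-bound password
manager refuse to fill a lookalike page.

Added example; not code from the Malwarebytes post, Microsoft or Cloudflare.
The trusted-host list is a short constructed allowlist and every URL in the
samples is constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts at which Microsoft itself collects Microsoft 365 / Entra ID sign-in
# credentials (constructed, deliberately short allowlist; an organisation
# would add its own federation endpoint). A match must be exact: a subdomain,
# or a host that merely contains one of these names, is not trusted.
TRUSTED_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
})

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return the (scheme, host, port) triple a browser treats as the origin.

    urlsplit().hostname already strips userinfo, the port and IPv6 brackets
    and lowercases the name, so "Login.MicrosoftOnline.com:443" and
    "login.microsoftonline.com" come out as the same origin.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:          # non-numeric port text
        port = None
    return scheme, host, port or DEFAULT_PORTS.get(scheme)


def classify_login_url(url):
    """Decide whether this is a place to type Microsoft 365 credentials.

    Returns (verdict, reason) with verdict "allow" or "block".
    """
    parts = urlsplit(url.strip())
    scheme, host, _ = origin(url)

    if scheme != "https":
        return "block", "not https (scheme is %r)" % scheme
    if not host:
        return "block", "no host in URL"
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ : the text before
        # '@' is userinfo; the real host is what follows it.
        return "block", "URL carries userinfo; the real host is %s" % host
    try:
        ipaddress.ip_address(host)
        return "block", "host is an IP literal"
    except ValueError:
        pass
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        # Non-ASCII or punycode labels: a homoglyph such as a Cyrillic 'o'
        # in "microsoftonline" renders almost identically to the real name.
        return "block", "internationalised host, possible homoglyph: %s" % host
    if host in TRUSTED_LOGIN_HOSTS:
        return "allow", "%s is a trusted sign-in host" % host
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted in host:
            # e.g. login.microsoftonline.com.verify-account.example
            return "block", "lookalike: %s contains %s but is not it" % (host, trusted)
    return "block", "%s is not a trusted sign-in host" % host


def should_autofill(stored_url, page_url):
    """What an origin-bound password manager does: fill a saved credential
    only on the exact origin it was saved for. Page appearance plays no part."""
    return origin(stored_url) == origin(page_url)


if __name__ == "__main__":
    SAMPLES = [  # constructed URLs
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
        "HTTPS://Login.MicrosoftOnline.com:443/",
        "https://login.microsoftonline.com.verify-account.example/",
        "https://login.microsoftonline.com@198.51.100.7/",
        "http://login.microsoftonline.com/",
        "https://login.micros0ftonline.com/",
        "https://login.micros\u043eftonline.com/",
    ]
    for url in SAMPLES:
        verdict, reason = classify_login_url(url)
        print("%-5s %s  (%s)" % (verdict, url, reason))
```

The order of the checks matters: the userinfo and IP-literal tests run before the allowlist lookup so that text placed in front of an `@` can never satisfy it, and exact matching means a hostname that contains `login.microsoftonline.com` as a prefix is rejected rather than accepted as "close enough".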
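The "verify the sender" tip and the lure shape described above (a branded display name, almost no body text, and a single attachment carrying the link or QR code) can be checked mechanically on a message's headers and MIME structure. The following is an added example, not code from the Malwarebytes post, and the message, its domain names and the allowlist of Microsoft sender domains are all constructed. It also shows the caveat practitioners know well: SPF, DKIM and DMARC can all pass for a phishing message, because they only prove the message came from the domain it claims, not that the domain is Microsoft's.

```python
"""Sender and lure-shape checks behind the "verify the sender" tip, run
over a constructed message with the shape the post describes: a
Microsoft-branded display name, almost no body text and a single
attachment carrying the link.

Added example; not code from the Malwarebytes post. The message, the
domain names and the allowlist of Microsoft sender domains are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed message. SPF, DKIM and DMARC all pass, but for the sender's
# own domain: authentication says who sent it, not whether to trust them.
SAMPLE_EML = """\
From: "Microsoft 365 Support" <alerts@mail-notify.example>
To: jane.doe@victim.example
Subject: Action required: your password expires today
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mail-notify.example; dkim=pass header.d=mail-notify.example; dmarc=pass header.from=mail-notify.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="Password_Notice.pdf"
Content-Disposition: attachment; filename="Password_Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed allowlist: domains Microsoft itself sends account mail from.
BRAND = "microsoft"
BRAND_DOMAINS = ("microsoft.com",)
# Attachment types used to carry a link or QR code into the inbox.
ATTACHMENT_LURE_TYPES = ("application/pdf", "image/png", "image/jpeg")


def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_message(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Display name claims a brand the address domain does not belong to.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if BRAND in display.lower() and not domain_matches(sender_domain, BRAND_DOMAINS):
        findings.append(("brand-mismatch",
                         "display name %r but address domain %s" % (display, sender_domain)))

    # 2. Authentication results as recorded by the receiving MX.
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                              str(msg.get("Authentication-Results", "")).lower()))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(("auth-%s" % method, results.get(method, "missing")))

    # 3. Content lives only in an attachment (the RaccoonO365 lure shape).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    lures = [p.get_filename() for p in msg.iter_attachments()
             if p.get_content_type() in ATTACHMENT_LURE_TYPES]
    if lures and len(text) < 60:
        findings.append(("attachment-only",
                         "body %d chars, attachments %s" % (len(text), lures)))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_EML):
        print("%-16s %s" % (code, detail))
```

On the sample, the authentication checks stay silent and the two findings are the brand mismatch and the attachment-only body; flip `dmarc=pass` to `dmarc=fail` in the header and an `auth-dmarc` finding appears as well.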