Phishing sites seized by Microsoft in major crackdown
Tuesday, September 23, 2025
Richard Harris
Microsoft secured a U.S. court order to dismantle 340 domains tied to Raccoon0365, a phishing subscription service. Operations linked to stolen data and cryptocurrency profits were disrupted, with phishing sites seized to limit credential theft across industries.
Microsoft has intensified its efforts to combat cybercrime by targeting Raccoon0365, a subscription-based phishing service that enabled wide-scale credential theft. Working through the U.S. District Court in Manhattan, the company successfully obtained approval to seize nearly 340 internet domains associated with fraudulent login pages.
The campaign represents one of Microsoft’s largest actions against organized phishing operations in recent years. By dismantling the domains, investigators sought to interrupt the infrastructure behind ongoing attacks that were impacting businesses, healthcare providers, and individuals across the United States.
Court action and leadership allegations
Legal filings identified Nigerian national Joshua Ogundipe as the organizer of Raccoon0365. Court documents suggested Ogundipe and his collaborators had managed operations since mid-2024, offering phishing kits and email templates to paying members.
The domains seized were central to the group’s activity, often disguised to resemble Microsoft Outlook and Office 365 login pages. Victims who entered their credentials unknowingly handed over access to attackers, allowing unauthorized entry into email accounts and corporate networks.
Efforts to reach Ogundipe through listed contact details received no reply. Law enforcement continues to investigate further financial and operational links.
Subscription-based model lowers entry barriers
Raccoon0365 distinguished itself by using a subscription system. For recurring fees, subscribers gained access to pre-built phishing infrastructure, including login templates, automated distribution tools, and hosting services.
According to Microsoft, more than 850 individuals subscribed to the service through a private Telegram channel. The arrangement significantly lowered the barriers to conducting cybercrime, allowing less technically skilled participants to run phishing campaigns at scale.
Since its launch in July 2024, the service generated at least $100,000 in cryptocurrency revenue. Payments were often processed through anonymous wallets, making financial tracking difficult.
Industries and organizations targeted
Court records revealed that Raccoon0365 campaigns heavily targeted organizations based in New York City, with significant evidence of credential theft across business and government sectors.
Microsoft documented a series of tax-themed phishing attacks linked to the group. These campaigns impersonated U.S. tax authorities and targeted more than 2,300 organizations nationwide over a two-week span.
Healthcare providers were also frequently victimized. Errol Weiss, chief security officer at the Health Information Sharing & Analysis Center (Health-ISAC), confirmed that at least five healthcare organizations suffered breaches tied to the group, with about 25 targeted overall. These attacks risked exposure of sensitive medical and personal data.
Consequences of credential theft
Credential theft remains a leading entry point for larger cyberattacks. Once attackers obtain usernames and passwords, they can bypass security controls, gain access to confidential information, or escalate to ransomware incidents.
Weiss noted that “so many of the attacks start because somebody gave up their username and password to a bad guy.” This observation highlights the importance of user awareness, multifactor authentication, and stronger identity security practices.
The stolen data can also be resold on underground markets, generating secondary revenue streams for criminal groups and further exposing victims to fraud.
Role of service providers and enforcement agencies
Cloudflare, a web infrastructure provider, was used by the group to obscure the location of phishing servers. The company confirmed that it worked with Microsoft and the U.S. Secret Service to disable accounts associated with the operation.
Blake Darché, head of threat intelligence at Cloudflare, acknowledged that while Raccoon0365 made operational mistakes, the service was still highly effective in deceiving users. Collaborative action helped limit further damage by blocking new registrations and dismantling existing infrastructure.
Microsoft emphasized that law enforcement played a central role in the coordinated disruption, demonstrating how private companies and government agencies can work together to reduce cybercrime threats.
Implications for cybersecurity
The takedown of Raccoon0365 illustrates broader challenges in cybersecurity enforcement. While subscription models make phishing more accessible, they also create clear targets for intervention when platforms or operators can be identified.
However, the cycle often repeats as new groups form and replicate the model. Cybersecurity experts caution that while operations like this can slow the pace of attacks, continued vigilance is necessary. Education, stronger authentication methods, and coordinated monitoring remain essential in limiting the impact of phishing.
Microsoft indicated that while the disruption removed hundreds of active domains, future services are likely to appear. The company continues to monitor for emerging threats and engage with industry partners to coordinate defensive strategies.
The dismantling of Raccoon0365 underscores both the risks posed by subscription-driven cybercrime and the importance of coordinated countermeasures. By securing court approval to seize nearly 340 domains, Microsoft disrupted a service that made large-scale phishing accessible to hundreds of subscribers.
The operation highlighted the role of credential theft as a gateway to wider attacks, demonstrated the vulnerabilities facing industries such as healthcare and finance, and showed the importance of collaboration between private companies, service providers, and law enforcement agencies. While phishing groups are expected to continue evolving, this case illustrates how decisive legal and technical action can disrupt criminal ecosystems and protect users from widespread credential exploitation.