Microsoft’s Digital Crimes Unit (DCU) and Cloudflare have disrupted a fast-growing phishing service known as ‘RaccoonO365’, shutting down 338 phishing domains.
RaccoonO365 is a phishing-as-a-service platform that sells ready-made phishing kits to would-be attackers; those kits have been used to steal over 5,000 Microsoft credentials in over 94 countries.
These kits are notorious for helping low-skilled actors launch widespread phishing campaigns against thousands of victims. They are sold as being able to avoid spam filters and bypass multi-factor authentication (MFA).
RaccoonO365 has even jumped onto the AI bandwagon: the group recently launched an AI-powered service, AI-MailCheck, which apparently makes the phishing campaigns even easier to scale.
Microsoft DCU and Cloudflare’s Trust & Safety group took technical and legal action to seize 338 RaccoonO365 domains and block the group’s operations on the Cloudflare platform.
Using a court order granted by the Southern District of New York, Microsoft “seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims,” Microsoft said in a statement.
Working with Cloudflare, the team then banned all known RaccoonO365 domains, placed phish warning pages in front of them, and suspended user accounts – a complete rug pull.
“By seizing 338 malicious websites, we’re disrupting an increasingly popular and powerful tool that made credential theft accessible to virtually anyone—regardless of technical skill”, Steven Masada, Assistant General Counsel, Microsoft’s Digital Crimes Unit, wrote on LinkedIn.
“We continue to work with global law enforcement as part of our commitment to public-private partnerships,” he continued.
Who are RaccoonO365?
RaccoonO365 was one of the fastest-growing phishing-as-a-service operations, offering pre-made templates for sending out targeted phishing attacks.
The group sold its services on a private Telegram channel, which had over 800 members according to Cloudflare.
Subscriptions were available for as low as $9.82 per day, with standard licenses advertising features like ‘secure and reliable email deliverability’ with the capacity to ‘bypass spam filters.’
“Subscriptions are not single-use, meaning that a single RaccoonO365 subscription allows a criminal to send thousands of phishing emails a day—adding up to potentially hundreds of millions of malicious emails a year sent through this platform,” Microsoft said.
Campaigns mimicked multiple well-known brands, including DocuSign, SharePoint and Adobe. One common lure asked victims to review an HR file, leading them to a phishing page designed to steal credentials and bypass MFA.
RaccoonO365 kits have been used to target all industries, including at least 20 healthcare organizations.
“Using RaccoonO365’s services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims’ systems,” Microsoft said.
In April, Microsoft reported on several phishing campaigns sent to thousands of people using tax-related scare-tactics delivered using RaccoonO365’s platform.
As part of Microsoft’s investigation, the leader of RaccoonO365 was revealed to be Joshua Ogundipe, a resident of Nigeria.
What action was taken?
RaccoonO365 is now on the back foot after the targeted campaign led by Microsoft and Cloudflare.
Microsoft initiated legal action, and using a court order from the Southern District of New York, seized 338 websites, ‘disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims,’ Microsoft said.
Cloudflare then took action to prevent RaccoonO365’s operations on its platform, disabling dozens of domains and Worker accounts.
The action is designed to “permanently dismantle” the group’s ability to operate, Cloudflare said.
Stay protected against phishing
Phishing can be devastating for individuals and crippling for businesses. A successful phishing attack is often the first step in a larger data theft or ransomware strike.
The success of gangs like RaccoonO365 is indicative of the returns that phishing campaigns can yield for cybercriminals at very low effort and cost.
To protect against phishing-as-a-service operations like RaccoonO365, Cloudflare recommends investing in strong email security, identity and access management, user awareness training, and endpoint protection.
It also advises implementing an incident response plan, and “working with cloud and SaaS providers to enable continuous monitoring of tenant activity.”