Friday, 19 September 2025

Microsoft disrupts fast-growing phishing service

Source: Microsoft blog post. The RaccoonO365 login page.

Microsoft’s Digital Crimes Unit (DCU) has disrupted access to RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 credentials. Using a court order granted in the US, the DCU has seized 338 websites associated with the service, Microsoft disclosed in a blog post.

"This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk," said Steven Masada, Assistant General Counsel of the DCU in the post.

RaccoonO365 offers subscription-based phishing kits that let subscribers steal usernames and passwords by mimicking official Microsoft communications. The kits can create fraudulent emails, attachments, and websites that appear legitimate, duping victims into sharing information.

RaccoonO365 supports the sharing of 9,000 target email addresses per day and can circumvent multifactor authentication protections, Masada shared. An AI-powered service, RaccoonO365 AI-MailCheck, was introduced recently. Masada said RaccoonO365’s kits have been used since July 2024 to steal at least 5,000 Microsoft credentials from 94 countries. Approximately 70 victims were from Singapore.

"While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cybercriminals," Masada observed, calling the accessibility of services like RaccoonO365 a sign that cybercrime could multiply exponentially. 

In response, Microsoft is integrating blockchain analysis tools like Chainalysis Reactor into its investigations, Masada said. "These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence," he explained.

"In legal cases, we also collaborate with security companies like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we cut off the actor’s revenue streams, sow distrust among their would-be customers, and send a clear signal that Microsoft and its partners will remain persistent in going after those who target our systems." 

Masada noted that cybercriminals can exploit loopholes in international laws and called for more global cooperation. "Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity. The international community should also support nations that are working to strengthen their defences, while holding accountable those that turn a blind eye to cybercrime," he said. 
