Microsoft, Cloudflare Lead Disruption of RaccoonO365 Phishing Network, Seizing 338 Domains

Microsoft’s Digital Crimes Unit (DCU) teamed with Cloudflare to coordinate the seizure of 338 domains used by the RaccoonO365 phishing-as-a-service network, a move that disrupted the operation’s infrastructure and cut off criminals’ access to victims, according to a Microsoft recap citing DCU assistant general counsel Steven Masada. Masada said the court-ordered takedown was a tangible demonstration that cybercriminals don’t need advanced capabilities to cause wide harm.

The takedown began in earnest on September 2, 2025, with follow-on actions on September 3 and 4 and a final phase on September 8. The operation involved banning all identified domains, placing interstitial “phish warning” pages in front of them, terminating the associated Cloudflare Workers scripts, and suspending the attacker accounts, according to the Cloudflare update on the disruption.

RaccoonO365 marketed its service as a pay-for-use phishing toolkit, a model researchers describe as PhaaS (phishing-as-a-service). Pricing cited in industry analysis puts a 30-day plan at $355 and a 90-day plan at $999, with campaigns designed to scale by harvesting Microsoft 365 credentials from large targets. A detailed analysis of the platform and pricing is provided by Morado, which tracks the service as active since September 2024 and notes its ability to mimic trusted brands such as Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails.

The operators marketed access to the service through a subscription-based model hosted on bulletproof virtual private servers with claims of no backdoors, and they advertised the tool as suitable for “serious players only.” The same sources describe how campaigns relied on lookalike pages designed to harvest Microsoft 365 usernames and passwords, often preceding malware and ransomware deployments. Industry observers note that the campaigns have reached tens of thousands of targeted emails daily via RaccoonO365’s services, enabling credential theft at scale.

Microsoft has highlighted the techniques used by RaccoonO365, including the abuse of legitimate services: Cloudflare Turnstile served as a CAPTCHA gate and a Cloudflare Workers script shielded the phishing pages and restricted access to intended targets, complicating defenders’ analysis. The broader analysis of the operation is captured in Cloudflare’s threat intelligence report, and the activity has been traced and contextualized by researchers and security firms including Morado.
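The reporting above describes lookalike pages and lure emails impersonating the brands RaccoonO365 mimicked (Microsoft, DocuSign, SharePoint, Adobe, Maersk). As an added defensive example that is not code from Microsoft, Cloudflare, Morado or the article, the following script scores hostnames seen in mail logs or proxy logs for brand impersonation: it normalizes common digit-for-letter substitutions, checks for the brand name embedded in a label, and falls back to an edit-distance match for near-misses. The brand list is taken from the article; the allowlist of legitimate registrable domains, the homoglyph table, the thresholds and the sample hostnames are this example’s own assumptions, and the registrable-domain logic is deliberately simplified (last two labels) for the sake of a self-contained block.

```python
"""Flag hostnames that appear to impersonate brands named in the RaccoonO365
reporting. Added defensive example; heuristics and sample data are constructed."""
import re

# Brands named in the article as impersonated by the phishing kit.
BRANDS = ["microsoft", "docusign", "sharepoint", "adobe", "maersk"]

# Assumed allowlist of the brands' legitimate registrable domains.
ALLOWED = {"microsoft.com", "docusign.com", "sharepoint.com", "adobe.com", "maersk.com"}

# Assumed digit/letter substitutions seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "rn": "m", "vv": "w"}


def raw_host(value):
    """Lowercase hostname from a URL or bare host (scheme, path, port stripped)."""
    value = value.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)
    return value.split("/")[0].split(":")[0].strip(".")


def registrable(host):
    """Simplified registrable domain: the last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_host(value):
    """Return {'host', 'brand', 'reason', 'suspicious'} for one hostname."""
    host = raw_host(value)
    # Allowlist is checked BEFORE homoglyph folding, otherwise "micros0ft.com"
    # would fold to "microsoft.com" and be waved through as legitimate.
    if registrable(host) in ALLOWED:
        return {"host": host, "brand": None, "reason": "allowlisted", "suspicious": False}

    folded = host
    for bad, good in HOMOGLYPHS.items():
        folded = folded.replace(bad, good)

    candidates = []  # (distance, brand, reason)
    for label in folded.split(".")[:-1]:  # skip the TLD label
        for chunk in re.split(r"[-_]", label):
            for brand in BRANDS:
                if brand in chunk:
                    candidates.append((0, brand, "contains"))
                    continue
                dist = levenshtein(chunk, brand)
                # Tolerate more edits for longer brand names, at least one for any.
                if dist <= max(1, len(brand) // 4):
                    candidates.append((dist, brand, "edit-distance"))

    if not candidates:
        return {"host": host, "brand": None, "reason": "no-match", "suspicious": False}
    dist, brand, reason = min(candidates)
    return {"host": host, "brand": brand, "reason": reason, "suspicious": True}


def scan(values):
    """Score a batch of URLs/hostnames and return only the suspicious findings."""
    return [r for r in (score_host(v) for v in values) if r["suspicious"]]


# Constructed sample input: a mix of legitimate and lookalike hostnames.
SAMPLE = [
    "https://login.microsoft.com/common/oauth2",
    "micros0ft-login.example",
    "docusgn-secure.example",
    "sharepoint-files.example.net",
    "https://www.adobe.com/",
    "example.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"{finding['host']}: looks like {finding['brand']} ({finding['reason']})")
```

The allowlist-before-folding ordering is the one edge case worth keeping in mind: any normalization that maps attacker-chosen characters onto legitimate ones must run after the legitimacy check, not before it. In production the last-two-labels shortcut should be replaced by a public-suffix lookup so that hosts under shared suffixes such as `co.uk` are handled correctly.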

Authorities have further connected the operation to a figure identified as Joshua Ogundipe, a Nigeria-based individual alleged to lead the scheme. Microsoft notes that Ogundipe and several associates operated via an 850-member Telegram channel and have reportedly generated more than $100,000 in cryptocurrency payments, with estimates suggesting 100–200 subscriptions sold. A criminal referral for Ogundipe has been sent to international law enforcement, and investigators continue to pursue additional co-conspirators, according to notices linked in the reporting. The Notice of Pleadings provides background on the case against the principal actor and co-conspirators.

The takedown marks a strategic shift from reactive, single-domain takedowns to a proactive disruption of a criminal actor’s operational infrastructure, Cloudflare said in its assessment of the operation. In the wake of the seizure, RaccoonO365 operators indicated they would disable legacy links and offer their customers upgrades and extensions, a development Cloudflare described in its communications after the disruption.