Microsoft Phishing Websites Seized in Nigerian Operation

Microsoft has seized approximately 340 websites linked to a Nigeria-based phishing operation that has resulted in the theft of at least 5,000 Microsoft user credentials. According to a statement from the company, the operation, known as Raccoon0365, allowed users to carry out large-scale phishing campaigns through a subscription service. The service, which operates via a private Telegram channel with over 850 subscribers, enables users to impersonate trusted brands and trick targets into entering their Microsoft login credentials on fake login pages.

The seizure of the websites was made possible by an order from the US District Court in Manhattan, obtained by Microsoft earlier this month. The company’s Digital Crimes Unit, led by Assistant General Counsel Steven Masada, has been investigating the operation and working to dismantle its infrastructure. Masada noted that the service has generated at least $100,000 in cryptocurrency payments for its operators since its launch in July 2024.

The phishing campaigns carried out through Raccoon0365 have targeted a wide range of industries, with a significant portion of the activity focusing on organizations based in New York City. Microsoft has identified several instances of Raccoon0365-related phishing efforts, including a tax-themed campaign that targeted over 2,300 organizations in the US between February 12 and 28 this year. The company has also collaborated with security partners, such as Cloudflare, to seize and take down malicious infrastructure linked to the operation.

The impact of Raccoon0365 extends to the healthcare sector, with at least five unnamed healthcare organizations reportedly falling victim to successful credential harvesting through phishing campaigns. Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), noted that the operation has targeted a total of 25 health sector organizations.

Microsoft’s efforts to dismantle Raccoon0365’s infrastructure are ongoing, with the company committed to taking additional legal steps to prevent the operation from rebuilding. The seizure of the websites marks a significant blow to the phishing operation, and serves as a reminder of the importance of vigilance in the face of cyber threats. As Masada noted, “cybercriminals don’t need to be sophisticated to cause widespread harm,” and simple tools like Raccoon0365 can put millions of users at risk.
