Ptechhub

Microsoft scores win against Office 365 credential thieves | Computer Weekly

By Computer Weekly
September 17, 2025


Investigators from Microsoft’s Digital Crimes Unit (DCU), acting on a court order granted in the Southern District of New York, have disrupted the network behind the dangerous RaccoonO365 infostealer malware that targeted the usernames and credentials of Office 365 users.

The operation saw a total of 338 websites linked to the popular malware seized and its technical infrastructure disrupted, severing RaccoonO365 users’ access to their victims.

RaccoonO365 – which was tracked in Microsoft’s threat actor matrix as Storm-2246 – was a relatively unsophisticated, subscription-based phishing kit that exploited Microsoft’s own branding to make its fake emails, attachments and websites seem realistic enough to trick victims into interacting with them.

Microsoft’s Stephen Masada, DCU assistant general counsel, said the case showed that effective cyber criminals did not need to be particularly sophisticated to have an impact: “Since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries.

“While not all stolen information results in compromised networks or fraud due to the variety of security features employed to remediate threats, these numbers underscore the scale of the threat and how social engineering remains a go-to tactic for cyber criminals. 

“More broadly, the rapid development, marketing and accessibility of services such as RaccoonO365 indicate that we are entering a troubling new phase of cyber crime where scams and threats are likely to multiply exponentially.”

The DCU operation appears to have come at the right time: Microsoft said that in the past 12 months, RaccoonO365 had undergone a rapid technical evolution, with regular upgrades to meet rising demand.

Among other things, users were able to input 9,000 target email addresses every day, and could also “benefit” from on-board features that enabled them to circumvent multi-factor authentication (MFA) safeguards and establish persistent access on their victims’ computers.

In the past few months, RaccoonO365’s operators also started advertising an AI service that supposedly enabled users to scale their operations and improve the effectiveness of their attacks.

Leadership identified

At the same time, the DCU has named a Nigerian national, Joshua Ogundipe, as the leader of the enterprise behind RaccoonO365. He was identified following an operational security lapse in which the gang accidentally revealed a secret cryptocurrency wallet, which the DCU said greatly helped with attribution.

It accused Ogundipe and his associates of selling their services to customers via Telegram. The customer base is estimated at around 100 to 200 subscriptions, based on the group’s membership of 845 (as of 25 August), although this is likely an underestimate.

According to Cloudflare, which worked with the DCU throughout the takedown, access to the RaccoonO365 phishing kit was sold on a subscription basis, with 30-day plans available for $355 and 90-day plans for $999, payable in various forms of cryptocurrency.

Alongside his associates, Ogundipe, who supposedly has a background in computer programming and is thought to have written the bulk of RaccoonO365, ran a seemingly professional organisation with specialist development, sales and customer support resources.

To obfuscate their activities, the gang registered multiple internet domains with fake names and addresses around the world, although screengrabs of Ogundipe’s LinkedIn profile shared by the DCU suggest he may be located in Benin City in southern Nigeria.

A criminal referral for his arrest has been circulated to international law enforcement. However, whether or not he ever faces justice is unknown, said Masada.

“Legal challenges persist, especially in places where prosecuting cyber criminals is difficult. Today’s patchwork of international laws remains a major obstacle and cyber criminals exploit these gaps,” said Masada.

“Governments must work together to align their cyber crime laws, speed up cross-border prosecutions and close the loopholes that let criminals operate with impunity. The international community should also support nations that are working to strengthen their defences, while holding accountable those that turn a blind eye to cyber crime.

“While we press forward in the courts, organisations and individuals should also continue to bolster their defences. That means enabling strong multi-factor authentication on accounts, using up-to-date anti-phishing and security tools, and educating users to stay vigilant against evolving scams.” 



Copyright © 2025 | Powered By Porpholio
