Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Microsoft seizes phishing sites targeting healthcare and Microsoft 365

Written by Farah Amod | October 16, 2025

A major phishing-as-a-service network has been disrupted after Microsoft seized hundreds of domains used to attack healthcare providers and other organizations.

What happened

Microsoft has shut down 338 websites linked to RaccoonO365, a rapidly growing phishing-as-a-service (PhaaS) operation that enabled cybercriminals to steal Microsoft 365 credentials. According to Microsoft’s Digital Crimes Unit (DCU), the phishing infrastructure was used to harvest at least 5,000 sets of login details, including credentials belonging to staff at more than 20 US healthcare organizations.

The operation involved subscription-based phishing kits that impersonated official Microsoft communications and directed users to spoofed login pages. Once credentials were entered, they were stolen, often as a first step toward more serious attacks involving malware or ransomware.

Going deeper

RaccoonO365 has operated since at least July 2024. For under $12 a day, subscribers could send up to 9,000 phishing emails daily using prebuilt kits. The operation also offered discounted long-term plans and recently introduced AI-enhanced features to improve email targeting and bypass security measures like multi-factor authentication.

Healthcare providers were a target, with attackers using compromised credentials to disrupt care, steal sensitive data, and launch broader attacks. Other victims included over 2,300 US organizations targeted in a tax-themed phishing campaign.

DCU investigators traced the operation’s leader, Joshua Ogundipe, to Benin City, Nigeria. Ogundipe, a trained programmer, allegedly developed much of the phishing kit’s core code and marketed the service on Telegram. He and his associates reportedly earned over $100,000 through subscriptions. A misstep in operational security exposed a cryptocurrency wallet linked to Ogundipe, allowing investigators to connect him to the operation.

What was said

Microsoft and Health-ISAC have filed a civil lawsuit in the U.S. District Court for the Southern District of New York, seeking damages and the formal seizure of the related domains. Allegations include violations of the Computer Fraud and Abuse Act, the RICO Act, and the Electronic Communications Privacy Act.

Microsoft’s Steven Masada, Assistant General Counsel and Director of the DCU, outlined the role of new tools in combating cybercrime. “We are integrating blockchain analysis tools like Chainalysis Reactor into our investigations,” he said, noting that these tools help link crypto transactions to real identities.

FAQs

What is phishing-as-a-service (PhaaS)?

PhaaS is a cybercrime model where developers sell or lease ready-made phishing tools and infrastructure to others, allowing even low-skilled actors to run credential theft campaigns.

How do phishing kits bypass multi-factor authentication (MFA)?

Some kits use real-time interception techniques or session hijacking to capture MFA codes as users enter them, allowing attackers to bypass protections.

Why are healthcare organizations frequent targets?

Healthcare systems store high-value data like patient records and insurance information, making them lucrative targets for extortion, data theft, and further attacks.

What part did blockchain analysis play in the investigation?

Investigators used blockchain tracing tools to follow cryptocurrency payments linked to the phishing service, helping to identify individuals behind the operation.

What happens after domains are seized?

Domain seizures disrupt active phishing campaigns by removing access to spoofed login pages and communications infrastructure. They also serve as evidence in legal proceedings.