Cloudflare, Microsoft Disrupt Major Phishing Attacks

News Desk

Cloudflare, in partnership with Microsoft, announced the successful disruption of phishing attacks by the phishing-as-a-service (PhaaS) group known as RaccoonO365.

The RaccoonO365 group reportedly abused Cloudflare services and other infrastructure providers to hide its phishing kits. The campaign targeted Microsoft 365 users through phishing kits designed to steal login credentials.

The phishing kits used simple CAPTCHA pages and anti-bot techniques to evade detection and appear legitimate to victims. The stolen data included Microsoft 365 credentials, cookies, and files from OneDrive, SharePoint, and email. These were later used for financial fraud, extortion, or as entry points for larger cyberattacks.

Cloudflare revealed that in early September 2025, it executed a coordinated takedown of hundreds of domains and Worker accounts linked to RaccoonO365. The action dismantled the group’s infrastructure and aimed to raise its operational costs significantly.

The move was part of a wider campaign coordinated with Microsoft, which had filed a civil lawsuit against the group in August 2025. Cloudflare’s approach marked a shift from reactive, single-domain takedowns to large-scale proactive disruption.

RaccoonO365 operated as a subscription-based service that allowed cybercriminals to run phishing campaigns. Microsoft reported that since July 2024, the group’s kits stole at least 5,000 Microsoft 365 credentials across 94 countries.

The group sold access to its “RaccoonO365 Suite” through a private Telegram channel with 845 members. Subscriptions included:

  • 30-day plans for $355
  • 90-day plans for $999

Payments were accepted in cryptocurrency, including USDT (TRC20, BEP20, Polygon) and Bitcoin.

Cloudflare’s Trust & Safety team mapped the actor’s entire infrastructure using signup patterns before the takedown. The company banned all identified domains, placed phishing warning pages on them, terminated the associated Worker scripts, and suspended the related accounts.
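The mapping step described above, pivoting from one known phishing domain to every account that shares a signup attribute with it, can be illustrated with a small clustering routine. The code below is an added example and is not Cloudflare's or Microsoft's code; the signup fields (`email`, `ip`, `payment`) and all records are constructed sample data, and the pivot logic is an assumption about the kind of attribute overlap an infrastructure provider would look at. It links accounts that share any pivot value, merges the links into clusters with a disjoint-set structure, and reports which attribute connected each pair so an analyst can review the evidence before acting on a whole cluster.

```python
# Added example (not Cloudflare's or Microsoft's code): cluster account signups that
# share infrastructure indicators so a takedown covers the whole operation instead
# of one domain at a time. All records and field names below are constructed.
from collections import defaultdict

# Constructed signup records. Field names are an assumption about what a
# hosting/CDN provider sees at registration time.
SIGNUPS = [
    {"account": "acct-01", "domain": "login-m365-verify.example", "email": "ops1@mail.example", "ip": "203.0.113.10", "payment": "tx-aaa"},
    {"account": "acct-02", "domain": "secure-office-auth.example", "email": "ops2@mail.example", "ip": "203.0.113.10", "payment": "tx-bbb"},
    {"account": "acct-03", "domain": "docs-share-portal.example", "email": "ops2@mail.example", "ip": "198.51.100.7", "payment": "tx-ccc"},
    {"account": "acct-04", "domain": "unrelated-shop.example", "email": "shop@store.example", "ip": "192.0.2.44", "payment": "tx-ddd"},
    {"account": "acct-05", "domain": "sharepoint-review.example", "email": "ops9@mail.example", "ip": "198.51.100.8", "payment": "tx-ccc"},
]

# Attributes treated as a link when two accounts share the same value.
PIVOT_FIELDS = ("email", "ip", "payment")


class UnionFind:
    """Minimal disjoint-set structure used to merge accounts that share a pivot value."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def find_links(signups, pivot_fields=PIVOT_FIELDS):
    """Return (account_a, account_b, field, value) for accounts sharing a pivot value.

    For each shared value, every account is linked to the first account holding it,
    which is enough to connect them all while keeping the evidence list short.
    """
    index = defaultdict(list)
    for rec in signups:
        for field in pivot_fields:
            index[(field, rec[field])].append(rec["account"])
    links = []
    for (field, value), accounts in index.items():
        accounts = sorted(set(accounts))
        for other in accounts[1:]:
            links.append((accounts[0], other, field, value))
    return links


def cluster_signups(signups, pivot_fields=PIVOT_FIELDS):
    """Group accounts into clusters connected by shared pivot values (largest first)."""
    uf = UnionFind()
    for rec in signups:
        uf.find(rec["account"])  # register singletons too
    for a, b, _field, _value in find_links(signups, pivot_fields):
        uf.union(a, b)
    groups = defaultdict(list)
    for rec in signups:
        groups[uf.find(rec["account"])].append(rec["account"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def domains_linked_to(signups, seed_domain, pivot_fields=PIVOT_FIELDS):
    """Starting from one known phishing domain, return every domain in its cluster."""
    domain_of = {r["account"]: r["domain"] for r in signups}
    seed = next((r["account"] for r in signups if r["domain"] == seed_domain), None)
    if seed is None:
        return [seed_domain]
    for cluster in cluster_signups(signups, pivot_fields):
        if seed in cluster:
            return sorted(domain_of[a] for a in cluster)
    return [seed_domain]


if __name__ == "__main__":
    for cluster in cluster_signups(SIGNUPS):
        print(len(cluster), "account(s):", ", ".join(cluster))
    for a, b, field, value in find_links(SIGNUPS):
        print(f"{a} <-> {b} via {field}={value}")
    print(domains_linked_to(SIGNUPS, "login-m365-verify.example"))
```

In the constructed data, `acct-01` and `acct-02` share a source IP, `acct-02` and `acct-03` share a contact address, and `acct-03` and `acct-05` share a payment reference, so a single seed domain expands to four accounts while the unrelated shop stays separate. In practice a shared IP behind a NAT or a shared hosting range is weak evidence on its own, so a real pipeline would weight pivots rather than treat every shared value as a definite link, and the per-pair evidence from `find_links` is what an analyst reviews before suspending an entire cluster.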

Cloudflare stated that this coordinated action, supported by Microsoft and U.S. law enforcement, is intended to permanently disrupt the group’s phishing attacks and prevent re-registration.