RaccoonO365 phishing service disrupted
On September 16, 2025, Microsoft's Digital Crimes Unit (DCU) announced the dismantling of much of the infrastructure of RaccoonO365, one of the phishing tools most commonly used by cybercriminals to steal Microsoft 365 credentials. Under a court order issued by the Southern District of New York, the DCU seized 338 websites associated with the service, taking down the operation's technical infrastructure and cutting off criminals' access to victims.
RaccoonO365 offers subscription-based phishing kits. These allow anyone, even with little technical knowledge, to steal Microsoft credentials by imitating official Microsoft communications. To deceive users, RaccoonO365 kits use the Microsoft brand to make fraudulent emails, attachments, and websites appear legitimate, prompting recipients to open them, click on them, and enter their information.
The DCU indicates that RaccoonO365's services are also used to attack other sectors, citing as examples the tax phishing campaign targeting more than 2,300 organizations in the United States and the use of phishing kits against at least 20 U.S. healthcare organizations, which subsequently included malware and ransomware campaigns.