Microsoft DCU’s Takedown of RaccoonO365
When I saw the name of the Microsoft Digital Crimes Unit's latest target, "RaccoonO365", I probably reacted to it differently than most. With the help of a friend in Lagos, we've been watching the money launderers, and things have reached the point where they now refer to what we previously called "Business Email Compromise" or BEC as "O365 Jobs."
From Microsoft's explainer on RaccoonO365
Microsoft DCU is famous for doing massive takedowns of the infrastructure used by cyber criminals via civil action in the US courts. This case is no different: they filed for an Emergency Temporary Restraining Order in the Southern District of New York in a co-filing with the Health-ISAC. The venue is justified in their filing in part by showing that New York City was one of the most targeted cities, based on the victims they were able to identify.
From Microsoft DCU's "Complaint and Summons" against Joshua Ogundipe and John Does 1-4
Microsoft used several methods of determining that Joshua Ogundipe of Nigeria played a key role in this Phishing-as-a-Service enterprise, which began in the summer of 2024 after Microsoft had terminated a similar platform called Fake ONNX.
A great deal of the infrastructure for RaccoonO365 was hidden behind Cloudflare's reverse proxy service and/or registered through Cloudflare's domain registration service, and Microsoft was able to determine that Joshua controlled the associated Cloudflare accounts.
Microsoft also reveals the LinkedIn account of Joshua Ogundipe, which displays the logo of DIGIhubng and indicates that he lives in Benin City, Edo State, Nigeria. Yet another criminal who works for a company that claims to teach "Ethical Hacking" ...
Microsoft demonstrates Joshua Ogundipe's LinkedIn page
Digihubng's Ethical Hacking courses
DigihubNG, formerly "Simple Hacks Workshop" -- "Learn How Hackers Create a fake login page and use it to steal passwords"
Microsoft & Health-ISAC's Interest in RaccoonO365
The Complaint filed by Microsoft and Health-ISAC says that "at least 25 healthcare companies, including 9 organizations who are members of Health-ISAC have been hit by RaccoonO365 phishing kits." In some cases the phishing emails were detected and blocked, while in other cases an employee fell victim to the phish and shared their credentials with the criminal; however, the organizations responded swiftly with password resets for those individuals.
Microsoft and Health-ISAC charge the RaccoonO365 co-conspirators with the following violations, harming both organizations and their customers and members.
Count I: Violation of the Computer Fraud and Abuse Act, 18 USC § 1030.
Count II: Racketeer Influenced and Corrupt Organizations Act, 18 USC § 1962.
Count III: Conspiracy to Violate RICO, 18 USC § 1962(d).
Count IV: Violation of Electronic Communications Privacy Act, 18 USC § 2701.
Count V (Microsoft only): False Designation of Origin under the Lanham Act, 15 USC § 1125(a).
Count VI (Microsoft only): Trademark Infringement under the Lanham Act, 15 USC § 1114 et seq.
Count VII (Microsoft only): Trademark Dilution under the Lanham Act, 15 USC § 1125(c).
Count VIII: Common Law Trespass to Chattels.
Count IX: Conversion.
Count X: Unjust Enrichment.
RaccoonO365 Crypto Addresses
When Microsoft made a test purchase by interacting with the "RaccoonO365" admin on Telegram, they were provided a Bitcoin address, bc1qmlsuqm4p6lme8e2qna3mkj07k8j7vttp0l7ydv, to make their payment. That address is hosted at the Nigerian cryptocurrency exchange Bitnob.com, and had received deposits 132 times between October 16, 2024 and July 1, 2025, totaling just under $34,000.
Cloudflare's "Cloudforce One" team also published a list of Indicators of Compromise for RaccoonO365. They share a different Bitcoin address, bc1qjtlzug5wu7ag8yskn5h2xjd27uetq5cc4sahh5, which went live on July 3, 2025 and received payments through September 13, 2025. An ERC-20 address, 0xf5C2E3749F332175D94C7de7bf7AA8d679E460B7, also received $2,800 between May 7, 2025 and August 29, 2025. The USDT address, TBB5T28b9n2SK8shXb9oq867EcsNE5dZie, also went live the first week of July and received $7,448 through September 12, 2025. Those funds flow to a ChipperCash account; the ChipperCash app has more than 5 million downloads in the Google Play Store, and the animation on its home page shows people in the United States sending funds to people in Nigeria.
Cloudflare's IOC list also provided a list of "EDF" (Email Detection Fingerprints) that mention several campaigns, including a Maersk phishing campaign, a Zoom-branded phishing campaign, and campaigns imitating DocuSign, SharePoint, and Adobe.
The Cloudforce One RaccoonO365 report is certainly worth reading in its entirety. They include a pricing list from the Telegram channel showing the subscription plan rates from 30 days ($355) to 90 days ($999).
The Taxman Spammeth
From the Microsoft Tax Phishing report
RaccoonO365 Domain Registration Insights
Both Microsoft and Cloudflare provide long lists of domains used by the RaccoonO365 phishers, many of which share gmail or yahoo email accounts for the registrants. Some of the R-O365 customers clearly have targets within a certain demographic, which becomes visible when we look for other domains registered with the same email address. A few examples:
"Nawty Boss" is the name used by edmblais@gmail.com. Some of the domains created by Mr. Boss indicate that he is a long-time Microsoft phisher who targets law firms and "conveyancing" companies. He registered a clear Microsoft-targeting phishing domain, owa-outlookaccess-login[.]us, all the way back on August 8, 2022, but during the time period of R-O365 some of his domains include:
prioritylegals[.]com
bytheruleslegal[.]com
bandhlawyers[.]com
oconnorharis[.]com
proctorgraham[.]com
shamonlawyers[.]com
aslegals[.]com
boylandlawyers[.]com
1836conveyancing[.]com
crystalconveyancing[.]com
nestconveyancing[.]com
raywardconveyancing[.]com
keysconveyancing[.]com and many more - at least 27 domains!
Cheryl Sharp is the name used by oodybugs53@gmail.com to register several domains imitating construction companies, such as:
turnerconstructLons[.]com (the real Turner Construction builds things like NFL stadiums and hospitals)
turnerconsstruction[.]com
turrnerconstructions[.]com
clarkconstructLion[.]com (the real Clark Construction builds things like Naval Bases and high rises)
clarkconstructionproject[.]com
truxobuild[.]com and several others.
Many more just stick to Microsoft imitation. For example, Dave White, the name used by thceneda@gmail.com, registered domains such as:
officedocdrivecloudfile[.]com
officedocdrivecloud[.]com
officeclouddriveshared365[.]com and others.
Michael Previte, using the email mchlprevite@gmail.com, registered domains such as:
MSGReceivedAlert[.]com
Documents-flip[.]com
Microsoft-Voicemail-EDriveOnline[.]com and others.
Other gmail accounts of registrants included: drstacywalter, drstacywalterofficial, elaindnck, sjone0884, bruceandrews21, officebox3585, tarakent60, oodybugs53, rmcy987, redirecting.com@gmail.com, jcllay07, rarejnr, keedew12, kimmit205, marketingchairman50, megatechblock247, nwfamsp000, michaelwesleysullivan, rmcy987, jennix18, woodlandmech, keedew12, mbookpro115, owolabimoney31, moorejulian659, theonlyzeus1999, blaketurner826, genedurgin2, goldenheart3890, ky0dx2024, donald.bill100, crasengan073, nwfamsp000. (And a few non-gmail: loaann1@outlook.com, bclarknorwood@outlook.com, tfloy03@yahoo.com.) The majority of the domains listed were hiding behind Cloudflare's registration service, which lists the "Registrant email" in the form hxxps://domaincontact.cloudflareregistrar[.]com/scammerdomain[.]tld (a couple hundred times).
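As an added example (not code from the original post, Microsoft or Cloudflare), the following Python automates the two pivots this section does by hand: group domains by registrant email, then flag registered labels that imitate a brand. The input records are constructed from the pairs quoted above; the control record registrar@example.com and the brand list are assumptions.

```python
# Added example, not code from the original post or from Microsoft/Cloudflare:
# pivot WHOIS-style (registrant e-mail, domain) pairs on the registrant and
# flag registered labels that imitate a brand, as the post does by hand.
from collections import defaultdict

# Constructed sample input: defanged registrant/domain pairs quoted in the
# post, plus one constructed legitimate brand domain as a control.
RECORDS = [
    ("oodybugs53@gmail.com", "turnerconstructLons[.]com"),
    ("oodybugs53@gmail.com", "turnerconsstruction[.]com"),
    ("oodybugs53@gmail.com", "clarkconstructionproject[.]com"),
    ("thceneda@gmail.com", "officedocdrivecloudfile[.]com"),
    ("edmblais@gmail.com", "prioritylegals[.]com"),
    ("registrar@example.com", "turnerconstruction[.]com"),  # assumed control
]
BRANDS = ["turnerconstruction", "clarkconstruction"]  # assumed watch list

def normalize(domain):
    """Refang a defanged IOC and return the lower-cased registrable label."""
    host = domain.replace("[.]", ".").lower().rstrip(".")
    return host.split(".")[0]

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(label, brands=BRANDS, max_dist=2):
    """Return (brand, reason) when label imitates a brand; the brand itself is not flagged."""
    for brand in brands:
        if label == brand:
            return None
        if brand in label:  # e.g. clarkconstruction + "project"
            return brand, "brand-plus-affix"
        if edit_distance(label, brand) <= max_dist:  # e.g. doubled "s", L for i
            return brand, "edit-distance"
    return None

def pivot(records=RECORDS, brands=BRANDS):
    """Group domains by registrant e-mail, annotating each with any lookalike hit."""
    by_registrant = defaultdict(list)
    for email, domain in records:
        by_registrant[email.lower()].append((domain, lookalike(normalize(domain), brands)))
    return dict(by_registrant)
```

Running `pivot()` shows oodybugs53@gmail.com holding three flagged construction lookalikes while the control domain is left unflagged.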
RaccoonO365 Telegram Channel Insights
The R-O365 Telegram channel made frequent boasts about the ways they were improving their services.
In April they started a beta of their "RaccoonO365 Mailer", where their service not only helped you with cookie and credential capture, but sent your spam for you as well.
The price for the new service was $500, $1,000, or $1,500 per year, depending on the options selected.
In August they announced that they were now "a bulletproof cPanel provider."
In early September they redid their subscription services (charging a LOT more money!).
Their last big improvement was announced September 15th. Just in time for all of their major infrastructure to be kicked off Cloudflare and/or seized by Microsoft's court order!
RaccoonO365 Still Kicking
It looks like his current focus is selling access to the accounts that he's already compromised. The pricing plan for phishing has changed considerably as well. Rather than buying unlimited spamming for a flat monthly rate, now he is charging by the number of "leads" that he sends your phish to, but with guaranteed success rates. He'll send 50,000 messages, guaranteeing successful log harvesting on 300 accounts, for $1,000. For $1,500 you get 100,000 messages with 700 guaranteed logs, and for $2,000 you get 200,000 messages sent with 1500 guaranteed logs.
Microsoft noted that this seemed to be a continuation of the phishing kits created by Abanoub Nady, known online as MRxC0DER, who used the brand name "ONNX" to sell his Phishing-as-a-Service.
An Interesting Associate: TopBoy7x and Phishing Intelligence
Curiously, one of the users who was authorized to post in the RaccoonO365 Telegram channel was @Topboy7x. TopBoy has paid for an exclusive Telegram-provided "+888" telephone number (+888 0926 4717) and has an Arabic-language Bio on Telegram.
TopBoy runs the 15,966-subscriber Telegram channel "MiddleMen" and has paid to have several desirable usernames as aliases to his account, including @safedealagent, @awsfather, @finalizer, @commandment, and @paywithusdt. By rotating through these aliases in his channels, he may be fooling some users into believing there are multiple vendors vouching for one another. Nope, it's all the same guy. He offers escrow services, corporate intelligence services, and spamming services in many criminal channels, including RaccoonO365. Why does he have the alias @awsfather? Because one of his specialty services is selling hacked AWS accounts.
The messages below are from TopBoy's Telegram channel hxxps://t.me/verticals, where he has been selling hacked accounts since at least July 2024.
TopBoy also sells corporate intelligence services, such as access to hacked accounts at Grata. This screenshot from TopBoy demonstrates how this can be used to research companies in the "Energy" industry, for example; he also sells hacked accounts at Pitchbook and Apollo for your intelligence needs.
Pitchbook offers sales people (or criminal spammers in this case) contact details and job titles for 4.5 million business people.
Other spamming services he sells include Neverbounce Pro, where, again, he is selling access to someone else's hacked account.
The post Microsoft DCU’s Takedown of RaccoonO365 appeared first on Security Boulevard.