Microsoft announced on Tuesday that it has taken control of nearly 340 websites linked to a fast-growing Nigeria-based platform accused of enabling widespread phishing campaigns.
The company said the operation had been used to steal at least 5,000 Microsoft account credentials.
Earlier this month, Microsoft secured authorization from the U.S. District Court in Manhattan to seize domains tied to “Raccoon0365,” a subscription-based service designed to facilitate large-scale phishing.
Steven Masada, assistant general counsel with Microsoft’s Digital Crimes Unit, explained that the service allowed clients to launch email blasts in the thousands.
In a company blog post, Masada said Raccoon0365 was run through a private Telegram group with more than 850 members, giving them tools to impersonate trusted brands and trick victims into entering their Microsoft login details on counterfeit sign-in pages.
Since its launch in July 2024, the service has generated at least $100,000 in cryptocurrency for its operators, according to Masada. Microsoft confirmed that the website seizures took place over several days this month.
Identified Leader and Global Reach
Court documents name Nigeria-based Joshua Ogundipe as the primary operator behind Raccoon0365. Efforts to reach him for comment via the email address listed in Microsoft’s filings went unanswered.
Highlighting the scale of the threat, Masada stressed: “Cybercriminals don’t need to be sophisticated to cause widespread harm. Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”
According to Microsoft, the service has been used to target a wide range of sectors, with filings indicating that “a significant portion” of its campaigns were directed at New York City-based organizations.
In one instance, Microsoft traced a February phishing push using fraudulent tax-related emails that sought to compromise more than 2,300 organizations, mostly in the U.S.
Errol Weiss, chief security officer of the Health Information Sharing & Analysis Center (Health-ISAC), which joined Microsoft in the case, said Raccoon0365 had already been linked to stolen login data from at least five healthcare entities and had targeted 25 health organizations overall.
“So many of the attacks start because somebody gave up their user name and password to a bad guy,” Weiss said. “Once that cybercriminal has access to the network, then it’s just up to the imagination in terms of what comes next and how they monetize it.”
Cloudflare, whose services had been used to mask Raccoon0365’s infrastructure, confirmed in a blog post that it collaborated with Microsoft and the U.S. Secret Service to disrupt the group’s activities.
Blake Darché, Cloudflare’s head of threat intelligence, acknowledged in an interview that while the operators made “some key operational security mistakes,” they nonetheless proved highly effective.