Court-ordered seizure of RaccoonO365 domains
Law Enforcement
Summary
Microsoft and Cloudflare carried out a court-ordered seizure of 338 websites tied to RaccoonO365, a phishing-as-a-service operation tracked as Storm-2246. The disruption targeted infrastructure used to steal Microsoft 365 credentials and blocked attacker-controlled domains supporting credential theft. Microsoft said the campaign had been active since July 2024 and had stolen at least 5,000 Microsoft credentials from 94 countries.
Related Happenings
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
FBI-led takedown of W3LL phishing network
Law Enforcement
First: 13.04.2026 13:35
Last: 13.04.2026 13:35
Sources 1
About this happening:
**FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Timeline
- 17.09.2025 07:31 · 2 articles
Court-ordered seizure of RaccoonO365 domains begins
Legal Policy Action Update
Microsoft's Digital Crimes Unit and Cloudflare began a court-backed disruption of RaccoonO365 infrastructure, using a Southern District of New York order to seize 338 websites associated with the phishing-as-a-service operation. The coordinated action also banned identified domains, placed interstitial phish warning pages in front of them, terminated associated Cloudflare Workers scripts, and suspended user accounts to cut off access to victims and disrupt credential theft.
Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks — thehackernews.com — 19.12.2025 12:26
- 17.09.2025 07:31 · 1 article
RaccoonO365 takedown completes
Legal Policy Action Update
The coordinated disruption of RaccoonO365 infrastructure was completed after additional actions on September 3 and September 4, ending the staged takedown that began on September 2, 2025. The completed operation left the phishing service unable to use the seized infrastructure to support credential-harvesting activity that had targeted Microsoft 365 users across multiple countries.
Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- 17.09.2025 07:31 · 3 articles
Public disclosure of the RaccoonO365 takedown
Initial Disclosure
Microsoft and Cloudflare publicly disclosed the disruption of RaccoonO365, describing a phishing-as-a-service operation that had stolen more than 5,000 Microsoft 365 credentials from 94 countries since July 2024. The disclosure also tied the activity to Storm-2246, noted the use of Cloudflare Turnstile and Cloudflare Workers for bot resistance on phishing pages, and identified Joshua Ogundipe as the assessed mastermind behind the service.
Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44