
RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

2 unique sources, 2 articles

Summary


Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Microsoft tracks as Storm-2246. Since July 2024 the service has been used to steal at least 5,000 Microsoft 365 credentials from victims in 94 countries. The group, led by Joshua Ogundipe, fronted its phishing pages with Cloudflare services, which made the pages look legitimate and harder to detect. The disruption began on September 2, 2025 and involved banning the domains, placing warning pages on them, and terminating the associated Cloudflare Workers scripts. RaccoonO365 customers targeted over 2,300 organizations in the U.S., including healthcare entities, and the operators advertised AI-powered add-ons to enhance phishing attacks. Stolen credentials, session cookies and other data were used in financial fraud, extortion, or as initial access into victims' systems; RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.

Timeline

  1. 17.09.2025 16:20 · 1 article

    RaccoonO365 subscription-based phishing kits offered on Telegram

    RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. Prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, payable in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC). Microsoft estimates that the group has received at least $100,000 in cryptocurrency payments so far, which at those prices corresponds to roughly 100 to 200 subscriptions. Cloudflare believes RaccoonO365 also collaborates with Russian-speaking cybercriminals, given the use of Russian in the name of its Telegram bot.

  2. 17.09.2025 07:31 · 2 articles

    Microsoft and Cloudflare disrupt RaccoonO365 phishing network

    The operation involved seizing 338 websites and the Cloudflare Workers accounts linked to RaccoonO365. The phishing kits bundled CAPTCHA pages and anti-bot techniques so that the pages appeared legitimate to victims while blocking automated analysis by security scanners. Stolen credentials, session cookies and other data were used in financial fraud, extortion, or as initial access into other victims' systems. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The disruption was accompanied by a criminal referral for the alleged mastermind, Joshua Ogundipe, to international law enforcement.



Similar Happenings

VoidProxy phishing service targets Microsoft 365 and Google accounts

A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party SSO providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real-time. The attack begins with emails from compromised accounts at email service providers, directing recipients to phishing sites through multiple redirections. The malicious sites are hosted on disposable domains protected by Cloudflare. VoidProxy's AitM tactics allow it to intercept and relay traffic between the victim and legitimate services, capturing sensitive information. Users with phishing-resistant authentications like Okta FastPass are protected from these attacks. The platform was discovered by Okta Threat Intelligence researchers, who describe it as scalable, evasive, and sophisticated.

Microsoft's RC4 Encryption Vulnerability Exploited in Black Basta Ransomware Attack on Ascension

U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices, citing the company's continued support for RC4 encryption in Kerberos and insecure default settings that facilitated a ransomware attack on the Ascension healthcare network. The attack, attributed to the Black Basta ransomware group, compromised the personal and medical information of nearly 5.6 million individuals. The breach began when a contractor's system was infected via a malicious link served through Microsoft's Bing search engine. Attackers then exploited insecure defaults and Kerberoasting (requesting Kerberos service tickets for accounts still allowed to use RC4 and cracking them offline to recover the service-account passwords) to gain elevated access to Ascension's network. Microsoft has acknowledged the weaknesses and plans to deprecate RC4 support in future updates. Wyden criticized Microsoft for not clearly warning customers about the risks of RC4 and for not taking decisive action to mitigate them.
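The Kerberoasting step described above leaves a recognisable trace in domain-controller logs: Windows event 4769 (a Kerberos service ticket was requested) carries the ticket encryption type, and a user account pulling RC4-encrypted (0x17) tickets for several human-managed service accounts in a short window is the classic signature. The following detector is an added example, not code from any article or vendor this page cites; the JSON event lines are constructed to look like 4769 events exported from a SIEM, and the field names follow the 4769 schema (TargetUserName, ServiceName, TicketEncryptionType, Status). The alert threshold is an assumption.

```python
"""Flag Kerberoasting-style 4769 events: RC4/DES service tickets for non-machine accounts."""
import json
from collections import defaultdict

# Kerberos encryption type codes as logged in event 4769's TicketEncryptionType field.
ENC_TYPES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}
# Tickets in these types are cheap to crack offline; AES tickets are not a useful target.
WEAK_ENC_TYPES = {"0x1", "0x3", "0x17", "0x18"}

# Constructed sample: one user requests RC4 tickets for three service accounts,
# plus benign noise (machine-account tickets, the TGT service, an AES ticket).
SAMPLE_EVENTS = [
    '{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql01", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.20.5.44"}',
    '{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.20.5.44"}',
    '{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_webapp", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.20.5.44"}',
    '{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.20.5.44"}',
    '{"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.20.7.9"}',
    '{"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql01", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.20.7.9"}',
    '{"EventID": 4769, "TargetUserName": "bwong@CORP.LOCAL", "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "10.20.9.2"}',
]


def is_roastable_request(event):
    """True when a successfully issued service ticket could be cracked offline."""
    if event.get("EventID") != 4769:
        return False
    if event.get("Status", "0x0") != "0x0":
        return False  # failed requests never hand the attacker a ticket
    service = event.get("ServiceName", "")
    # Machine accounts (name ends with $) have 120-character random passwords,
    # and krbtgt tickets are TGTs, not crackable service tickets.
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return event.get("TicketEncryptionType", "").lower() in WEAK_ENC_TYPES


def detect_kerberoasting(lines, min_services=3):
    """Return (hits, alerts).

    hits   - every individual roastable ticket request, annotated with the cipher name
    alerts - requesters that pulled weak tickets for >= min_services distinct services
    """
    hits = []
    services_per_user = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        if not is_roastable_request(event):
            continue
        enc = event["TicketEncryptionType"].lower()
        hits.append({
            "user": event["TargetUserName"],
            "service": event["ServiceName"],
            "cipher": ENC_TYPES.get(enc, enc),
            "source_ip": event.get("IpAddress", "?"),
        })
        services_per_user[event["TargetUserName"]].add(event["ServiceName"])
    alerts = {
        user: sorted(services)
        for user, services in services_per_user.items()
        if len(services) >= min_services
    }
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = detect_kerberoasting(SAMPLE_EVENTS)
    for hit in hits:
        print(f"weak ticket: {hit['user']} -> {hit['service']} ({hit['cipher']}) from {hit['source_ip']}")
    for user, services in alerts.items():
        print(f"ALERT possible Kerberoasting by {user}: {', '.join(services)}")
```

The fix on the Active Directory side is the one the article alludes to: remove RC4 from each service account's msDS-SupportedEncryptionTypes so only AES tickets are issued, move service accounts to group Managed Service Accounts where possible, and give the remainder long random passwords so that even an RC4 ticket is impractical to crack.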

Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Scattered Spider Social Engineering Attack on Clorox via Cognizant Service Desk

In August 2023, the Scattered Spider group exploited human fallibility to hack Clorox by repeatedly calling the service desk run by Cognizant. The attackers impersonated locked-out employees and requested password and MFA resets without proper verification. This led to domain-admin access and significant financial damage, including $380 million in losses due to operational paralysis and data loss. The attack highlights the risks of weak verification processes in outsourced service desks. The attackers successfully obtained repeated resets by mimicking legitimate user behavior and pressuring service desk agents to skip security protocols. The impact included production system outages, manufacturing pauses, manual order processing, and shipment delays, resulting in substantial business-interruption losses and remedial costs. The incident underscores the importance of robust caller verification and enforcement of security protocols in third-party service desks to prevent similar attacks.

Axios and Microsoft Direct Send Abused in Advanced Phishing Campaigns

Threat actors are abusing the Axios HTTP client library and Microsoft 365's Direct Send feature (which lets on-premises devices relay mail through a tenant without authenticating) to run highly efficient phishing campaigns against Microsoft 365 environments, with a reported 70% success rate. The campaign began in July 2025, initially focusing on executives and managers in the finance, healthcare, and manufacturing sectors before expanding to all users. The lures are compensation-themed and carry malicious QR codes that lead to credential-harvesting pages. Axios is used on the attacker's side to intercept, modify, and replay the victim's HTTP requests to Microsoft, relaying the password and MFA response and hijacking the resulting session token. The phishing kits also employ evasion tactics such as geofencing and IP filtering to avoid detection by scanners. Organizations are advised to disable or restrict Direct Send, configure anti-spoofing (SPF, DKIM and DMARC) policies, and train employees to recognize phishing attempts.
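Both the VoidProxy entry above and this Axios campaign rely on the same property: a password and an OTP are just strings, so a proxy sitting between the victim and Microsoft can forward them unchanged and keep the session that comes back. Phishing-resistant factors (FIDO2/WebAuthn, which is what Okta FastPass and passkeys use) close that gap because the browser, not the web page, writes the page's origin into the signed data, so a proxy on a look-alike domain produces an assertion the real service rejects. The simulation below is an added example, not code from any article or product this page cites. HMAC-SHA256 stands in for the authenticator's asymmetric signature and a simple HMAC-based counter code stands in for TOTP, so the crypto is a simplification; the hostnames, password and challenge flow are constructed.

```python
"""Simulate an AitM proxy against password+OTP versus an origin-bound WebAuthn assertion."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"                   # assumed legitimate service origin
PHISH_ORIGIN = "https://login.example.com.attacker.test"  # assumed AitM proxy origin


class Authenticator:
    """Simulated FIDO2 authenticator. HMAC replaces the real private-key signature."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def registered_key(self):
        # A real RP would store the public key; with HMAC we store the shared key.
        return self._key

    def get_assertion(self, challenge, origin):
        # `origin` is filled in by the browser from the page's actual URL; a phishing
        # page cannot ask the authenticator to sign for a different origin.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self._key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The legitimate identity provider, serving RP_ORIGIN."""

    def __init__(self, origin, password, otp_secret, auth_key):
        self.origin = origin
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._otp_secret = otp_secret
        self._auth_key = auth_key
        self._outstanding = set()  # challenges issued and not yet consumed

    # Replayable factors: nothing here is bound to where the user typed them.
    def expected_otp(self, counter):
        digest = hmac.new(self._otp_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

    def login_password_otp(self, password, otp, counter):
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash)
        return pw_ok and hmac.compare_digest(otp, self.expected_otp(counter))

    # Origin-bound factor.
    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def verify_assertion(self, client_data, sig):
        data = json.loads(client_data)
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self._outstanding:
            return False                     # unknown or already-used challenge (replay)
        self._outstanding.discard(challenge)
        if data["origin"] != self.origin:
            return False                     # signed for the phishing origin, not ours
        expected = hmac.new(self._auth_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def aitm_password_otp(rp, password, otp, counter):
    """The proxy logs the strings the victim typed and forwards them verbatim."""
    captured = {"password": password, "otp": otp}
    return rp.login_password_otp(captured["password"], captured["otp"], counter)


def aitm_webauthn(rp, authenticator):
    """The proxy fetches a real challenge, relays it to the victim, and relays the answer."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator.get_assertion(challenge, PHISH_ORIGIN)  # victim is on the proxy
    return rp.verify_assertion(client_data, sig)


def direct_webauthn(rp, authenticator):
    """Control case: the victim is on the genuine origin."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator.get_assertion(challenge, RP_ORIGIN)
    return rp.verify_assertion(client_data, sig)


def build_demo(password="correct horse battery staple"):
    authenticator = Authenticator()
    rp = RelyingParty(RP_ORIGIN, password, secrets.token_bytes(20), authenticator.registered_key())
    return rp, authenticator


if __name__ == "__main__":
    rp, authenticator = build_demo()
    counter = 12345
    otp = rp.expected_otp(counter)  # what the victim's authenticator app would display
    print("AitM relay of password+OTP accepted:  ", aitm_password_otp(rp, "correct horse battery staple", otp, counter))
    print("Direct WebAuthn login accepted:       ", direct_webauthn(rp, authenticator))
    print("AitM relay of WebAuthn assertion accepted:", aitm_webauthn(rp, authenticator))
```

The origin check is the whole defence: a relayed password+OTP is indistinguishable from the real thing, while the relayed assertion carries the attacker's hostname in its signed client data and fails before any cryptography is evaluated. The outstanding-challenge set additionally stops a captured assertion from being replayed later, which is the session-replay trick the Axios tooling automates for non-origin-bound factors.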