RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
Summary
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. RaccoonO365 operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools such as Cloudflare Turnstile and Workers scripts to shield its phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected of collaborating with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
Timeline
- 17.09.2025 07:31 · 3 articles: RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
  RaccoonO365 phishing kits were advertised with an annual subscription fee of $600, as well as discounted options for 30- and 60-day licenses. RaccoonO365 advertised a new AI-powered service titled 'RaccoonO365 AI-MailCheck'. RaccoonO365 phishing emails impersonated trusted brands or organizations within the targeted company, using familiar workplace themes to exploit trust and create urgency. RaccoonO365 phishing emails incorporated the recipient's name into links or attachments to enhance credibility. RaccoonO365 used file names designed to mimic routine communications, such as finance or HR documents, policy agreements, contracts, and invoices. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
  Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
Information Snippets
- RaccoonO365 is a phishing-as-a-service (PhaaS) toolkit used to steal Microsoft 365 credentials.
  First reported: 17.09.2025 07:31 (3 sources, 3 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The operation seized 338 domains associated with RaccoonO365, disrupting its technical infrastructure.
  First reported: 17.09.2025 07:31 (3 sources, 3 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 was active since September 2024, targeting organizations in 94 countries.
  First reported: 17.09.2025 07:31 (3 sources, 3 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The group used legitimate tools such as Cloudflare Turnstile and Workers scripts to shield its phishing pages.
  First reported: 17.09.2025 07:31 (3 sources, 3 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 targeted over 2,300 organizations, including 20 U.S. healthcare entities.
  First reported: 17.09.2025 07:31 (3 sources, 3 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments.
  First reported: 17.09.2025 07:31 (3 sources, 3 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The disruption was executed through a court order in the Southern District of New York.
  First reported: 17.09.2025 07:31 (2 sources, 2 articles). Sources:
- RaccoonO365 Phishing Network Shut Down After Microsoft and Cloudflare Disrupt 338 Domains — thehackernews.com — 17.09.2025 07:31
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The prices for RaccoonO365 phishing kits ranged from $355 for a 30-day plan to $999 for a 90-day subscription, paid in USDT, BEP20, Polygon, or Bitcoin.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The RaccoonO365 Telegram channel had over 840 members as of August 25, 2025.
  First reported: 17.09.2025 16:20 (1 source, 1 article). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- The group is believed to have sold approximately 100 to 200 subscriptions, with the actual number likely higher.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 is suspected of collaborating with Russian-speaking cybercriminals, as indicated by the use of Russian in its Telegram bot's name.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The RaccoonO365 phishing kits bundled CAPTCHA pages and anti-bot techniques to evade detection.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The stolen credentials, cookies, and other data were used in financial fraud, extortion attacks, or as initial access to other victims' systems.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 phishing emails often precede malware and ransomware attacks, posing significant risks to public safety, especially in healthcare settings.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 targeted over 2,300 organizations in the United States in April 2025, including more than 20 U.S. healthcare organizations.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The disruption was coordinated with Cloudflare's Cloudforce One and Trust and Safety teams.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- The group is tracked by Microsoft as Storm-2246.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- Microsoft's Digital Crimes Unit identified an operational security lapse that revealed a secret cryptocurrency wallet, aiding in the attribution and understanding of RaccoonO365's operations.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- A criminal referral for Joshua Ogundipe has been sent to international law enforcement.
  First reported: 17.09.2025 16:20 (2 sources, 2 articles). Sources:
- Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service — www.bleepingcomputer.com — 17.09.2025 16:20
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 phishing kits were advertised with an annual subscription fee of $600, as well as discounted options for 30- and 60-day licenses.
  First reported: 17.09.2025 22:44 (1 source, 1 article). Sources:
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 advertised a new AI-powered service titled 'RaccoonO365 AI-MailCheck'.
  First reported: 17.09.2025 22:44 (1 source, 1 article). Sources:
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 phishing emails impersonated trusted brands or organizations within the targeted company, using familiar workplace themes to exploit trust and create urgency.
  First reported: 17.09.2025 22:44 (1 source, 1 article). Sources:
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 phishing emails incorporated the recipient's name into links or attachments to enhance credibility.
  First reported: 17.09.2025 22:44 (1 source, 1 article). Sources:
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- RaccoonO365 used file names designed to mimic routine communications, such as finance or HR documents, policy agreements, contracts, and invoices.
  First reported: 17.09.2025 22:44 (1 source, 1 article). Sources:
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
- Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
  First reported: 17.09.2025 22:44 (1 source, 1 article). Sources:
- Microsoft Disrupts 'RaccoonO365' Phishing Service — www.darkreading.com — 17.09.2025 22:44
Similar Happenings
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.
Insight Partners Ransomware Breach Affects 12,657 Individuals
Insight Partners, a New York-based venture capital and private equity firm, has notified 12,657 individuals that their personal information was compromised in a ransomware attack. The breach, which occurred in October 2024, involved a sophisticated social engineering attack that allowed threat actors to access and encrypt servers. The stolen data includes banking and tax information, personal details of current and former employees, and information related to limited partners, funds, and portfolio companies. The company has offered complimentary credit or identity monitoring services to those affected and has filed breach notifications with state attorneys general. The incident highlights the ongoing risk of social engineering attacks and the potential for significant data exfiltration in ransomware breaches.
SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.
FinWise insider breach exposes 689K American First Finance customers' data
A former employee of FinWise Bank accessed sensitive customer files after the end of their employment, impacting 689,000 American First Finance (AFF) customers. The breach involved personal data, including full names. FinWise has strengthened internal controls and is offering credit monitoring services to affected individuals. The breach occurred on May 31, 2024, and was disclosed in September 2025. The incident has led to multiple class-action lawsuits. FinWise Bank partners with AFF to originate and fund loans. The breach was discovered and investigated with the help of external cybersecurity professionals. The exact methods of unauthorized access and the full extent of the exposed data remain undisclosed.
Increased Browser-Based Attacks Targeting Business Applications
Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.