
RaccoonO365 tax-themed phishing campaign targeting U.S. organizations

Campaign
Happening score: 36
1 unique source, 1 article

Summary

A large-scale RaccoonO365 phishing campaign targeted over 2,300 U.S. organizations in April 2025, widening the operation's reach and increasing credential-theft risk for healthcare organizations. The same phishing kits were also used against more than 20 U.S. healthcare organizations. The campaign matters because it fed a broader phishing service that stole Microsoft 365 credentials and enabled follow-on abuse.

Related Happenings

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

QR code phishing surged across email threats in Q1 2026

Target Trend
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

FBI-led takedown of W3LL phishing network

Law Enforcement
First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 17.09.2025 16:20 2 articles · 8mo ago

    Microsoft and Cloudflare disclose RaccoonO365 disruption

    Initial Disclosure

    Microsoft and Cloudflare disclosed that they disrupted RaccoonO365, a Phishing-as-a-Service operation tracked by Microsoft as Storm-2246, by seizing 338 websites and Worker accounts linked to the service. The operation had stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, used RaccoonO365 phishing kits with CAPTCHA pages and anti-bot techniques, ran a tax-themed phishing campaign against over 2,300 organizations in the United States in April 2025, and was also deployed against more than 20 U.S. healthcare organizations. Microsoft also identified Joshua Ogundipe as the leader of RaccoonO365 and said the group received at least $100,000 in cryptocurrency payments.
