Microsoft on Tuesday announced that it had dismantled the infrastructure behind a major phishing-as-a-service operation that had powered attacks on healthcare organizations around the world.
The operation, which Microsoft dubbed “Raccoon0365,” sold subscription-based phishing kits that allowed unsophisticated cybercriminals to steal Microsoft 365 account usernames and passwords, the company said in a blog post. It estimated that hackers used Raccoon0365 phishing kits to steal approximately 5,000 credentials from users in 94 different countries since July 2024.
Microsoft seized 338 of Raccoon0365’s web domains after obtaining permission from a federal judge in the Southern District of New York.
Raccoon0365 sold its phishing kits on a Telegram channel through subscriptions ranging from 30 to 90 days, according to Cloudflare, which worked with Microsoft on the operation to disrupt the service. Cybercriminals used the kits to target more than 2,300 organizations in the U.S. in a wide variety of industries. Many attacks sought to steal credentials and deploy malware during tax filing season, Microsoft said.
Microsoft told the court that it had conducted four separate “test buys” in which employees purchased phishing kits from Raccoon0365 and learned key details about how the operation worked.
The phishing operation has at least 850 members on its Telegram channel and has received more than $100,000 in cryptocurrency payments, Microsoft said. The alleged head of the operation is Joseph Ogundipe, a Nigeria-based man with a computer programming background, according to the company’s court filings.
Microsoft said it had made a criminal referral to international law-enforcement agencies. A spokesperson for the FBI did not immediately respond to a request for comment.
Raccoon0365’s services significantly hurt U.S. healthcare organizations, according to Microsoft. The phishing kits allowed hackers to breach at least 20 American hospitals, the company said, and in many cases the social-engineering tactics led to the deployment of ransomware and other malicious code.
The impact on the healthcare sector was so serious that Health-ISAC signed onto Microsoft’s lawsuit in support of its bid to seize Raccoon0365’s web domains. The ISAC said it joined the suit in order to mitigate Raccoon0365’s threat to healthcare organizations.