
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Microsoft Seizes Sites Used by Popular Phishing Operation to Attack Healthcare Orgs

Microsoft has announced the seizure of hundreds of websites used by a popular phishing-as-a-service (PhaaS) operation that targets Microsoft 365 credentials. The operation’s phishing kits have been used to steal at least 5,000 usernames and passwords, including the Microsoft 365 credentials of at least 20 U.S. healthcare organizations.

According to the Microsoft Digital Crimes Unit (DCU), RaccoonO365 is the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords. The PhaaS operation provides subscription-based phishing kits, which generate phishing emails mimicking official communications from Microsoft. The emails direct victims to websites that trick them into disclosing their Microsoft 365 credentials. The phishing kits lower the barrier to conducting phishing campaigns and can be used by even low-skilled individuals to steal credentials.

RaccoonO365 has been offering phishing kits to cybercriminals since at least July 2024. Subscribers are able to use the infrastructure to send up to 9,000 phishing emails per day. A 30-day subscription costs less than $12 per day, and under $10 per day for a 60-day subscription. The phishing kits utilize sophisticated techniques to steal credentials and bypass multi-factor authentication. Recently, RaccoonO365 added a new service that utilizes AI to scale operations and increase the sophistication and effectiveness of phishing campaigns.

The stolen credentials can provide access to accounts and sensitive data; however, they are commonly used to gain a foothold to launch more comprehensive attacks on victims, often leading to malware and ransomware downloads. The attacks have resulted in significant financial losses for healthcare providers and have disrupted critical patient care, putting patients at risk of harm. In addition to the attacks on healthcare organizations, RaccoonO365’s phishing kits were used for an extensive tax-themed phishing campaign that targeted more than 2,300 U.S. organizations worldwide.


DCU identified the leader of the operation, Joshua Ogundipe, who resides in Benin City in Nigeria. Ogundipe has a background in computer programming and is believed to have authored the bulk of the code for the phishing kits. Ogundipe was identified following a security lapse, which allowed DCU to identify a secret cryptocurrency wallet used by Ogundipe. Ogundipe, along with his associates, marketed and sold the RaccoonO365 phishing kits on Telegram and collected more than $100,000 in subscription payments. DCU estimates that between 100 and 200 subscriptions were sold, although that range is likely to be an underestimate. Based on that range, subscribers could send between 900,000 and 1.8 million phishing emails per day. DCU’s intelligence has been shared with international law enforcement.

Microsoft and Health-ISAC filed a lawsuit in the U.S. District Court for the Southern District of New York against Ogundipe and four John Doe conspirators seeking recovery of damages and the seizure of domains used by the operation. The allegations against the defendants include violations of the Computer Fraud and Abuse Act, Racketeer Influenced and Corrupt Organizations (RICO) Act, and the Electronic Communications Privacy Act.

The DCU investigation identified 338 sites used by the operation, which were seized after a court order was granted. Cloudflare assisted with the seizure of the domains. The domain seizures have caused considerable disruption to RaccoonO365’s operation. “To counter RaccoonO365, we acted swiftly to protect our customers and prevent further harm. But criminals constantly evolve, so Microsoft is evolving too,” explained Steven Masada, Assistant General Counsel and Director of Microsoft’s Digital Crimes Unit. “For instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations. These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
