Microsoft and Cloudflare Disrupt RaccoonO365 Phishing-as-a-Service That Stole Thousands of Microsoft 365 Credentials
Incident summary
Microsoft and Cloudflare have jointly disrupted a large-scale Phishing-as-a-Service (PhaaS) operation known as RaccoonO365. According to reporting, the service enabled cybercriminals to run tailored Microsoft 365 credential-harvesting campaigns and helped steal thousands of Microsoft 365 credentials. The action targeted the infrastructure and access that the criminal service relied on, reducing its ability to support ongoing phishing operations.
Background and context: why this matters
Phishing remains one of the most effective and persistent attack vectors against enterprise cloud services. Microsoft 365 is a high-value target because a compromised account can provide access to email, documents, collaboration tools, and identity services that attackers exploit for data theft, fraud and business email compromise (BEC).
Phishing-as-a-Service is a commercialized criminal model that packages phishing templates, hosting, landing-page generation, and management dashboards so low-skilled actors can run scalable campaigns. PhaaS lowers the technical barrier and accelerates the volume and sophistication of attacks, which increases exposure for organizations of all sizes.
Disrupting a PhaaS operation such as RaccoonO365 is therefore consequential: it removes a turnkey capability from the threat ecosystem, raises the operational cost for criminals, and protects potential victims in the short term. At the same time, takedowns are rarely permanent solutions; new services or rebranded variants often appear, and existing access obtained by attackers — stolen credentials, active sessions, OAuth tokens — remain a risk until remediated by affected organizations.
How RaccoonO365 and similar PhaaS operations typically work
While details specific to RaccoonO365 vary with each campaign, the PhaaS model shares common mechanics that defenders should understand:
- Phishing templates: Professional-looking landing pages mimic Microsoft 365 sign-in and notification pages. Templates are often updated to evade detection and to support multiple languages and branding variants.
- Hosting and delivery: Services provide hosting for phishing pages, short-lived domains, URL redirection and mass-email delivery tools. This reduces the setup burden for attackers and improves scale.
- Data capture and management: Dashboards collect harvested credentials, session cookies, and device metadata. Operators can resell harvested data or offer subscription access to other criminals.
- Credential monetization: Stolen credentials are used for account takeovers, sold to other actors, or used as beachheads for further compromise (email forwarding rules, lateral movement, fraud).
Because PhaaS consolidates these components, a single disruption of infrastructure or provider cooperation can substantially degrade an operation’s effectiveness — the principle behind the Microsoft and Cloudflare action.
Expert analysis and guidance for practitioners
For security teams and administrators, the RaccoonO365 disruption highlights immediate and ongoing priorities. The following recommendations are practical, defensible, and aligned with established best practices for Microsoft 365 environments.
- Assume compromise and hunt for active abuse.
  - Search audit logs for unusual sign-ins, newly created inbox forwarding or redirect rules, and changes to mailbox delegates and role assignments.
  - Look for sign-ins from unexpected locations or unfamiliar devices, and for tokens issued to third-party apps through OAuth consents.
  - Review conditional access and risky sign-in reports for anomalies in the time windows of known campaigns.
- Reset credentials and revoke sessions where appropriate.
  - Enforce password resets for accounts with suspicious activity and rotate any compromised service credentials.
  - Revoke refresh tokens and active sessions for accounts believed to be exposed; a password reset alone does not end every session that was already issued and does not remove app consents the attacker obtained.
- Enforce strong multi-factor authentication (MFA) and harden its implementation.
  - Require MFA for all users, prioritizing admins and high-risk accounts. Prefer phishing-resistant methods such as FIDO2 security keys or certificate-based authentication; one-time codes and push approvals can be relayed by a phishing page that proxies the real sign-in.
  - Block legacy authentication protocols (for example basic authentication for IMAP, POP and SMTP AUTH), which cannot enforce MFA.
- Harden identity controls and conditional access.
  - Apply conditional access policies that require compliant devices, trusted networks, or MFA for risky sign-ins.
  - Implement least privilege for admin roles and enable privileged identity management to reduce standing administrative access.
- Improve email authentication, filtering and content protections.
  - Deploy and enforce SPF, DKIM and DMARC to reduce spoofing of your domains, and monitor DMARC aggregate reports to detect abuse; a DMARC policy of p=none only reports and does not block.
  - Use URL rewriting and Safe Links to inspect and block known malicious destinations, and enable the anti-phishing features of your email gateway and of Microsoft Defender for Office 365 if available.
- Operational controls and user education.
  - Run targeted phishing simulations and timely awareness training to reduce click-through rates and credential disclosure.
  - Maintain incident response playbooks that include steps for stakeholder notification, credential resets, token revocation and forensic collection.
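The hunting and remediation steps above can be turned into a repeatable triage of the tenant's Unified Audit Log. The script below is an added example written for this page; it is not code from the article, from Microsoft or from Cloudflare. It reads records in the shape of the AuditData JSON that Search-UnifiedAuditLog and the Purview audit export return (Operation, Workload, UserId, ClientIP, Parameters), flags forwarding or redirect inbox rules, successful sign-ins from countries the tenant does not operate in, and OAuth consents, and then groups the findings into the per-user actions recommended above. Assumptions: the sample records and the IP-to-country mapping are constructed for the example (a real run would resolve ClientIP through a GeoIP database or the Entra sign-in logs), and EXPECTED_COUNTRIES is a per-tenant setting.

```python
"""Triage a Microsoft 365 Unified Audit Log export for signs of post-phishing abuse.

Added example, not code from the article, Microsoft or Cloudflare. Field names
follow the documented AuditData schema; the records and the IP -> country map
below are constructed sample data, not real tenant data.
"""
import json
from collections import defaultdict

EXPECTED_COUNTRIES = {"US", "GB"}  # assumption: where this tenant's users normally sign in from
FORWARDING_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}

# Constructed sample records in the shape of AuditData JSON (one JSON document per line).
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2025-09-15T08:12:03", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
                "ClientIP": "203.0.113.10", "ResultStatus": "Success"}),
    json.dumps({"CreationTime": "2025-09-15T08:14:41", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "alice@contoso.example",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-09-15T09:01:00", "Operation": "Consent to application.",
                "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
                "ClientIP": "203.0.113.10", "ResultStatus": "Success"}),
    json.dumps({"CreationTime": "2025-09-15T09:30:00", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "bob@contoso.example",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2025-09-15T10:00:00", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "UserId": "bob@contoso.example",
                "ClientIP": "198.51.100.7", "ResultStatus": "Success"}),
]

# Assumption: ClientIP -> ISO country code, resolved before triage (GeoIP or sign-in logs).
IP_COUNTRY = {"203.0.113.10": "NG", "198.51.100.7": "US"}


def _params(record):
    """Flatten the Exchange 'Parameters' list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def triage(auditdata_lines, ip_country=IP_COUNTRY, expected=EXPECTED_COUNTRIES):
    """Return a list of (user, finding, detail) tuples in the order the records appear."""
    findings = []
    for line in auditdata_lines:
        rec = json.loads(line)
        user, op = rec.get("UserId", "?"), rec.get("Operation", "")
        if op in ("New-InboxRule", "Set-InboxRule"):
            params = _params(rec)
            hits = {k: params[k] for k in FORWARDING_PARAMS if k in params}
            if hits:  # only rules that send mail somewhere else are flagged
                detail = ", ".join(f"{k}={v}" for k, v in sorted(hits.items()))
                if params.get("DeleteMessage") == "True":
                    detail += " (deletes the original, hiding the forward from the victim)"
                findings.append((user, "forwarding-rule", detail))
        elif op == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
            country = ip_country.get(rec.get("ClientIP"), "??")
            if country not in expected:
                findings.append((user, "unexpected-geo-signin", f"{rec['ClientIP']} ({country})"))
        elif op == "Consent to application.":
            findings.append((user, "oauth-consent", f"granted from {rec.get('ClientIP')}"))
    return findings


def remediation_plan(findings):
    """Group findings per user into the actions recommended above (sorted for stable output)."""
    plan = defaultdict(set)
    for user, finding, _ in findings:
        plan[user].update({"reset-password", "revoke-sessions"})
        if finding == "forwarding-rule":
            plan[user].add("disable-inbox-rule")
        if finding == "oauth-consent":
            plan[user].add("review-app-consents")
    return {u: sorted(a) for u, a in plan.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_AUDITDATA)
    for user, kind, detail in found:
        print(f"{user:28} {kind:24} {detail}")
    print(remediation_plan(found))
```

On the constructed sample, alice produces three findings (an out-of-region sign-in, a forward-and-delete rule, and an app consent) while bob's move-to-folder rule and in-region sign-in are ignored; the plan for alice is to reset the password, revoke sessions, disable the rule and review app consents. Point the script at a real export by replacing SAMPLE_AUDITDATA with the AuditData column of the CSV that Search-UnifiedAuditLog produces.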
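The email authentication item above ends with "monitor DMARC reports"; the following added example (written for this page, not code from the article or from any vendor) shows what that monitoring looks like in practice. It grades a DMARC TXT record and parses one DMARC aggregate (RUA) report in the RFC 7489 Appendix C schema, listing the sending IPs whose mail failed both SPF and DKIM for the domain, which is exactly the spoofed traffic a p=none policy still lets receivers deliver. The TXT record, the XML report, and the domains and IPs in it are constructed sample data.

```python
"""Grade a published DMARC policy and summarize a DMARC aggregate (RUA) report.

Added example, not from the article or any vendor. The record and report below
are constructed sample data in the RFC 7489 Appendix C schema.
"""
import xml.etree.ElementTree as ET

SAMPLE_DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.example; pct=100"

SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <date_range><begin>1757894400</begin><end>1757980800</end></date_range></report_metadata>
  <policy_published><domain>contoso.example</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.example</header_from></identifiers>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a {tag: value} dict; raise if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def grade_policy(tags):
    """Return 'enforcing', 'partial' or 'monitor-only' for a parsed DMARC record.

    p=none means receivers only report; pct below 100 applies the policy to a
    fraction of failing mail, so it is enforcing only in part."""
    p = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if p == "none":
        return "monitor-only"
    if pct < 100:
        return "partial"
    return "enforcing"


def summarize_report(xml_text):
    """Return (published_policy, failures) where failures lists
    (source_ip, count, dkim, spf, disposition) for rows that passed neither
    aligned DKIM nor aligned SPF, largest message count first."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p")
    failures = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        if dkim != "pass" and spf != "pass":  # one aligned pass is enough for DMARC
            failures.append((row.findtext("source_ip"), int(row.findtext("count")),
                             dkim, spf, pe.findtext("disposition")))
    failures.sort(key=lambda f: -f[1])
    return published, failures


if __name__ == "__main__":
    tags = parse_dmarc_record(SAMPLE_DMARC_TXT)
    print("published policy grade:", grade_policy(tags))
    policy, fails = summarize_report(SAMPLE_RUA_XML)
    for ip, n, dkim, spf, disp in fails:
        print(f"{ip:16} {n:6} msgs dkim={dkim} spf={spf} disposition={disp}")
```

In the sample, 203.0.113.10 sent 37 messages that failed both checks and were still delivered because the published policy is p=none; the 192.0.2.44 row is not a DMARC failure because aligned SPF passed. Moving the record to p=quarantine or p=reject is what turns those report lines into blocked mail.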
Comparable cases and industry trends
PhaaS operations and large-scale phishing campaigns are a recurring problem. In recent years, industry collaborations between technology companies, hosting providers and law enforcement have disrupted botnets, credential marketplaces and phishing infrastructures. These actions routinely demonstrate that removing key infrastructure elements and domain hosting can materially reduce the scale of active campaigns.
At the same time, publicly available incident reports and annual security studies consistently show phishing as a leading initial access vector for breaches. The pattern is familiar: inexpensive or free turnkey tools empower larger numbers of attackers, and successful thefts are often monetized quickly through resale, account takeover, or fraud.
Disruption operations reduce immediate risk and complicate attackers’ operations, but they do not eliminate the incentives or market demand that fuel PhaaS. Persistent defensive controls and continuous monitoring are required to defend cloud tenants.
Potential risks and long-term implications
Even after infrastructure disruption, organizations face several ongoing risks:
- Remaining exposures: Accounts whose credentials were harvested before the disruption remain vulnerable unless remediated.
- Credential reuse and lateral movement: Stolen passwords reused across services can lead to compromises beyond Microsoft 365.
- OAuth and token abuse: Harvested session cookies, refresh tokens, or app permissions granted through OAuth consent can allow access without re-entering credentials, and consented app permissions persist until an administrator revokes them.
- Re-emergence and fragmentation: Actors can migrate to new PhaaS offerings or split services to avoid coordinated takedowns, increasing the volume of lower-profile campaigns.
For defenders, this means takedowns are an important part of the response ecosystem but not a substitute for organizational hardening and sustained threat hunting.
Conclusion
Microsoft and Cloudflare’s disruption of the RaccoonO365 PhaaS service removed a significant phishing capability that facilitated the theft of thousands of Microsoft 365 credentials. The action demonstrates the value of industry collaboration in degrading criminal infrastructure. However, organizations must treat such disruptions as temporary reprieves: compromised credentials, tokens and misconfigurations persist unless actively remediated.
Immediate priorities for defenders are to hunt for active abuse, reset exposed credentials, revoke sessions and tokens, strengthen MFA with phishing-resistant factors, enforce conditional access and email authentication, and maintain user training and incident response readiness. Sustained investment in identity and email controls remains the most effective long-term defense against the PhaaS threat model.
Source: www.bleepingcomputer.com