Microsoft and Cloudflare dealt a major blow against RaccoonO365, a subscription-based phishing-as-a-service (PhaaS) platform that has fueled thousands of credential theft campaigns since mid-2024. In a joint operation announced this week, Microsoft seized 338 domains tied to the network, while Cloudflare moved to dismantle its proxy infrastructure and Worker accounts—actions that together have forced the service offline.
What RaccoonO365 Was Selling
RaccoonO365 wasn’t just another phishing kit—it was a subscription model designed to make phishing almost effortless. By paying for access, customers could instantly deploy polished phishing pages that convincingly imitated Microsoft 365 login portals, HR notices, or tax forms. The service also came with backend infrastructure to handle stolen credentials and session cookies, making it a full end-to-end solution for cybercriminals.
That “as-a-service” element is what made it dangerous. Unlike bespoke phishing campaigns that required technical chops, RaccoonO365’s kits were plug-and-play. Even a novice could subscribe, configure a campaign with pre-made lures, and start harvesting usernames and passwords in minutes. In effect, it turned phishing into a commodity market.
The Global Impact
The numbers tell the story. Since July 2024, RaccoonO365 kits have been used to steal at least 5,000 Microsoft credentials across 94 countries. Campaigns were broad and opportunistic. One of the most significant was a tax-themed phishing wave that targeted over 2,300 U.S. organizations by impersonating tax authorities, Microsoft said. Healthcare was another major vertical. At least 20 U.S. healthcare providers were hit, exposing sensitive patient and corporate data to potential compromise.
The service’s kits also came with technical features that made them harder to detect and take down. Operators built in browser fingerprinting, CAPTCHA challenges, and scripts to block developer tools. Stolen cookies could be replayed to bypass multi-factor authentication, giving attackers persistence inside corporate accounts.
How the Disruption Happened
The takedown was a two-pronged effort. Microsoft, after filing a civil lawsuit in late August, obtained authorization to seize 338 domains directly tied to RaccoonO365. These domains hosted the fake login portals and were essential for tricking victims into handing over credentials.
At the same time, Cloudflare went after the infrastructure that allowed those portals to thrive. By disabling hundreds of Worker accounts and related proxy services, Cloudflare shut down the actor’s ability to mask backend servers and rotate domains. This marked a strategic change in approach: instead of whack-a-mole takedowns of single sites, Cloudflare targeted the backbone that kept the operation agile.
Cloudflare put it bluntly: by raising RaccoonO365’s operational costs, they’ve made the free tier “too expensive” for cybercriminals.
A Familiar Pattern in Cybercrime
The RaccoonO365 takedown echoes past disruptions against other phishing-as-a-service ecosystems. In 2021, researchers exposed BulletProofLink, another subscription-based kit operation that offered custom templates and hosting to customers. In 2023, the 16Shop platform was taken down in a global operation after targeting PayPal, Apple, and Amazon users.
The trend is clear. Phishing has gone professional. Services like RaccoonO365 cater to a marketplace of buyers, some of whom are small-time scammers while others may be part of larger organized groups. This professionalization means phishing scales faster, spreads wider, and adapts quickly when infrastructure is taken down.
The numbers from Microsoft and Cloudflare show just how global these schemes have become. With victims in nearly 100 countries and verticals ranging from finance to healthcare, RaccoonO365 had the reach of a multinational enterprise—except its product was stolen credentials.
What Matters
Credential theft remains one of the most common entry points for attacks like business email compromise (BEC) and ransomware. Phishing-as-a-service accelerates that risk because it industrializes the process. A hospital IT manager or a finance team in a small business might not be directly aware of RaccoonO365, but the phishing email in their inbox could very well have been generated by it.
By seizing domains and dismantling infrastructure, Microsoft and Cloudflare have temporarily blunted a major source of credential theft. But history suggests that such services often re-emerge under new branding or infrastructure. The success of the takedown lies less in eliminating the threat entirely and more in raising costs and buying defenders time.
The Bigger Picture
Phishing may seem like old news compared to ransomware or nation-state espionage, but its persistence is telling. Social engineering remains one of the most effective tools for attackers because it targets the human layer of security. RaccoonO365 thrived because it removed friction for cybercriminals and played on trust in familiar brands like Microsoft.
The collaboration between Microsoft and Cloudflare shows the growing role of private sector alliances in tackling cybercrime infrastructure. Law enforcement wasn’t central to this takedown—cloud providers and platform owners took matters into their own hands, leveraging legal and technical measures to directly disrupt criminal supply chains.
Whether RaccoonO365’s operators attempt a comeback remains to be seen. But the message was straight-forward. The ecosystem that supports phishing as a service is in the crosshairs, and tech giants are increasingly willing to act when their platforms are abused at scale.
