Coordinated action dismantles Phishing-as-a-Service network stealing Microsoft 365 credentials across 94 countries
Cloudflare has announced its participation in a global operation with Microsoft and U.S. law enforcement to disrupt RaccoonO365, a criminal Phishing-as-a-Service (PhaaS) network responsible for large-scale credential theft from Microsoft 365 users.
RaccoonO365 sold subscription-based phishing kits via Telegram, enabling cybercriminals to launch attacks that harvested login details, cookies, and data from OneDrive, SharePoint, and email. Since July 2024, these kits have been used to steal at least 5,000 credentials across 94 countries, with criminals paying up to $999 for a 90-day plan.
In early September 2025, Cloudflare executed a coordinated takedown of hundreds of domains and Worker accounts linked to the group, moving from reactive, single-domain mitigation to a proactive, infrastructure-wide “rugpull.” This disruption complemented Microsoft’s legal action, which seized 338 domains tied to the group.
“By working with Microsoft and law enforcement, we’ve raised the cost of cybercrime for groups like RaccoonO365,” said a Cloudflare spokesperson. “This operation sends a clear message—abusing cloud platforms to run phishing campaigns will be disrupted at scale.”
The takedown aims to permanently dismantle RaccoonO365’s operations and limit its ability to enable financial fraud, extortion, and ransomware.