Microsoft and Cloudflare Dismantle Global Phishing Ring RaccoonO365, Seize 338 Fraudulent Domains

September 17, 2025
  • The group sold subscription-based phishing kits that let low-skilled attackers impersonate trusted brands such as DocuSign, SharePoint, Adobe, and Maersk. The kits captured not only passwords but also the authenticated session cookies issued after sign-in, so a stolen session remained usable even after the victim had completed multi-factor authentication.

  • The scheme posed serious risks to public safety: it caused delays in tax processing, exposed patient data, and led to financial losses across several sectors.

  • Since its launch in July 2024, RaccoonO365 generated at least $100,000 in cryptocurrency payments, with Nigeria-based Joshua Ogundipe identified as the main operator.

  • Despite law enforcement takedowns, the group continues to evolve, recently adding a feature called AI-MailCheck intended to improve attack effectiveness, which indicates that operations are ongoing.

  • The phishing kits were sold through a Telegram group, with the operators providing customer support to subscribers to keep them using the service; reported proceeds were approximately $100,000.

  • In September 2025, Microsoft and Cloudflare seized 338 domains used by RaccoonO365, a phishing-as-a-service operation responsible for stealing more than 5,000 Microsoft 365 credentials across 94 countries since July 2024.

  • RaccoonO365 operated through a Telegram channel with more than 850 members, offering tools to build realistic fake emails, attachments, and phishing websites with minimal technical skill.

  • The operation targeted at least 20 US healthcare organizations, among other entities, exposing them to follow-on malware and ransomware with public-safety consequences. Subscriptions to the service ranged from $355 to $999 for periods of 30 to 90 days.

  • Following the takedown, the group announced plans to phase out legacy links, offer subscription upgrades, and continue operating, while Cloudflare said it is shifting from reactive takedowns to proactive disruption of such infrastructure.

  • A major phishing campaign in April 2025 targeted more than 2,300 US organizations, including healthcare providers; the stolen credentials were used for fraud, extortion, and further cyberattacks.

  • The campaign's success highlighted the threat to critical sectors, especially healthcare, where stolen credentials give attackers persistent access that can be used for further malicious activity.

  • Law enforcement identified Nigerian national Joshua Ogundipe as the leader of RaccoonO365. He managed the operation's code, sales, and support and used fake domains to evade detection; a cryptocurrency wallet linked to the operation helped expose his identity.
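The first bullet describes how these kits defeat MFA: the victim signs in through the kit's proxy, completes MFA, and the kit keeps the issued session cookie for later reuse. The check a defender most wants from that description is the replay pattern in the identity provider's sign-in log. The block below is an added example written for this page; it is not code from the article, from Microsoft, or from Cloudflare, and nothing in it is specific to RaccoonO365's infrastructure. The log format, the `analyze` function, the ASN values, and the per-user baseline are all constructed assumptions for illustration.

```python
# Added example (not from the original article, nor from Microsoft or
# Cloudflare): a detector for the session-replay pattern that adversary-in-the-
# middle phishing kits depend on. Two observable signals are implemented:
#   1. the same session identifier presented from a different ASN than the one
#      that completed MFA, within a short window (cookie replay), and
#   2. an MFA sign-in from an ASN the user has never used before (the identity
#      provider sees the kit's proxy address, not the victim's, so the proxied
#      login itself often arrives from unfamiliar hosting infrastructure).
# The log format, field names, ASN values and baseline below are constructed
# for this example and are not any product's schema.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    mfa: bool  # True when this event completed an interactive MFA sign-in


@dataclass
class Finding:
    user: str
    session_id: str
    reason: str
    origin_ip: str  # address that completed MFA for this session
    seen_ip: str    # address that later presented the session cookie


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line: ts|user|session_id|ip|asn|kind,
    where kind is 'mfa' (interactive MFA sign-in) or 'token' (cookie presented)."""
    ts, user, sid, ip, asn, kind = line.strip().split("|")
    return SignIn(datetime.fromisoformat(ts), user, sid, ip, asn, kind == "mfa")


def analyze(lines, baseline_asn, window=timedelta(minutes=30)):
    """Group events by session cookie and return a Finding for each session that
    was replayed across ASNs or was minted from an ASN outside the user's baseline."""
    events = [parse_line(ln) for ln in lines if ln.strip()]
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)

    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e.mfa), None)
        if origin is None:
            continue  # no observed MFA sign-in for this cookie: out of scope here
        if origin.asn not in baseline_asn.get(origin.user, set()):
            findings.append(Finding(origin.user, sid, "mfa_from_unfamiliar_asn",
                                    origin.ip, origin.ip))
        for ev in evs:
            if ev is origin or ev.ts < origin.ts or ev.ts - origin.ts > window:
                continue
            if ev.asn != origin.asn:
                findings.append(Finding(ev.user, sid, "session_replay_across_asn",
                                        origin.ip, ev.ip))
                break  # one finding per session is enough for triage
    return findings


# Constructed sample: alice is benign; bob's cookie is presented from another
# network minutes after MFA; carol's MFA sign-in itself comes from a network
# she has never used, consistent with a login proxied through a kit.
LOG = """\
2025-09-10T08:00:12|alice@example.com|S-1001|203.0.113.7|AS64500|mfa
2025-09-10T08:41:30|alice@example.com|S-1001|203.0.113.7|AS64500|token
2025-09-10T09:02:05|bob@example.com|S-2002|198.51.100.23|AS64501|mfa
2025-09-10T09:05:44|bob@example.com|S-2002|192.0.2.99|AS64502|token
2025-09-10T10:15:00|carol@example.com|S-3003|192.0.2.50|AS64502|mfa
2025-09-10T10:20:00|carol@example.com|S-3003|192.0.2.50|AS64502|token
"""

# Constructed per-user baseline of ASNs observed in the preceding weeks.
BASELINE_ASN = {
    "alice@example.com": {"AS64500"},
    "bob@example.com": {"AS64501"},
    "carol@example.com": {"AS64500"},
}

if __name__ == "__main__":
    for f in analyze(LOG.splitlines(), BASELINE_ASN):
        print(f"{f.user} {f.session_id} {f.reason} "
              f"minted@{f.origin_ip} seen@{f.seen_ip}")
```

The two signals are complementary: replay across ASNs catches a cookie exported to the buyer's own machine, while the unfamiliar-origin check catches the proxied sign-in even when the kit and the buyer share infrastructure. The 30-minute window and the ASN baseline are tuning parameters; in practice the baseline would come from the user's recent sign-in history and the ASN from an IP-to-ASN lookup, neither of which is embedded here.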

Summary based on 9 sources

