Cloudflare participates in global operation to disrupt RaccoonO365

Threat brief - Sep 10, 2025

Overview

In partnership with Microsoft, Cloudflare’s Cloudforce One and Trust and Safety teams successfully disrupted the Phishing-as-a-Service (PhaaS) criminal enterprise known as RaccoonO365. This report details the coordinated technical and legal action taken against a sophisticated phishing operation that targeted Microsoft 365 credentials. The RaccoonO365 group abused Cloudflare services and other infrastructure providers to try to prevent detection of their phishing kits.

Cloudflare’s response represents a strategic shift from reactive, single-domain takedowns to a proactive, large-scale disruption aimed at dismantling the actor's operational infrastructure on our platform. By taking coordinated action in early September 2025, we aim to significantly increase RaccoonO365’s operational costs and send a clear message to other malicious actors: the free tier is too expensive for criminal enterprises.

Executive summary

  • Cloudflare, in partnership with Microsoft, has taken action against RaccoonO365, a criminal enterprise offering a sophisticated Phishing-as-a-Service (PhaaS) service.

  • The campaign's primary attack vector was phishing kits designed to steal Microsoft 365 credentials. The kits used a simple CAPTCHA page and anti-bot techniques to evade analysis and appear legitimate to victims.

  • The actor's ultimate goal was to provide subscribers with stolen credentials, cookies, and data from victim accounts (including OneDrive, SharePoint, and email), which could then enable financial fraud, extortion, or serve as initial access for larger attacks.

  • In early September 2025, in a strategic effort to prevent this phishing abuse on our services, Cloudflare executed a coordinated takedown of hundreds of domains and Worker accounts associated with the actor, effectively dismantling their infrastructure on our network. This action was taken in coordination with Microsoft’s broader efforts through a civil lawsuit filed in late August.

  • This report provides technical details of the actor's TTPs, our mitigation strategy, and Indicators of Compromise (IOCs) to help others defend against this and similar threats.

What is RaccoonO365?

RaccoonO365 is a financially motivated criminal enterprise operating a PhaaS model designed to broadly target Microsoft 365 users, enabling subscribers to launch their own credential harvesting campaigns. According to Microsoft, since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from 94 countries. The email messages sent to victims typically have an attachment with a link or QR code. The malicious link leads to a page with a simple CAPTCHA. Once the CAPTCHA is solved, the user is redirected to a fake Microsoft O365 login page designed to harvest credentials. If successful, this activity is often a precursor to malware or ransomware infection.

The group sells subscriptions to its "RaccoonO365 Suite" via a private Telegram channel, which as of August 25th, 2025 had 845 members. The platform operates on a tiered pricing model with offerings structured to appeal to a range of criminals, from short-term testers to those running continuous campaigns. Plans are sold in various durations, such as a 30-day plan for $355 and a 90-day plan for $999. The service exclusively accepts cryptocurrencies, including USDT (TRC20, BEP20, Polygon) and Bitcoin (BTC).

RaccoonO365 markets its criminal services with a professional-looking price list and accepts payment in cryptocurrency.

RaccoonO365 markets their service with claims of being a fully managed operation hosted on a "bulletproof VPS" with "zero backdoors" and "zero tracking" to assure their criminal clientele of the service's security and anonymity. They exemplify the PhaaS model by offering a comprehensive suite of tools and services that lower the barrier to entry for cybercriminals aiming to execute sophisticated phishing campaigns, including the ability to bypass multi-factor authentication (MFA).

Public-facing portal for the RaccoonO365 criminal enterprise, advertising "2FA link service" to bypass Microsoft's security measures

Microsoft identified the group's leader as Joshua Ogundipe, who is based in Nigeria, while evidence like the use of Russian in a Telegram bot's name suggests the group also collaborated with Russian-speaking cybercriminals.

Campaign analysis & threat breakdown

Attack chain

RaccoonO365’s attack chain is built for stealth, bypassing security measures and avoiding user suspicion.

1. Initial lure

RaccoonO365 employed several distinct phishing techniques. We observed multiple credential phishing campaigns that impersonated trusted brands like DocuSign, SharePoint, Adobe, and Maersk. Separately, we identified multiple PDF-based campaigns that used attachments and image-based links as the delivery vector. These attachments contained either a malicious QR code or a clickable image with an embedded link to redirect victims to the phishing pages.

RaccoonO365 phishing emails were crafted to impersonate trusted brands or organizations within the targeted company, using familiar workplace themes to exploit trust and create urgency. File names were designed to mimic routine communications—such as finance or HR documents, policy agreements, contracts, and invoices. In some cases, the emails went further, incorporating the recipient’s name into links or attachments to enhance credibility. This social engineering tactic increases the likelihood that users will click, believing the message is legitimate.

RaccoonO365 DocuSign email containing a “Review Document” button which directs the user to the phishing page.

RaccoonO365 Adobe Acrobat email containing a “View Now” button which directs the user to the phishing page.

RaccoonO365 phishing email impersonating Maersk. The PDF contains a document with an image-based link, which then directs the user to the phishing page.

PDF-based RaccoonO365 campaign where PDF contains a single, blurred image of a document. Clicking anywhere on the image redirects the user to the phishing page.

RaccoonO365 campaign with a PDF attachment containing a QR code. Scanning the code directs the user to the phishing page.

2. Human verification & detection evasion

When the target accesses the malicious link in the email, PDF, or QR code, they are redirected to a landing page protected by a simple “I'm not a robot” CAPTCHA for human verification.

Basic CAPTCHA page used by phishing kit to block automated security tools and restrict access to human targets

At this stage, RaccoonO365’s script also uses several techniques to block security researchers and automated systems, including:

  • Bot detection: It runs multiple checks to identify and filter out automated traffic.

  • Automation checks: It specifically looks for the presence of tools like WebDriver and analyzes the browser's user-agent.

  • Browser fingerprinting: It uses advanced methods like canvas fingerprinting to identify and block analysis environments.

  • Anti-analysis: It actively disables keyboard shortcuts for developer tools and deactivates the browser's console to prevent code inspection.

3. Phishing page

After passing the CAPTCHA and other criteria, the user is presented with the fraudulent Microsoft 365 login page. The RaccoonO365 platform provides tools to create convincing login pages, like the one below, that mimic Microsoft 365 services, enhancing the likelihood of credential theft.

Microsoft 365 credential harvesting page hosted on a malicious domain

Steps during this portion of the attack chain include:

  • Credential and session theft: When the victim enters their credentials, the kit acts as an adversary-in-the-middle, proxying the authentication flow to Microsoft's servers and allowing the attacker to capture not only the password but also the resulting session cookie, effectively bypassing MFA.

  • Exfiltration: Once collected, the compromised data—which includes credentials, cookies, O365 files, and machine specs—is exfiltrated via a scripted URL that sends it directly to a designated email address. However, their tactics evolved around July to also include exfiltration to Telegram.
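Added example, not code from Cloudflare's report or from the RaccoonO365 kit: a small Python detector for the outcome of the adversary-in-the-middle step above, where a session cookie issued to the victim is replayed from the attacker's network minutes later. The sign-in events, their field names and the country attribution are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (hypothetical schema, not real tenant
# data). Alice's session S1 is issued on her office network and replayed
# seven minutes later from another country: the footprint of an AiTM kit
# that captured her session cookie after MFA. Bob gets two separate
# sessions from two countries half an hour apart (impossible travel).
# Carol's two sign-ins are eight hours apart, which is ordinary travel.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:00:00", "user": "alice@example.com",
     "session_id": "S1", "ip": "198.51.100.10", "country": "US"},
    {"ts": "2025-07-01T09:07:00", "user": "alice@example.com",
     "session_id": "S1", "ip": "203.0.113.77", "country": "NG"},
    {"ts": "2025-07-01T10:00:00", "user": "bob@example.com",
     "session_id": "S2", "ip": "198.51.100.11", "country": "US"},
    {"ts": "2025-07-01T10:30:00", "user": "bob@example.com",
     "session_id": "S3", "ip": "192.0.2.200", "country": "BR"},
    {"ts": "2025-07-01T11:00:00", "user": "carol@example.com",
     "session_id": "S4", "ip": "192.0.2.5", "country": "DE"},
    {"ts": "2025-07-01T19:00:00", "user": "carol@example.com",
     "session_id": "S5", "ip": "198.51.100.30", "country": "US"},
]


def detect_aitm_activity(events, window_minutes=120):
    """Flag users seen in two countries within window_minutes.

    A hit that reuses the same session_id is labelled session_replay (the
    stolen-cookie case); a hit with a fresh session is impossible_travel.
    Each alert carries the response step an IR playbook should automate.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            minutes = gap.total_seconds() / 60
            if cur["country"] == prev["country"] or minutes > window_minutes:
                continue
            replay = cur["session_id"] == prev["session_id"]
            alerts.append({
                "user": user,
                "kind": "session_replay" if replay else "impossible_travel",
                "session_id": cur["session_id"],
                "from": f"{prev['country']}/{prev['ip']}",
                "to": f"{cur['country']}/{cur['ip']}",
                "minutes_apart": int(minutes),
                # A replayed cookie is already past MFA, so a password reset
                # alone does nothing: the session itself must be revoked.
                "action": ("revoke_sessions_and_reset_credentials" if replay
                           else "require_reauth_and_review"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_activity(SAMPLE_EVENTS):
        print(alert)
```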

Capabilities of the actor’s toolkit

RaccoonO365 built its operation on top of legitimate infrastructure in an attempt to avoid detection. Leveraging free accounts, they strategically deployed Cloudflare Workers to act as an intermediary layer, shielding their backend phishing servers from direct public exposure.

Inside RaccoonO365’s codebase

RaccoonO365 malicious code was designed to perform a variety of functions, including:

Anti-analysis & evasion: Before a request was passed to the actual phishing server, a Cloudflare Workers script inspected the request to determine if it originated from a security researcher, automated scanner, or sandbox. If any red flags were raised, the connection would be dropped or the client would receive an error message, effectively hiding the phishing kit.

Their evasion tactics included:

  • User-agent filtering: Blocking a list of over 18 known automated analysis tools, crawlers, and headless browsers (e.g., NetcraftSurveyAgent, python-requests, Headless).

  • Security vendor evasion: Actively blocking connections originating from the infrastructure of at least 17 major security services, including email gateways like safelinks.protection.outlook.com and urldefense.proofpoint.com.

  • Network-level blocking: Denying access to requests from known datacenters, certain ISPs, Tor exit nodes, and bogon IPs (unallocated IP ranges).

  • Header and referer checks: Inspecting HTTP headers for signs of analysis, such as the Origin header used by Microsoft's SmartScreen.

Dynamic traffic routing: For requests that passed the security checks, the actor’s malicious script served a second purpose: it acted as a traffic controller. The script dynamically fetched and served the appropriate phishing content from the actor's hidden backend servers (e.g., sharedsyncdriveforwork[.]com and sponsoredmetasocialtasks[.]vip), and provided the following functionality:

  • Reverse proxying: The script concealed the real IP address of the phishing servers, making them appear to originate from Cloudflare’s network. To a security analyst, the initial connection looks like it ends at Cloudflare, masking the attacker’s true infrastructure.

  • Trigger-path logic: The actor embedded unique variables in the code as “trigger paths,” enabling them to seamlessly redirect traffic to different phishing campaigns or adjust backend logic by modifying a single variable—without needing to change core functionality in the code.

  • Centralized management: This architecture enabled the actor to orchestrate large-scale phishing operations with minimal overhead. By modifying a small portion of code, they could rapidly propagate new evasion techniques, update routing logic, or shift entire campaigns, eliminating the need to redeploy or reconfigure dozens of discrete phishing kits.

Evolution and scaling

RaccoonO365 didn't simply stand up a single Worker and abandon it; they continuously maintained, updated and scaled their deployment to support ongoing phishing operations:

October 2024: Campaign initiation

  • The earliest activity detected was the deployment of the initial JavaScript phishing campaigns.

  • The operation’s primary objective from day one was credential theft, with a clear focus on Microsoft 365 business accounts. These early kits formed the foundational code that would be continuously refined over time.

December 2024: Infrastructure deployment

  • Two months after the first phishing kits appeared, the actor made a significant strategic upgrade by deploying their first Cloudflare Worker cluster.

  • This marked the shift from a simpler phishing setup to a sophisticated two-layer architecture. The actor placed the new Worker "in front" of their existing phishing kits, immediately shielding them with a routing and evasion layer.

Early to Mid-2025: Scaling and refinement

  • The actor began running multiple phishing campaigns in parallel, targeting different victim pools.

  • They scaled their infrastructure by deploying second and third Cloudflare Worker clusters (March and July 2025), with each iteration incorporating improved anti-analysis features to hinder security investigation.

  • During this period, the phishing kits were enhanced with features like CAPTCHA, improved evasion, and more deceptive redirects to legitimate Microsoft error pages.

Mid-2025 (July - August): Peak sophistication

  • The final major evolution was the integration of real-time data exfiltration methods, such as Telegram bots, directly into the phishing scripts. This allowed the actor to instantly receive MFA QR codes and stolen credentials, marking the operation's peak capability.

RaccoonO365 platform update

In response to Cloudflare’s ongoing mitigation of their infrastructure, RaccoonO365 operators used their private Telegram channel to issue a series of “Platform Updates,” declaring a strategic shift to "break free from Cloudflare."

One of the earlier progress updates debuted a new 'Mini Panel' for subscribers, revealing that despite their goal to become independent, RaccoonO365's new infrastructure still planned to partially rely on Cloudflare Workers.

A progress update on the RaccoonO365 migration announces a new 'Mini Panel' for subscribers.

A later "Migration Update" from the RaccoonO365 operator explicitly stated their "mission to break free from Cloudflare." The post detailed technical plans to build a "fully independent and bulletproof" system in direct response to platform enforcement and disruption efforts.

A "Migration Update" from RaccoonO365 stating their "mission to break free from Cloudflare."

On September 5th, 2025, following Cloudflare's mitigation efforts, the RaccoonO365 team posted an announcement on Telegram to reframe the situation for their subscribers. They presented the disruption as a planned "rebirth" of their service, shutting down old "legacy links" and directing users to a new platform to retain access—a clear attempt to recover from disruptions and retain their customer base by rebuilding their operations on new infrastructure.

RaccoonO365 administrators announce shutdown of "legacy links" and require subscribers to migrate to a new plan.

Coordinating our RaccoonO365 disruption

Our strategy evolved from a reactive posture to a proactive and coordinated disruption.

  1. Initial state: Cloudflare's Trust & Safety team addressed individual abuse complaints, mitigating RaccoonO365 domains as they were identified. Over time, it became clear that a broader, coordinated operation was necessary to further disrupt the actor’s overall effectiveness.

  2. Collaboration: Microsoft launched the legal disruption, seizing hundreds of RaccoonO365 domains, while Cloudflare took action to halt all RaccoonO365 operations on our platform. Together with U.S. law enforcement, we helped alter the threat actor’s operational trajectory.

  3. Infrastructure identification: Using signup patterns, we were able to comprehensively map the actor's entire infrastructure on our platform, including domains and dozens of Worker accounts.

  4. Coordinated takedown: In early September 2025, Cloudflare executed a "rugpull" on RaccoonO365. In coordination with Microsoft, the initial phase of the Cloudflare takedown began on September 2nd, 2025, with additional actions on September 3rd and 4th, 2025. We then banned all identified domains, placed interstitial “phish warning” pages in front of them, terminated the associated Workers scripts, and suspended the user accounts to prevent re-registration.

This coordinated action, alongside legal efforts by Microsoft and U.S. law enforcement, is intended to permanently dismantle the group’s ability to operate on our platform and beyond.

Event timeline

Date                 Event description
2025-09-08 23:10:00  Completed takedown.
2025-09-05 04:45:00  Threat actor posts a message on Telegram announcing the shutdown of "legacy links" and requiring subscribers to migrate to a new plan.
2025-09-03 00:53:07  Rescanned RaccoonO365 infrastructure to strategically disable Workers.
2025-06-21 21:12:01  Threat actor added functionality to send stolen credentials directly to Telegram.
2025-04-13 19:12:14  Threat actor added a more sophisticated redirect to a legitimate-looking Outlook error page upon successful credential theft.
2025-02-01 19:28:21  Threat actor added sandbox and ASN detection and blocking capabilities.

Recommendations

Cloudflare recommends the following steps to mitigate threats from PhaaS operations like RaccoonO365.

  • Email Security Controls

    • Use advanced email security protection to stop scams before they reach inboxes. Cloudflare Email Security can detect PhaaS emails in real time using Email Detection Fingerprints (EDF) and tailored detections.

    • Enforce strict attachment and URL scanning (sandbox suspicious content before delivery).

    • Enable DMARC, SPF, and DKIM with enforcement to reduce email spoofing.

  • Identity & Access Hardening

    • Enforce phishing-resistant MFA (FIDO2/WebAuthn, smartcards) instead of SMS/OTP-based MFA, which is easily bypassed by AiTM kits like RaccoonO365.

    • Use conditional access policies (geo restrictions, device compliance, impossible travel rules).

    • Rotate and audit privileged accounts regularly.

  • User Awareness & Training

    • Provide ongoing phishing simulation and training to help employees recognize common lures (HR docs, invoices, M365 login prompts).

    • Emphasize reporting over blame: make it easy and rewarding for users to report suspicious emails.

  • Web & Endpoint Protections

    • Use DNS filtering and secure web gateways to block access to newly registered and suspicious domains.

    • Leverage browser isolation for high-risk categories (e.g., financial, cloud productivity logins).

    • Deploy EDR/XDR to detect post-phishing activity (credential theft, unusual browser behavior).

  • Incident Response Preparedness

    • Automate detection and revocation of stolen session cookies and OAuth tokens.

    • Have a playbook for rapid credential resets and account recovery.

    • Test response processes against simulated AiTM and phishing campaigns.

  • Vendor & SaaS Security

    • Work with cloud and SaaS providers to enable continuous monitoring of tenant activity.

    • Enable alerts for suspicious consent grants, OAuth app installations, or unusual API access.

    • Require tenants and third parties to comply with phishing-resistant identity controls.
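Added example, not part of the original report: the weak and the enforcing form of the SPF, DKIM and DMARC records that the email security recommendation above refers to, with a checker that explains why the weak form still lets spoofed mail through. The domain names, records and DKIM key are constructed placeholders.

```python
# Constructed sample DNS TXT records for a fictional domain (not real DNS
# data). WEAK is a common monitor-only setup; HARDENED is the enforcing
# configuration the recommendation asks for. The DKIM key is a placeholder.
WEAK = {
    "spf": "v=spf1 include:_spf.mailprovider.example ~all",
    "dkim": "v=DKIM1; k=rsa; p=",   # an empty p= tag means the key is revoked
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailprovider.example -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}


def parse_tags(txt):
    """Split a 'k=v; k=v' record (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_sender_policy(records):
    """Return findings describing why spoofed mail would still be delivered.

    An empty list means SPF, DKIM and DMARC are all present and DMARC is
    enforcing (quarantine or reject, on 100% of failing mail, including
    subdomains).
    """
    findings = []

    spf = records.get("spf", "")
    mechs = spf.lower().split()
    if not mechs or mechs[0] != "v=spf1":
        findings.append("SPF: no record, receivers cannot tell legitimate senders apart")
    elif "-all" not in mechs:
        # ~all, ?all, +all or no terminal mechanism: spoofed mail is not hard-failed
        findings.append(f"SPF: terminal mechanism is {mechs[-1]!r}, spoofed mail is not hard-failed")

    dkim = parse_tags(records.get("dkim", ""))
    if dkim.get("v") != "DKIM1":
        findings.append("DKIM: no selector record, outbound mail is unsigned")
    elif not dkim.get("p"):
        findings.append("DKIM: empty p= tag, the signing key is revoked")

    dmarc = parse_tags(records.get("dmarc", ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record, SPF/DKIM failures are never acted on")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            findings.append("DMARC: p=none is monitor-only, failing mail is still delivered")
        else:
            pct = int(dmarc.get("pct", "100"))
            if pct < 100:
                findings.append(f"DMARC: pct={pct}, policy applies to only part of failing mail")
            if dmarc.get("sp", policy).lower() not in ("quarantine", "reject"):
                findings.append("DMARC: subdomain policy is not enforcing, subdomains can be spoofed")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, no aggregate reports to spot abuse")
    return findings


def is_enforcing(records):
    return assess_sender_policy(records) == []


if __name__ == "__main__":
    for name, recs in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "enforcing" if is_enforcing(recs) else assess_sender_policy(recs))
```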

In addition, we provide all organizations (whether a Cloudflare customer or not) with free access to our email Retro Scan tool, allowing them to use our predictive AI models to scan existing inbox messages. Retro Scan will detect and highlight any threats found, enabling organizations to remediate them directly in their email accounts. With these insights, organizations can implement further controls, either using Cloudflare Email Security or their preferred solution, to prevent similar threats from reaching their inboxes in the future.

Indicators of compromise (IOCs)

The RaccoonO365 domains listed below include some of the more recent infrastructure used by this criminal enterprise, but they are only a sample of the very lengthy list of indicators tracked by Cloudforce One. To learn more about getting access to the full list of indicators along with additional actionable context, refer to our Threat Events platform, available to Cloudforce One customers.

Cryptocurrency Addresses
bc1qjtlzug5wu7ag8yskn5h2xjd27uetq5cc4sahh5
TBB5T28b9n2SK8shXb9oq867EcsNE5dZie
0xf5C2E3749F332175D94C7de7bf7AA8d679E460B7

Email Detection Fingerprints (EDF)

