How RaccoonO365 Turned Microsoft Credentials Into Currency

RaccoonO365 Phishing Developer Arrested in Global Cybercrime Probe

The420 Correspondent

Late this year, international investigators dismantled a key part of a sprawling phishing-as-a-service operation that had quietly harvested thousands of corporate email credentials across the world. At the centre of the case was the alleged developer of RaccoonO365, a toolkit designed to mimic Microsoft 365 login pages with uncanny accuracy, luring victims into surrendering usernames and passwords.

Authorities said the suspect acted as the technical backbone of the scheme, building and maintaining the infrastructure that allowed other criminals to launch phishing campaigns at scale. The arrests, carried out after coordinated raids, followed months of digital forensics, financial tracking and intelligence sharing with private-sector partners.

The case highlights how modern cybercrime has shifted from isolated hackers to service-based ecosystems, where tools are developed, marketed and sold to anyone willing to pay in cryptocurrency.

How RaccoonO365 Worked

RaccoonO365 functioned less like a single scam and more like a platform. According to investigators, phishing links were sold through encrypted messaging channels, while fake login portals were hosted behind content-delivery and security services to evade detection. Stolen or fraudulently obtained email credentials were used to spin up convincing replicas of Microsoft authentication pages.

Microsoft has been tracking the group behind the toolkit under the internal designation Storm-2246. Company researchers estimate that since mid-2024, the infrastructure was used to steal at least 5,000 Microsoft 365 credentials from victims in 94 countries. Many of those credentials were then weaponised for business email compromise, data theft and downstream financial fraud.

In September 2025, Microsoft, working with Cloudflare, seized more than 300 domains linked to the operation, disrupting a core distribution channel for the phishing kit. But investigators say the arrests mark the first time they have moved decisively against the alleged developer himself.

The investigation was conducted in close coordination with international law-enforcement partners, including the Federal Bureau of Investigation, and drew on telemetry provided by Microsoft’s threat-intelligence teams. Search operations resulted in the seizure of laptops, mobile devices and storage media believed to contain source code, customer communications and cryptocurrency transaction records.

Parallel to the criminal probe, Microsoft and the Health Information Sharing and Analysis Center (Health-ISAC) filed a civil lawsuit in September accusing a group of defendants of selling and deploying the phishing kit to facilitate large-scale credential theft. The suit alleges that the stolen data fed a wider criminal pipeline, enabling ransomware attacks, intellectual-property theft and financial fraud across multiple sectors.

While some individuals named in the civil case remain unaccounted for, Microsoft said the investigation is ongoing and that further legal action is possible as new evidence emerges.

A Broader Crackdown on Phishing-as-a-Service

The RaccoonO365 case is unfolding amid a wider effort by technology companies and authorities to choke off the infrastructure that underpins phishing-as-a-service. Days earlier, Google filed suit against operators of another phishing platform, Darcula, accused of orchestrating a massive wave of SMS-based scams impersonating government agencies and financial institutions.

Security researchers say these services lower the barrier to entry for cybercrime, allowing even unsophisticated actors to launch complex attacks. “This is industrialised fraud,” said one investigator familiar with the case. “You no longer need deep technical skill—just access to the right toolkit.”

The dismantling of RaccoonO365’s core development operation has disrupted one such toolkit. But officials caution that as long as demand for stolen credentials remains high, similar platforms are likely to emerge—reshaping the contest between defenders and an increasingly organised underground economy.