Microsoft Inc. has announced the seizure of almost 340 websites tied to a fast-expanding Nigeria-based phishing service known as Raccoon0365, which has been linked to the theft of at least 5,000 Microsoft user credentials.
In a statement obtained by newsmen and signed by Steven Masada, Assistant General Counsel for Microsoft’s Digital Crimes Unit, the company revealed that it secured authorization earlier this month from the U.S. District Court in Manhattan to take control of domains connected to the malicious service.
Raccoon0365, which launched in July 2024, operated as a subscription-based platform and provided tools enabling users to execute large-scale phishing campaigns, with some involving thousands of emails at once. According to Microsoft, the operators managed the service through a private Telegram channel boasting more than 850 subscribers.
Masada explained that the phishing service allowed subscribers to pose as legitimate brands, tricking victims into entering their Microsoft login details on fake login pages. The operators behind Raccoon0365 have generated over $100,000 in cryptocurrency payments since its inception, according to the company’s findings.
Microsoft disclosed that the domain seizures occurred gradually over several days earlier this month. “Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada said. “Simple tools like Raccoon0365 make cybercrime accessible to virtually anyone, putting millions of users at risk.”

The phishing platform’s activities extended across numerous industries. Court documents revealed that “a significant portion” of Raccoon0365’s operations focused on organizations in New York City. Microsoft previously noted that between February 12 and February 28, 2025, the group launched a tax-themed phishing campaign targeting over 2,300 organizations, primarily within the United States.
The healthcare sector has also been a key target. Errol Weiss, Chief Security Officer of the Health Information Sharing & Analysis Center (Health-ISAC), which joined Microsoft as a co-plaintiff, confirmed that Raccoon0365 was linked to credential theft at five unnamed healthcare organizations and had attempted attacks against 25 in total.
Microsoft emphasized its ongoing collaboration with other cybersecurity companies, including Cloudflare, to dismantle malicious networks. “In legal cases, we also collaborate with security companies like Cloudflare to swiftly seize and take down malicious infrastructure. In doing so, we cut off the actor’s revenue streams, sow distrust among their would-be customers, and send a clear signal that Microsoft and its partners will remain persistent in going after those who target our systems. Importantly, filing a lawsuit is just the start. We always expect actors to try to rebuild their operations. That means the DCU will continue to take additional legal steps in the case to dismantle any new or reemerging infrastructure,” the company stated.
What you should know
Microsoft has disrupted Raccoon0365, a Nigeria-based phishing service that stole thousands of user credentials and generated over $100,000 in illicit payments.
Operating through Telegram, the platform made large-scale phishing campaigns simple and accessible. While nearly 340 domains tied to the group have been taken down, Microsoft says it will continue pursuing further legal and technical actions to prevent the group’s reemergence.