Microsoft Seizes 340 Phishing Websites Linked to Raccoon0365
Microsoft has announced the successful takedown of nearly 340 phishing websites tied to a cybercrime service known as Raccoon0365, which enabled large-scale credential theft campaigns targeting Microsoft users.
In a statement signed by Steven Masada, Assistant General Counsel for Microsoft’s Digital Crimes Unit (DCU), the company revealed that it obtained an order from the U.S. District Court in Manhattan earlier this month to seize the malicious domains.
How Raccoon0365 Operated
Raccoon0365 functioned as a subscription-based phishing service, giving cybercriminals the tools to launch mass phishing campaigns. Through a private Telegram channel with more than 850 subscribers, users gained access to fake Microsoft login pages and other impersonation tools that tricked victims into sharing their credentials.
Since its launch in July 2024, the service has generated over $100,000 in cryptocurrency payments for its operators. According to Microsoft, the campaigns often involved thousands of phishing emails at a time and affected a wide range of industries.
Impact on Users and Organisations
Investigations revealed that between February 12 and February 28, 2025, Raccoon0365 targeted more than 2,300 organisations in the U.S. with tax-themed phishing attacks. Healthcare was particularly affected, with at least five organisations successfully breached and a total of 25 health sector entities targeted.
Microsoft’s Ongoing Efforts
Masada emphasized that Raccoon0365 demonstrates how “cybercriminals don’t need to be sophisticated to cause widespread harm.” The tools made cybercrime accessible to virtually anyone, putting millions of users at risk.
Microsoft collaborated with partners such as Cloudflare and Health-ISAC to swiftly shut down malicious infrastructure. Beyond seizing domains, the company said it will continue pursuing legal steps to dismantle any attempts to rebuild the network.
“We cut off the actor’s revenue streams, sow distrust among their would-be customers, and send a clear signal that Microsoft and its partners will remain persistent,” Microsoft stated.
What This Means for Users
The takedown is part of Microsoft’s wider strategy to protect customers from credential theft and online fraud. While the seizures significantly disrupt Raccoon0365 operations, the company warns that cybercriminals are likely to attempt to rebuild. Users are advised to remain cautious, enable multi-factor authentication (MFA), and stay vigilant against suspicious emails.