Microsoft Seizes 340 Phishing Websites Linked to Raccoon0365 Cybercrime Network

Microsoft has announced the seizure of nearly 340 websites used to run large-scale phishing operations, disrupting a cybercrime service known as Raccoon0365. The crackdown followed an order obtained earlier this month from the U.S. District Court in Manhattan, according to a statement released by the company’s Digital Crimes Unit (DCU).

The Raccoon0365 service, operating since July 2024, enabled paying subscribers to impersonate trusted brands—particularly Microsoft—by creating fake login pages designed to harvest user credentials. Investigators say the platform was marketed through a private Telegram channel with over 850 members, many of whom launched mass phishing campaigns involving thousands of fraudulent emails.

Microsoft revealed that the scheme has already generated at least $100,000 in cryptocurrency payments for its operators. Assistant General Counsel for the DCU, Steven Masada, said the company coordinated the seizures over several days earlier this month, targeting domains directly linked to the fraudulent network.

“Cybercriminals don’t need to be sophisticated to cause widespread harm,” Masada noted. “Simple tools like Raccoon0365 make phishing attacks accessible to virtually anyone, putting millions of users at risk.” Microsoft said the sites were used to steal more than 5,000 user credentials across multiple industries, with a significant number of attacks targeting organizations in New York City.

Court filings also detailed a wave of tax-themed phishing emails that, between February 12 and February 28 this year, sought to compromise more than 2,300 organizations—mostly in the United States. Healthcare institutions were among the hardest hit, with at least five hospitals and clinics confirmed to have suffered successful credential theft.

The Health Information Sharing & Analysis Center (Health-ISAC), a co-plaintiff in the case, confirmed that at least 25 healthcare organizations were targeted. Errol Weiss, Health-ISAC’s Chief Security Officer, said the phishing campaigns demonstrated how accessible and damaging subscription-based cybercrime services like Raccoon0365 have become.

Microsoft stressed that this legal action is only the beginning of its effort to dismantle the criminal operation. The company said it is working with cybersecurity partners, including Cloudflare, to seize malicious infrastructure, cut off revenue sources, and undermine confidence among Raccoon0365’s users. However, Masada warned that the operators are likely to attempt a comeback, meaning continued monitoring and further lawsuits will follow.

By taking down hundreds of domains tied to Raccoon0365, Microsoft and its partners hope to deal a significant blow to a growing cybercrime model that sells phishing “as a service.” The company said the fight against such threats will remain ongoing as long as criminals attempt to rebuild.
