Microsoft and Cloudflare execute ‘rugpull’ on massive phishing empire

Legal victory with limitations: Microsoft’s investigation identified Joshua Ogundipe, based in Nigeria, as the operation’s leader and primary architect. The company filed a lawsuit against Ogundipe and four associates listed as John Does in late August, then obtained a court order from the US District Court for the Southern District of New York in early September to seize the 338 websites associated with RaccoonO365.

“Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code,” Microsoft stated.

However, the legal victory might face practical limitations. While the court granted a restraining order against Ogundipe and his associates, the defendants remain free since the order carries little weight outside US jurisdiction. Microsoft has submitted a criminal referral for Ogundipe to international law enforcement, but prosecution remains challenging due to jurisdictional gaps.

Technical sophistication and takedown: Microsoft’s analysis showed that RaccoonO365 employed advanced evasion techniques and recently began advertising an AI-powered service called “RaccoonO365 AI-MailCheck” designed to scale operations and increase attack effectiveness. The criminals used sophisticated methods to circumvent security measures and avoid detection by researchers and automated systems.

The coordinated disruption began September 2, 2025, with Microsoft pursuing its legal strategy while Cloudflare executed what it called a strategic “rugpull.” Cloudflare’s analysis showed the criminals had strategically deployed Cloudflare Workers as an intermediary layer to shield their backend phishing servers.

“The actor’s ultimate goal was to provide subscribers with stolen credentials, cookies, and data from victim accounts (including OneDrive, SharePoint, and email), which could then enable financial fraud, extortion, or serve as initial access for larger attacks,” Cloudflare said in its analysis.

Cloudflare systematically dismantled RaccoonO365’s infrastructure over three days, terminating dozens of Worker accounts and placing “phish warning” pages in front of all identified domains. Facing infrastructure collapse, the criminals posted desperately on Telegram on September 5, attempting to reframe the disruption as a planned “rebirth.”

The takedown was declared complete on September 8, Cloudflare added in the report.

Industrialized cybercrime challenge: The RaccoonO365 case exemplifies what Microsoft calls “a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially.” Microsoft noted that the rapid development, marketing, and accessibility of services like RaccoonO365 indicate that cybercrime is becoming industrialized, with subscription models making advanced attacks accessible regardless of technical skill.

The successful takedown required Microsoft to integrate new tools into its investigations.

“For instance, we are integrating blockchain analysis tools like Chainalysis Reactor into our investigations,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in the blog. “These help us trace criminals’ cryptocurrency transactions, linking online activity to real identities for stronger evidence.”

However, Microsoft acknowledged that significant challenges remain.

“Today’s patchwork of international laws remains a major obstacle, and cybercriminals exploit these gaps,” the company stated. “Governments must work together to align their cybercrime laws, speed up cross-border prosecutions, and close the loopholes that let criminals operate with impunity,” Microsoft warned, saying that filing the lawsuit was just the beginning, as the company expects the actors to try rebuilding their operations.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4058634/microsoft-and-cloudflare-execute-rugpull-on-massive-phishing-empire.html
