Microsoft pulls down Nigerian-led RaccoonO365 Phishing Network, seizes 338 domains




Microsoft’s Digital Crimes Unit (DCU) has disrupted a major phishing operation known as RaccoonO365, seizing 338 websites used to impersonate Microsoft login pages and steal user credentials.

The service, run by a group led by a Nigerian individual, offered subscription-based phishing kits that enabled even low-skilled attackers to launch large-scale credential harvesting campaigns.

The DCU used a U.S. court order from the Southern District of New York to seize the domains. The individual identified as the mastermind is Joshua Ogundipe, who allegedly developed the code, sold phishing subscriptions, and provided customer support to other cybercriminals.

Microsoft said its investigation identified Ogundipe and associates as playing specialised roles in the enterprise: developing the code, selling subscriptions, and providing customer support to other cybercriminals.


“To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries. Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code,” Microsoft stated.

Phishing kits were distributed via Telegram and enabled impersonation of Microsoft emails. Subscriptions let attackers send thousands of phishing emails daily, scaling up to hundreds of millions per year.

Microsoft attributes part of its success to an operational security error by the attackers, which led them to reveal a cryptocurrency wallet tied to their infrastructure. This helped trace and map out the network.

The service had been evolving rapidly, even creating more advanced tools such as ‘RaccoonO365 AI-MailCheck’ to increase scale and sophistication.



Source: Businessday
