Microsoft reported seizing the websites of a well-known phishing-as-a-service (PhaaS) operation targeting Microsoft 365 credentials. The operation used phishing kits to steal about 5,000 usernames and passwords for Microsoft 365 accounts at at least 20 U.S. healthcare companies.
According to the Microsoft Digital Crimes Unit (DCU), cybercriminals use RaccoonO365 to steal Microsoft 365 usernames and passwords. The PhaaS operation offers phishing kits that generate phishing emails imitating genuine Microsoft communications. Victims are directed to websites that trick them into entering their Microsoft 365 credentials. The kits lower the barrier to running phishing campaigns, allowing even low-skilled individuals to use them to steal credentials.
RaccoonO365 has been supplying cybercriminals with phishing kits since July 2024. Customers can use the infrastructure to send around 9,000 phishing emails every day. A 30-day subscription costs below $12 a day, and a 60-day subscription less than $10 a day. The phishing kits use advanced techniques to capture credentials and bypass multi-factor authentication. More recently, RaccoonO365 has added a new service that uses AI to scale campaigns and increase their sophistication and effectiveness.
Cybercriminals can use the stolen credentials to access accounts and sensitive information, but the credentials are more often used to gain a foothold for broader attacks on victims, frequently resulting in ransomware and malware infections. The attacks have caused substantial financial losses for healthcare companies and have disrupted critical patient care, putting patients at risk. Beyond the attacks on healthcare companies, RaccoonO365’s phishing kits were used in a large tax-themed phishing campaign targeting more than 2,300 U.S. companies.
DCU determined that Joshua Ogundipe, the operation’s leader, lives in Benin City, Nigeria. Given his background in computer programming, he is believed to have written most of the code used in the phishing kits. A security lapse on Ogundipe’s part enabled DCU to identify his hidden cryptocurrency wallet. Ogundipe and his associates advertised and sold the RaccoonO365 phishing kits on Telegram, collecting over $100,000 in subscription payments. About 100 to 200 subscriptions were sold, though that figure is likely an undercount. Based on that number, between 900,000 and 1.8 million phishing emails could be sent every day. DCU has shared its intelligence with global law enforcement.
Ogundipe and four John Doe co-conspirators face a lawsuit filed by Microsoft and Health-ISAC in the U.S. District Court for the Southern District of New York. The lawsuit seeks damages and the seizure of the websites used by the operation. The defendants are accused of violating the Electronic Communications Privacy Act, the Racketeer Influenced and Corrupt Organizations (RICO) Act, and the Computer Fraud and Abuse Act.
The DCU investigation identified 338 sites run by the operation, which were seized under a court order. Cloudflare assisted with taking the sites down. The seizure of the domains significantly disrupted RaccoonO365’s operation. Microsoft is also taking further steps to counter it, using blockchain analysis tools such as Chainalysis Reactor in its investigations to trace the criminals’ cryptocurrency transactions and link online activity to real individuals, producing stronger evidence.
In light of this news, affected healthcare organizations should consider providing HIPAA training for IT professionals to help protect against such cyberattacks.