Microsoft has seized phishing sites connected to Raccoon0365, a Nigerian group running a subscription-based cybercrime service. Nearly 340 domains were taken down. These websites hosted fake Microsoft login pages designed to steal credentials. The takedown is one of the largest anti-phishing operations Microsoft has led this year.

How Raccoon0365 Operated

The group launched its service in July 2024. Since then, it has earned more than $100,000 in cryptocurrency. Attackers distributed phishing kits through a private Telegram channel with over 850 members.

Raccoon0365 offered subscribers ready-made tools to create fake login portals. Victims entered their credentials, which were then stolen and sold. More than 5,000 Microsoft accounts were compromised during the campaign.

Phishing Campaigns and Targets

One campaign in February 2025 sent tax-themed phishing emails. More than 2,300 U.S. organizations were targeted. Industries ranging from healthcare to finance saw attempted breaches. Some hospitals reported attempted logins with stolen credentials.

Fake pages looked convincing, using Microsoft branding and login formats. Victims often could not tell the difference until after credentials were stolen.

The Takedown Effort

Microsoft worked with Cloudflare and the U.S. Secret Service. Together, they dismantled 340 domains linked to Raccoon0365. The Health Information Sharing and Analysis Center (Health-ISAC) also supported the investigation.

The takedown stopped ongoing phishing attacks and disrupted the group’s business model. However, law enforcement warns the criminals may attempt to rebuild.

Ongoing Threats

Phishing remains one of the most common attack methods. Services like Raccoon0365 lower the barrier to entry, allowing even low-skilled criminals to launch campaigns. Fake login portals can spread quickly across industries, creating widespread risk.

Conclusion

Microsoft's seizure of these phishing sites highlights the scale of organized cybercrime. By removing 340 domains tied to Raccoon0365, Microsoft disrupted a major phishing service. Still, the takedown shows only part of the challenge. Criminal groups adapt fast, and phishing kits remain easy to access. Users and organizations must stay alert, adopt multi-factor authentication, and continue reporting suspicious activity.

