Microsoft reveals how phishing has shifted into an industrial-scale, subscription-based criminal enterprise leveraging automation and AI, with the recent takedown of RaccoonO365 exemplifying the growing threat to cloud security and identity management.
Ro’ya Hatamleh of Microsoft says phishing has shifted from opportunistic scams into a commercial, industrialised criminal market that now operates much like legitimate software-as-a-service businesses, and that the dis...
According to Microsoft’s account, the Digital Crimes Unit (DCU) used a court order from the U.S. District Court for the Southern District of New York to seize 338 websites tied to RaccoonO365, a subscription-based phishing-as-a-service (PhaaS) operation that sold ready-made Microsoft 365 login clones, email kits and automation to low-skilled attackers. Microsoft says the kits were used to steal at least 5,000 Microsoft credentials across 94 countries since July 2024 and that the service was openly marketed on Telegram and underground forums, generating an estimated six-figure sum in cryptocurrency from subscriptions. Cloudflare worked with Microsoft on the takedown, and industry reports say the infrastructure relied on Cloudflare Workers and anti-analysis tricks to evade detection.
Hatamleh, Security Cloud Commercial Solutions, EMEA HQ – Middle East and Africa at Microsoft, told Sandhya D’Mello, Technology Editor at CPI Media Group, that three features make services such as RaccoonO365 especially dangerous: scalability and automation, a low barrier to entry for criminals, and rapid continuous evolution that now includes AI-driven tools. “While many organisations were able to mitigate the impact through multi-factor authentication and other safeguards, the sheer scale of credential theft highlights how far automation has transformed phishing,” she said in the interview.
The RaccoonO365 case underlines how PhaaS commercialises crime. Microsoft reported the service operated subscription tiers, a private Telegram channel with hundreds of members, and offered features such as QR-code and attachment-based lures, CAPTCHA pages and session-cookie interception that enabled adversary-in-the-middle collection of passwords and MFA tokens. Reporting from several outlets added that operators attempted a quick regroup after the disruption, telling customers to migrate legacy links to new plans.
Regional risk is acute where cloud adoption is rapid. According to PwC research cited by Microsoft, 68% of organisations in the Middle East intended to migrate the majority of operations to the cloud within two years, and the region reported greater confidence in addressing cloud threats in the 2025 PwC Digital Trust Insights report than the global average. Still, Hatamleh warned that cloud-first strategies expand the potential attack surface. “The real threat lies not in the cloud itself, but in attackers exploiting weak credentials through phishing and social engineering,” she said. Healthcare, finance and government remain particular targets: separate industry notices noted that at least 20 U.S. healthcare organisations were hit by campaigns using the kits, and that stolen access has been monetised through fraud, extortion and resale to ransomware groups.
Microsoft frames the defensive answer as threefold: intelligence-led disruption, AI-augmented detection across cloud-scale signals, and strengthened identity controls. The company says its Threat Intelligence processes some 84 trillion signals per day and that Defender, Sentinel and Security Copilot use that telemetry to detect and block threats at scale. Hatamleh argued that “you can’t fight AI-powered attacks without AI-powered defense,” but she stressed technology must be combined with identity hardening and human-centred measures. She recommended enforcing Multi-Factor Authentication for all users, adopting phishing-resistant MFA where possible, applying conditional access and risk-based sign-in detection, and embracing Zero Trust principles that “never trust, always verify.”
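The session-cookie interception described in the RaccoonO365 kits and the risk-based sign-in detection recommended here can be turned into concrete detection logic. The following is an added example, not Microsoft's code or part of the original article: it scans a small set of constructed sign-in records (field names, the session identifier, the 60-minute window and the sample events are all assumptions, loosely modelled on the kind of columns found in identity-provider sign-in logs) for two shapes that adversary-in-the-middle cookie replay tends to leave behind: one session continuing from a second IP address shortly after it was established, and a session whose MFA was only ever satisfied by a claim already inside the token, with no interactive challenge observed for it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). Field names are
# assumptions loosely modelled on identity-provider sign-in log columns; the
# "session" value stands in for whatever ties requests to one browser session
# cookie, and "mfa" records how MFA was satisfied for that request.
SAMPLE_EVENTS = [
    # alice: interactive MFA from one address, then the same session reused
    # from a different address three minutes later -> replay pattern
    {"time": "2025-09-16T08:00:00", "user": "alice@example.com",
     "ip": "203.0.113.10", "session": "s-1", "mfa": "interactive"},
    {"time": "2025-09-16T08:03:00", "user": "alice@example.com",
     "ip": "198.51.100.7", "session": "s-1", "mfa": "token"},
    # bob: same session, same address, MFA later satisfied by the token -> benign
    {"time": "2025-09-16T09:00:00", "user": "bob@example.com",
     "ip": "203.0.113.22", "session": "s-2", "mfa": "interactive"},
    {"time": "2025-09-16T17:00:00", "user": "bob@example.com",
     "ip": "203.0.113.22", "session": "s-2", "mfa": "token"},
    # carol: first sight of this session already carries an MFA claim and no
    # interactive challenge was ever logged for it -> worth an analyst's look
    {"time": "2025-09-17T08:00:00", "user": "carol@example.com",
     "ip": "192.0.2.5", "session": "s-3", "mfa": "token"},
]


def parse_events(raw):
    """Convert ISO-8601 timestamps to datetimes and sort chronologically."""
    events = [dict(e, time=datetime.fromisoformat(e["time"])) for e in raw]
    return sorted(events, key=lambda e: e["time"])


def detect_session_replay(events, window_minutes=60):
    """Flag a session id seen from two different IPs within the window.

    A stolen session cookie presented from the attacker's own infrastructure
    shows up as an existing session continuing from an address the session
    was not established from.
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    for sid, evs in by_session.items():
        for i, cur in enumerate(evs):
            for prev in evs[:i]:
                if prev["ip"] != cur["ip"] and cur["time"] - prev["time"] <= window:
                    delta = cur["time"] - prev["time"]
                    alerts.append({
                        "rule": "session_reused_from_new_ip",
                        "user": cur["user"], "session": sid,
                        "from_ip": prev["ip"], "to_ip": cur["ip"],
                        "minutes": int(delta.total_seconds() // 60),
                    })
                    break  # one alert per reused event is enough
    return alerts


def detect_token_mfa_without_challenge(events):
    """Flag sessions whose MFA was only ever satisfied by a claim in the token.

    If the tenant never logged an interactive challenge for the session, it
    has no record of how that MFA was obtained: the challenge may lie outside
    the reviewed window, or the session may have been minted through a flow
    the tenant did not see, which is the shape a replayed cookie often takes.
    """
    alerts = []
    seen_interactive = set()
    flagged = set()
    for e in events:
        if e["mfa"] == "interactive":
            seen_interactive.add(e["session"])
        elif (e["mfa"] == "token" and e["session"] not in seen_interactive
              and e["session"] not in flagged):
            flagged.add(e["session"])
            alerts.append({"rule": "mfa_claim_without_interactive_challenge",
                           "user": e["user"], "session": e["session"],
                           "ip": e["ip"]})
    return alerts


def run_detections(raw_events):
    """Run both rules over raw records and return the combined alert list."""
    events = parse_events(raw_events)
    return detect_session_replay(events) + detect_token_mfa_without_challenge(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records, the first rule fires for alice (session continued from a second address after three minutes) and the second for carol (MFA claim with no challenge on record), while bob's all-day session from one address produces nothing. In practice the IP comparison would be replaced by a coarser check (ASN, country or a known-proxy list) to cut down on mobile-network noise, and the alert would feed a risk-based sign-in policy that forces re-authentication with phishing-resistant MFA rather than simply logging.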
Microsoft also emphasised legal and technical disruption as a strategic tool. The DCU’s seizure of domains and coordination with Cloudflare, and the use of blockchain analytics to trace cryptocurrency flows, were presented as an example of “continuous technical and legal disruption” designed to raise the operational cost for criminals and reduce their ability to scale. The company said it has referred findings to law enforcement and continues to invest in next-generation investigative capabilities.
Hatamleh cautioned against common misconceptions: phishing is not merely an entry-level nuisance, nor are only naive users at risk. “Even seasoned professionals, including security experts, can be deceived by today’s AI-powered spear phishing,” she said. Microsoft and partners therefore continue to promote awareness campaigns, simulation tools and public toolkits aimed at strengthening the human layer alongside technical controls.
The RaccoonO365 action illustrates an evolving ecosystem in which criminal entrepreneurs package automation, AI and subscription billing to turn credential theft into a high-volume business. Industry and public-health notices following the disruption highlighted the tangible consequences where successful intrusions allow access to OneDrive, SharePoint and corporate mailboxes and lead to downstream financial and operational harm.
As organisations accelerate cloud transformation, Hatamleh’s message is that identity has become the new perimeter and that resilience will depend on combining global threat intelligence, legal disruption of criminal infrastructure and rigorous identity-first security practices grounded in Zero Trust. According to Microsoft, those combined measures are the path to blunting the commercialised phishing model now proliferating across regions from the Middle East to North America.
Source: Noah Wire Services