
Microsoft foils phishing ring as industry’s cybersecurity losses mount

Microsoft took down a phishing ring, aiming to curb healthcare’s mounting financial losses from cyberattacks.
By admin
Sep 19, 2025, 12:41 PM

Microsoft has announced the disruption of a subscription-based phishing tool known as RaccoonO365, which allows cybercriminals to easily steal Microsoft credentials by creating convincing mockups of official Microsoft communications. The strategy has been used against at least 20 US healthcare organizations, adding to the enormous toll that phishing and other cybercrimes have taken on the healthcare industry. 

The company’s Digital Crimes Unit (DCU) says it has seized 338 websites that are associated with the service and identified the alleged leader of the crime ring, an individual based in Nigeria.  

Currently available data shows that the tool has brought in at least $100,000 USD in cryptocurrency payments, representing a likely minimum of between 100 and 200 subscriptions sold. Each subscription allows a bad actor to send thousands of phishing emails a day. 

Since July of 2024, the RaccoonO365 toolkit has been used to steal at least 5,000 Microsoft credentials from 94 countries, the company says, although not all of these stolen credentials have led to identified harm. 

Tackling a direct risk to the healthcare industry

RaccoonO365 is particularly dangerous to healthcare organizations, Microsoft notes, which is why the tech giant is filing a lawsuit against the alleged ringleader in conjunction with Health-ISAC, a global cybersecurity and threat intelligence non-profit for the healthcare sector. 

“RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals,” Microsoft explains. “In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients.” 

That’s not news to healthcare cybersecurity leaders, who have been facing down the challenges of increasingly sophisticated attacks for many years, and are feeling both the clinical and financial consequences more strongly than ever before.  

New data from cybersecurity firm Netwrix shows that just under half (48%) of healthcare organizations have experienced at least one cybersecurity event recently. Close to a third (31%) saw incidents involving compromised user or admin accounts, which can include phishing attacks. 

The financial impacts of these events are also ballooning over time. Even in just the first quarter of 2025, when the survey was conducted, Netwrix found that 4 times more organizations saw losses topping $200,000 compared to 2024, and the percentage of organizations experiencing losses over $500,000 increased from just 2% in 2024 to 12% in 2025. That’s double the 6% rate of all other industries combined. 

Playing whack-a-mole with cybersecurity threats in healthcare 

Taking down RaccoonO365 could be an important victory for healthcare organizations that have their hands very full with identifying and combatting threats from phishing and elsewhere.  

Microsoft points out, however, that the celebration could be short-lived as cybercriminals are often more than capable of relaunching their operations in a slightly different form, once again evading detection for long enough to commit more crimes. 

It’s strong motivation for healthcare cybersecurity leaders to remain vigilant, even in situations that seem trustworthy. 

In a somewhat ironic turn of events, for example, Microsoft itself is being directly blamed for a 2024 data breach that disrupted care and compromised critical information on approximately 5.6 million patients at Ascension, a large multi-state health system.  

A letter sent to the FTC from Senator Ron Wyden (D-OR) accuses Microsoft of neglecting to fix an insecure encryption technology from the 1980s, known as RC4, that led to cybercriminals being able to embed malware in a search result within Bing, Microsoft’s default search engine. 

According to Wyden, when an Ascension employee clicked on the link and inadvertently installed the malware, hackers were able to access Ascension’s network and gain administrative privileges to user accounts on the organization’s Microsoft Active Directory server.

It just goes to show that there’s no telling where threats may emerge, even within the companies and systems that are working to prevent them. 

The best defense will be a good offense, with robust threat detection systems and active participation in the ongoing industry conversation around regulatory requirements and cybersecurity best practices. While no organization will ever be fully immune to cyber threats, taking a proactive stance and staying informed about the latest risks is the best way to reduce the likelihood of a majorly disruptive event.


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected]. 

