Cloudflare Participates in Global Operation to Disrupt RaccoonO365

    Date: 09/17/2025

    Severity: High

    Summary

    In early September 2025, Cloudflare partnered with Microsoft to dismantle the RaccoonO365 phishing-as-a-service (PhaaS) operation. The campaign targeted Microsoft 365 users with phishing kits that bundled CAPTCHA and anti-bot measures. Cloudflare took down hundreds of malicious domains and Worker accounts on its network, supporting the broader legal action Microsoft filed in August to disrupt the operation.

    Indicators of Compromise (IOC) List


    Cryptocurrency Addresses

    bc1qjtlzug5wu7ag8yskn5h2xjd27uetq5cc4sahh5

    TBB5T28b9n2SK8shXb9oq867EcsNE5dZie

    0xf5C2E3749F332175D94C7de7bf7AA8d679E460B7

    Email Detection Fingerprints (EDF)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "winredirect.com" or siteurl like "winredirect.com" or url like "winredirect.com" or domainname like "get-pdf-bcd08-db403b574-0eba0513b-053e6-app.online" or siteurl like "get-pdf-bcd08-db403b574-0eba0513b-053e6-app.online" or url like "get-pdf-bcd08-db403b574-0eba0513b-053e6-app.online" or domainname like "cloufdtf.com" or siteurl like "cloufdtf.com" or url like "cloufdtf.com" or domainname like "bgailin.net" or siteurl like "bgailin.net" or url like "bgailin.net" or domainname like "executive-recruitment-dashboard.com" or siteurl like "executive-recruitment-dashboard.com" or url like "executive-recruitment-dashboard.com" or domainname like "quantexagroup.autos" or siteurl like "quantexagroup.autos" or url like "quantexagroup.autos" or domainname like "o365efilecloud.com" or siteurl like "o365efilecloud.com" or url like "o365efilecloud.com" or domainname like "basiceschromeedomezonners.com" or siteurl like "basiceschromeedomezonners.com" or url like "basiceschromeedomezonners.com" or domainname like "o365cloudfilesstoragedcs.com" or siteurl like "o365cloudfilesstoragedcs.com" or url like "o365cloudfilesstoragedcs.com" or domainname like "boards-descriptions.com" or siteurl like "boards-descriptions.com" or url like "boards-descriptions.com" or domainname like "ssecurefilessharedfolders-rudebenediktkernduca.com" or siteurl like "ssecurefilessharedfolders-rudebenediktkernduca.com" or url like "ssecurefilessharedfolders-rudebenediktkernduca.com" or domainname like "docsanduploadpreview.com" or siteurl like "docsanduploadpreview.com" or url like "docsanduploadpreview.com" or domainname like "microcloudfilesstorage.com" or siteurl like "microcloudfilesstorage.com" or url like "microcloudfilesstorage.com" or domainname like "1drvmscloud-acrbatadbfls.com" or siteurl like "1drvmscloud-acrbatadbfls.com" or url like "1drvmscloud-acrbatadbfls.com" or domainname like "triumphsic.org" or siteurl like "triumphsic.org" or url like "triumphsic.org" or 
domainname like "voicemailfilerecordingswav.com" or siteurl like "voicemailfilerecordingswav.com" or url like "voicemailfilerecordingswav.com" or domainname like "exerecruitment-dashboard.online" or siteurl like "exerecruitment-dashboard.online" or url like "exerecruitment-dashboard.online" or domainname like "andersnelab.com" or siteurl like "andersnelab.com" or url like "andersnelab.com" or domainname like "secure-acrbtadbeonlinedocs.com" or siteurl like "secure-acrbtadbeonlinedocs.com" or url like "secure-acrbtadbeonlinedocs.com" or domainname like "actwillis.com" or siteurl like "actwillis.com" or url like "actwillis.com" or domainname like "adriot.org" or siteurl like "adriot.org" or url like "adriot.org" or domainname like "app-explorer-dashboard.com" or siteurl like "app-explorer-dashboard.com" or url like "app-explorer-dashboard.com" or domainname like "appletheseed.workers.dev" or siteurl like "appletheseed.workers.dev" or url like "appletheseed.workers.dev" or domainname like "application-document.com" or siteurl like "application-document.com" or url like "application-document.com" or domainname like "authenticate-hydromedicional.com" or siteurl like "authenticate-hydromedicional.com" or url like "authenticate-hydromedicional.com" or domainname like "boardsmartrecruits.com" or siteurl like "boardsmartrecruits.com" or url like "boardsmartrecruits.com" or domainname like "bravoservicesnc.com" or siteurl like "bravoservicesnc.com" or url like "bravoservicesnc.com" or domainname like "burohapopld.com" or siteurl like "burohapopld.com" or url like "burohapopld.com" or domainname like "cyberdnsraven.com" or siteurl like "cyberdnsraven.com" or url like "cyberdnsraven.com" or domainname like "cyberspiderregistry.com" or siteurl like "cyberspiderregistry.com" or url like "cyberspiderregistry.com" or domainname like "doc-edelivery.com" or siteurl like "doc-edelivery.com" or url like "doc-edelivery.com" or domainname like "docdrive-remittance.com" or siteurl like 
"docdrive-remittance.com" or url like "docdrive-remittance.com" or domainname like "docdrivecloudstorage.com" or siteurl like "docdrivecloudstorage.com" or url like "docdrivecloudstorage.com" or domainname like "dreambig1.workers.dev" or siteurl like "dreambig1.workers.dev" or url like "dreambig1.workers.dev" or domainname like "dropviewfolder.com" or siteurl like "dropviewfolder.com" or url like "dropviewfolder.com" or domainname like "easylifestyle004.workers.dev" or siteurl like "easylifestyle004.workers.dev" or url like "easylifestyle004.workers.dev" or domainname like "ecloudrunfiles.com" or siteurl like "ecloudrunfiles.com" or url like "ecloudrunfiles.com" or domainname like "eidnfilecloud.com" or siteurl like "eidnfilecloud.com" or url like "eidnfilecloud.com" or domainname like "eviewxxoofriend.workers.dev" or siteurl like "eviewxxoofriend.workers.dev" or url like "eviewxxoofriend.workers.dev"

    Detection Query 2:

    domainname like "fileso365clloudoccs.com" or siteurl like "fileso365clloudoccs.com" or url like "fileso365clloudoccs.com" or domainname like "fileso365clloudoss.com" or siteurl like "fileso365clloudoss.com" or url like "fileso365clloudoss.com" or domainname like "filesoo365cloudocxs.com" or siteurl like "filesoo365cloudocxs.com" or url like "filesoo365cloudocxs.com" or domainname like "filoonlinemaulling.com" or siteurl like "filoonlinemaulling.com" or url like "filoonlinemaulling.com" or domainname like "gboo4gboo.workers.dev" or siteurl like "gboo4gboo.workers.dev" or url like "gboo4gboo.workers.dev" or domainname like "gloglo12.workers.dev" or siteurl like "gloglo12.workers.dev" or url like "gloglo12.workers.dev" or domainname like "godwhenabego.workers.dev" or siteurl like "godwhenabego.workers.dev" or url like "godwhenabego.workers.dev" or domainname like "gregorywizfriend.workers.dev" or siteurl like "gregorywizfriend.workers.dev" or url like "gregorywizfriend.workers.dev" or domainname like "hen0148.workers.dev" or siteurl like "hen0148.workers.dev" or url like "hen0148.workers.dev" or domainname like "hspincsd.com" or siteurl like "hspincsd.com" or url like "hspincsd.com" or domainname like "insplredthinking.group" or siteurl like "insplredthinking.group" or url like "insplredthinking.group" or domainname like "kevinmor.workers.dev" or siteurl like "kevinmor.workers.dev" or url like "kevinmor.workers.dev" or domainname like "kevinmorredirects.workers.dev" or siteurl like "kevinmorredirects.workers.dev" or url like "kevinmorredirects.workers.dev" or domainname like "keymedla.com" or siteurl like "keymedla.com" or url like "keymedla.com" or domainname like "kindlyrviewdoc.nl" or siteurl like "kindlyrviewdoc.nl" or url like "kindlyrviewdoc.nl" or domainname like "lawsent.com" or siteurl like "lawsent.com" or url like "lawsent.com" or domainname like "livinsie.com" or siteurl like "livinsie.com" or url like "livinsie.com" or domainname like "lxkvt.com" or 
siteurl like "lxkvt.com" or url like "lxkvt.com" or domainname like "machavellii.workers.dev" or siteurl like "machavellii.workers.dev" or url like "machavellii.workers.dev" or domainname like "man-ex.com" or siteurl like "man-ex.com" or url like "man-ex.com" or domainname like "microcloudfiles.com" or siteurl like "microcloudfiles.com" or url like "microcloudfiles.com" or domainname like "microcloudfilestorage.com" or siteurl like "microcloudfilestorage.com" or url like "microcloudfilestorage.com" or domainname like "microsoft-clouds-onlines.com" or siteurl like "microsoft-clouds-onlines.com" or url like "microsoft-clouds-onlines.com" or domainname like "microsoftadmiin.com" or siteurl like "microsoftadmiin.com" or url like "microsoftadmiin.com" or domainname like "myskylinkdouble.workers.dev" or siteurl like "myskylinkdouble.workers.dev" or url like "myskylinkdouble.workers.dev" or domainname like "nextproject2025.com" or siteurl like "nextproject2025.com" or url like "nextproject2025.com" or domainname like "nuw0rk.workers.dev" or siteurl like "nuw0rk.workers.dev" or url like "nuw0rk.workers.dev" or domainname like "o365clouddocsstorage.com" or siteurl like "o365clouddocsstorage.com" or url like "o365clouddocsstorage.com" or domainname like "o365cloudfilesdocs.com" or siteurl like "o365cloudfilesdocs.com" or url like "o365cloudfilesdocs.com" or domainname like "o365microsoftsecurecloud.com" or siteurl like "o365microsoftsecurecloud.com" or url like "o365microsoftsecurecloud.com" or domainname like "o365securecloudfilesdrive.com" or siteurl like "o365securecloudfilesdrive.com" or url like "o365securecloudfilesdrive.com" or domainname like "obs3rv3r-1x1.workers.dev" or siteurl like "obs3rv3r-1x1.workers.dev" or url like "obs3rv3r-1x1.workers.dev" or domainname like "officefilecloudoc.com" or siteurl like "officefilecloudoc.com" or url like "officefilecloudoc.com" or domainname like "officefiledrivecloud.com" or siteurl like "officefiledrivecloud.com" or url like 
"officefiledrivecloud.com" or domainname like "officenotedrivecloud.com" or siteurl like "officenotedrivecloud.com" or url like "officenotedrivecloud.com" or domainname like "onlineboardminutes.com" or siteurl like "onlineboardminutes.com" or url like "onlineboardminutes.com" or domainname like "onlinememoffsecured.com" or siteurl like "onlinememoffsecured.com" or url like "onlinememoffsecured.com" or domainname like "onlyoneghost.workers.dev" or siteurl like "onlyoneghost.workers.dev" or url like "onlyoneghost.workers.dev" or domainname like "orionhatch.autos" or siteurl like "orionhatch.autos" or url like "orionhatch.autos" or domainname like "polepole21.workers.dev" or siteurl like "polepole21.workers.dev" or url like "polepole21.workers.dev"

    Detection Query 3:

    domainname like "presido5g.workers.dev" or siteurl like "presido5g.workers.dev" or url like "presido5g.workers.dev" or domainname like "prestigemetall.com" or siteurl like "prestigemetall.com" or url like "prestigemetall.com" or domainname like "priorityclouddrive365files.com" or siteurl like "priorityclouddrive365files.com" or url like "priorityclouddrive365files.com" or domainname like "prioritysdenvers.com" or siteurl like "prioritysdenvers.com" or url like "prioritysdenvers.com" or domainname like "reidnfilescloud.com" or siteurl like "reidnfilescloud.com" or url like "reidnfilescloud.com" or domainname like "securedocumentsmicrocloudsdrivestorage.com" or siteurl like "securedocumentsmicrocloudsdrivestorage.com" or url like "securedocumentsmicrocloudsdrivestorage.com" or domainname like "share-onboarding.icu" or siteurl like "share-onboarding.icu" or url like "share-onboarding.icu" or domainname like "shared-document-onboarding.icu" or siteurl like "shared-document-onboarding.icu" or url like "shared-document-onboarding.icu" or domainname like "sharedcloudrive.com" or siteurl like "sharedcloudrive.com" or url like "sharedcloudrive.com" or domainname like "smart-pdf-53e6f9-0cd69-df8a0.online" or siteurl like "smart-pdf-53e6f9-0cd69-df8a0.online" or url like "smart-pdf-53e6f9-0cd69-df8a0.online" or domainname like "smartboardproposal.com" or siteurl like "smartboardproposal.com" or url like "smartboardproposal.com" or domainname like "soskuns.org" or siteurl like "soskuns.org" or url like "soskuns.org" or domainname like "speechmorphin.com" or siteurl like "speechmorphin.com" or url like "speechmorphin.com" or domainname like "thisusernameisnotactive.workers.dev" or siteurl like "thisusernameisnotactive.workers.dev" or url like "thisusernameisnotactive.workers.dev" or domainname like "triistrux.com" or siteurl like "triistrux.com" or url like "triistrux.com" or domainname like "tylxv.com" or siteurl like "tylxv.com" or url like "tylxv.com" or domainname like 
"w0rstdayofmylife.workers.dev" or siteurl like "w0rstdayofmylife.workers.dev" or url like "w0rstdayofmylife.workers.dev" or domainname like "worker1800.workers.dev" or siteurl like "worker1800.workers.dev" or url like "worker1800.workers.dev" or domainname like "yfful.com" or siteurl like "yfful.com" or url like "yfful.com" or domainname like "you-never-walk-alone009friend.workers.dev" or siteurl like "you-never-walk-alone009friend.workers.dev" or url like "you-never-walk-alone009friend.workers.dev" or domainname like "zeezee196112.workers.dev" or siteurl like "zeezee196112.workers.dev" or url like "zeezee196112.workers.dev"
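As an added illustration (not Gurucul's query engine or any code from Cloudflare or Microsoft), the Python below applies the same three-field check as the queries above to newline-delimited JSON events, using a subset of this page's indicator domains. It matches on domain-label boundaries, so a subdomain of an indicator fires while a look-alike host such as the constructed notwinredirect.com does not, which an unanchored substring `like` would not guarantee; the field names and sample events are assumptions.

```python
"""Added illustration, not Gurucul's engine: match log events against the
RaccoonO365 domain indicators on this page, on label boundaries."""
import json
from urllib.parse import urlsplit

# Subset of the indicator domains listed on this page (the queries hold the full set).
RACCOONO365_DOMAINS = {
    "winredirect.com",
    "microsoftadmiin.com",
    "o365efilecloud.com",
    "kevinmorredirects.workers.dev",
}
FIELDS = ("domainname", "siteurl", "url")  # assumed event field names

def host_of(value: str) -> str:
    """Reduce a bare domain, host:port or full URL to a lowercase hostname."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # scheme-relative form so urlsplit parses a netloc
    return (urlsplit(v).hostname or "").rstrip(".")

def indicator_for(host: str, indicators=RACCOONO365_DOMAINS):
    """Return the indicator that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels)):  # walk label suffixes: a.b.c -> a.b.c, b.c, c
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def scan_event(event: dict, indicators=RACCOONO365_DOMAINS):
    """Return [(field, indicator), ...] for every populated field that hits."""
    hits = []
    for field in FIELDS:
        value = event.get(field)
        if value:
            ind = indicator_for(host_of(value), indicators)
            if ind:
                hits.append((field, ind))
    return hits

def scan_log(lines, indicators=RACCOONO365_DOMAINS):
    """Scan newline-delimited JSON events; return (line_no, hits) for alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        hits = scan_event(json.loads(line), indicators)
        if hits:
            alerts.append((n, hits))
    return alerts

# Constructed sample events (not real telemetry): a subdomain of an indicator,
# a clean look-alike host, and an email-click URL on a workers.dev indicator.
SAMPLE_LOG = [
    '{"user": "a.smith", "domainname": "login.winredirect.com"}',
    '{"user": "b.jones", "siteurl": "https://notwinredirect.com/index.html"}',
    '{"user": "c.lee", "url": "https://kevinmorredirects.workers.dev/?id=42"}',
]
```

Running scan_log(SAMPLE_LOG) flags lines 1 and 3 only; the look-alike on line 2 is left alone because no label suffix of notwinredirect.com is in the indicator set.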

    Reference:

    https://www.cloudflare.com/zh-cn/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/

    Tags

    Malware, RaccoonO365, Phishing, Cloudflare, Microsoft, Office 365
