
Ro’ya Hatamleh of Microsoft explains how phishing-as-a-service operations like RaccoonO365 are scaling globally, why cloud-first regions such as the Middle East face heightened risk, and how organisations can counter AI-driven attacks through identity security and Zero Trust.
Phishing has evolved from opportunistic scams into a highly industrialised cybercrime model, driven by automation, artificial intelligence, and subscription-based criminal services. One of the most prominent examples is RaccoonO365, a phishing-as-a-service (PhaaS) operation that enabled large-scale credential theft across nearly 100 countries by lowering the technical barriers for cybercriminals.
Microsoft recently led a coordinated global takedown of RaccoonO365, seizing hundreds of domains and disrupting its infrastructure. The operation highlights both the growing sophistication of phishing campaigns and the importance of intelligence-led, collaborative defence in combating cybercrime at scale.
Ro’ya Hatamleh, Security Cloud Commercial Solutions, EMEA HQ – Middle East and Africa at Microsoft, spoke to Sandhya D’Mello, Technology Editor, CPI Media Group, about how the PhaaS model works, why cloud-first regions such as the Middle East face heightened risk, and how organisations can defend themselves against AI-driven phishing through strong identity security, Zero Trust principles, and continuous awareness.
Interview excerpts:
How does the phishing-as-a-service model like RaccoonO365 work, and why is it so powerful?
RaccoonO365 is a prime example of phishing-as-a-service (PhaaS), essentially a criminal subscription model. Even attackers with minimal technical skills can run large-scale phishing campaigns simply by paying a subscription fee. Once subscribed, they gain access to ready-made tools, templates, and email kits that mimic Microsoft 365 login pages, complete with convincing branding.
Three key points make it powerful:
- Scalability & Automation: Our investigation showed that RaccoonO365 could target up to 9,000 email addresses per day. Since July 2024, it was used to steal over 5,000 user credentials across 94 countries.
- Low Barrier to Entry: cybercrime-in-a-box; anyone can use it without maintaining infrastructure.
- Continuous Evolution: Like a legitimate SaaS business, it offers updates and new features. For example, it recently introduced “AI Mail Chick”, an AI-powered tool that generates more convincing phishing emails.
“While many organisations were able to mitigate the impact through multi-factor authentication and other safeguards, the sheer scale of credential theft highlights how far automation has transformed phishing.”
This industrialised approach has made phishing campaigns faster, broader, and more efficient, turning what used to be manual, small-scale attacks into operations that resemble high-volume marketing campaigns.
What truly sets RaccoonO365 apart, however, is its commercialisation and profit motive. It was operated as a full-fledged business within criminal ecosystems, marketed openly across Telegram channels and underground forums to attract a paying customer base of other cybercriminals. By the time of its takedown, the group had over 850 members on Telegram and had received at least US $100,000 in cryptocurrency payments from subscriptions. Microsoft’s Digital Crimes Unit (DCU) seized 338 domains, took down RaccoonO365’s infrastructure, and identified its Nigeria-based operator for law enforcement. The action shows that while PhaaS fuels cybercrime-as-a-business, Microsoft’s intelligence and legal reach are reshaping the fight against it.
How vulnerable are enterprises and healthcare organisations in the Middle East?
The Middle East has embraced cloud services as a central element of digital transformation. According to PwC research, 68% of organisations in the region plan to migrate the majority of their operations to the cloud within the next two years, and many are evolving beyond basic lift-and-shift to modernise into cloud-native or hybrid architectures.
This rapid shift makes the region more attractive to cyber attackers, especially in high-stakes sectors like healthcare, finance, and government, which are often targeted for credential theft.
For example, if a hospital employee’s credentials are phished, attackers could gain access to confidential patient records or disrupt vital systems, potentially leading to serious operational and data breaches. While vulnerability is inevitable, it does not mean being defenceless. Microsoft continues to invest in advanced security capabilities, and regional organisations show signs of being proactive. For instance, the 2025 PwC Digital Trust Insights report states that only 24% of respondents in the Middle East felt they were least prepared to address cloud-related threats over the next year, compared to 34% globally.

Still, no region or industry is entirely immune to phishing. The human element remains the weakest link; even skilled professionals can be deceived by a convincing email, whether they’re in Dubai or London. The real threat lies not in the cloud itself, but in attackers exploiting weak credentials through phishing and social engineering. As digital transformation accelerates, identity has become the new security perimeter. Without consistent enforcement of multi-factor authentication (MFA), stolen credentials can enable attackers to impersonate legitimate users and bypass traditional defences.
How can organisations defend against AI-driven phishing?
The simple rule is that you can’t fight AI-powered attacks without AI-powered defense. At Microsoft, AI is embedded across the entire security stack. Microsoft Threat Intelligence now processes 84 trillion signals per day, revealing the exponential growth in cyberattacks, including 7,000 password attacks per second, enabling Defender, Sentinel, and Security Copilot to detect and block phishing attempts at scale. This intelligence is shared globally, so if a suspicious IP address is flagged in one part of the world, protections are cascaded across products to safeguard customers everywhere.
However, technology alone is not enough. Strengthening identity and access protections is equally vital. Even the most convincing AI-generated phishing email can be neutralized with robust identity security, enforcing Multi-Factor Authentication (MFA) for all users and adopting phishing-resistant MFA (PRMFA). Conditional Access policies and risk-based sign-in detection add further layers of AI-driven defense, automatically flagging or blocking anomalous logins, such as impossible travel, unfamiliar devices, or unusual access patterns.
Across the Middle East, many organisations are also adopting a Zero Trust approach, a security model built on the principle of “never trust, always verify.” By assuming every user, device, or link could be malicious until verified, and continuously validating signals and identities, companies significantly reduce the chances of an AI-augmented phishing attack succeeding.
The human element remains critical, and Microsoft helps organisations strengthen this layer through phishing education and simulation tools. We actively partner with government agencies and enterprises across the region to run awareness workshops, webinars, and public campaigns, including the annual Cybersecurity Awareness Month toolkit that provides internal resources like posters, slide decks, and short videos.
Ultimately, defending against AI-driven phishing requires a holistic approach, combining intelligent technology, strong identity protection, and ongoing human awareness to stay ahead of increasingly sophisticated attacks.
What are the biggest misconceptions about phishing risks?
A common misconception is that only naive individuals fall for phishing attempts. In reality, even seasoned professionals, including security experts, can be deceived by today’s AI-powered spear phishing.

Another misconception is that phishing is an outdated or low-level threat. This is far from true: phishing remains the number one entry point for attackers worldwide, providing direct access to sensitive credentials and, ultimately, the “crown jewels” of an organisation.

It is also often assumed that basic protections such as multi-factor authentication are sufficient. While MFA is critical, it is not foolproof, and continuous innovation is required, such as anomaly detection that can flag suspicious logins from unusual locations. Phishing continues to evolve rapidly, and Microsoft adapts in parallel by integrating AI-driven identity protections to ensure defences remain ahead of attackers.
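The risk-based sign-in checks mentioned in the two answers above (impossible travel between consecutive logins, and sign-ins from an unfamiliar device) can be illustrated with a small detector run over sample sign-in records. The Python below is an added example written for this page; it is not Microsoft's Entra ID Protection logic or any product's code. The CSV log format, the user names, IP addresses, coordinates and device IDs are constructed, and the 900 km/h plausibility ceiling and 50 km minimum distance are assumed thresholds.

```python
"""Risk-based sign-in detection over constructed sign-in records.

Added example for this page, not a product's detection logic. Log format,
sample data and thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of successful sign-ins (not real data), one per line:
# timestamp,user,source_ip,city,lat,lon,device_id
SAMPLE_LOG = """\
2025-01-10T08:02:11Z,alice@example.com,203.0.113.10,Dubai,25.20,55.27,dev-a1
2025-01-10T08:40:05Z,alice@example.com,198.51.100.7,London,51.51,-0.13,dev-a1
2025-01-10T09:15:00Z,bob@example.com,192.0.2.44,Riyadh,24.71,46.68,dev-b1
2025-01-10T13:20:30Z,bob@example.com,192.0.2.44,Riyadh,24.71,46.68,dev-zz9
2025-01-10T09:00:00Z,carol@example.com,203.0.113.55,Dubai,25.20,55.27,dev-c1
2025-01-10T17:30:00Z,carol@example.com,198.51.100.9,London,51.51,-0.13,dev-c1
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed
MIN_DISTANCE_KM = 50.0     # assumed floor: ignore geolocation jitter within one city


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    city: str
    lat: float
    lon: float
    device: str


def parse_log(text: str) -> list[SignIn]:
    """Parse the CSV lines and return events ordered per user by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, city, lat, lon, device = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, user, ip, city, float(lat), float(lon), device))
    return sorted(events, key=lambda e: (e.user, e.ts))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_risky_signins(events: list[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (user, iso_timestamp, reason) for each sign-in that is flagged.

    Two checks per user, evaluated in time order:
      - impossible travel: distance from the previous sign-in divided by the
        elapsed time exceeds max_kmh (or the timestamps are not increasing);
      - unfamiliar device: a device ID never seen before for that user,
        once at least one device has been observed.
    """
    findings = []
    last_by_user: dict[str, SignIn] = {}
    known_devices: dict[str, set[str]] = {}
    for e in events:
        prev = last_by_user.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Guard against division by zero for simultaneous sign-ins.
            if dist > MIN_DISTANCE_KM and (hours <= 0 or dist / hours > max_kmh):
                findings.append((e.user, e.ts.isoformat(),
                                 f"impossible travel: {prev.city} -> {e.city}, "
                                 f"{dist:.0f} km in {hours:.2f} h"))
        seen = known_devices.setdefault(e.user, set())
        if seen and e.device not in seen:
            findings.append((e.user, e.ts.isoformat(),
                             f"unfamiliar device: {e.device} from {e.ip}"))
        seen.add(e.device)
        last_by_user[e.user] = e
    return findings


if __name__ == "__main__":
    for user, when, reason in detect_risky_signins(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: {reason}")
```

On the sample data, alice is flagged for Dubai to London in 38 minutes, bob for a new device ID from his usual address, and carol is not flagged because eight and a half hours for the same route stays under the speed ceiling. In a real deployment the first-seen device for a user and the distance floor should be tuned to the environment, since a detector that fires on every VPN exit change or every reinstalled browser trains analysts to ignore it.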
What long-term strategies is Microsoft pursuing globally?
Microsoft views the fight against phishing as part of a wider battle against cybercrime. One of its key strategies is Continuous Technical and Legal Disruption: in the recent RaccoonO365 case, Microsoft’s Digital Crimes Unit seized 338 domains, disabling the phishing network, and coordinated with Cloudflare to suspend infrastructure and ban domains. The takedown also involved tracing cryptocurrency flows via Chainalysis to help link operators to the attacks. For lasting impact, Microsoft continues to invest in next-generation investigative capabilities, including blockchain analytics, AI-driven threat intelligence, and cloud-scale forensics, to stay ahead of evolving criminal tactics and strengthen the global fight against cyber-enabled crime.

The principle of collective defense is also central: Microsoft engages with partners, governments, and trusted third parties. In the RaccoonO365 operation, it worked directly with Cloudflare. More broadly, Microsoft operates the Government Security Program (GSP), which grants governments access to threat intelligence, code transparency, and coordinated security exchange.

Microsoft also emphasises security by design and continuous innovation. Its approach is to embed intelligence and protection capabilities into its core security products, including integrating threat signals across Defender, Sentinel, and other tools.

Finally, Microsoft promotes cybersecurity awareness as a foundational element. Through resources like the Be Cyber Smart Kit, the company helps organisations educate personnel on phishing risks, identity protection, and good security habits worldwide.